We are a Layer 3 VPN provider offering a comprehensive SASE (Secure Access Service Edge) solution that includes TLS inspection, threat protection, granular access control, and secure access to private resources. One of the key challenges we face involves TLS inspection. Many mobile applications, especially on iOS, implement certificate pinning, which causes them to fail when TLS inspection is applied. These apps expect connections to be secured with a specific certificate or trusted certificate authority, and inspection disrupts this trust model. On iOS, the current limitation is that the Packet Tunnel Provider extension does not provide visibility into the originating application (i.e., there is no API to obtain the app’s bundle ID or package name associated with a given network connection). Due to this, we are unable to dynamically determine whether TLS inspection should be bypassed for a particular app. While Apple’s Per-App VPN is one possible solution, it introduces a significant drawback: any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel. This means they do not benefit from any of our SASE features — including secure access to internal resources, DNS/web content filtering, or threat detection. This limits the effectiveness of our solution in environments where both inspection and secure access are critical. We would like to understand whether iOS has any current or planned capabilities to associate a network flow (e.g., a 5-tuple: source IP, destination IP, source port, destination port, and protocol) with the originating app. Such a capability would allow us to programmatically identify certificate-pinned apps and selectively disable TLS inspection without excluding them entirely from the VPN, thereby preserving the full set of SASE protections. Is there any guidance or roadmap update from Apple that addresses this use case?

I develop a terminal app with c++. Everything was fin until i upgraded to Sequoia. If i debug my program with Xcode, all requests to a local network like MQTT fails. How can i grant XCODE the privilege to access the local network?

Hi all. I'm exploring the new URL Filter framework that supports filtering URLs in encrypted HTTPS traffic. I'm particularly interested in understanding how we can leverage this in System Extensions on macOS. Can URL Filter be implemented within a macOS System Extension? The documentation seems to focus primarily on iOS implementations. I've attempted to evaluate the "Filtering traffic by URL" sample code by running PIRService on localhost (tried both macOS native binary, and Linux container) and SimpleURLFilter on the iOS simulator (26.0 23A5260l). However, the app fails to apply the configuration with NetworkExtension.NEURLFilterManager.Error 8, and PIRService doesn't receive any requests. Is this functionality supported in the simulator environment? Does Keyword Private Information Retrieval support pattern matching or wildcards? For example, would it be possible to create rules that block URLs like "object-storage.example[.]org/malicious-user/*"? Regarding enterprise use cases: While I understand URL filtering uses Private Information Retrieval to enhance user privacy, enterprise security teams often need visibility into network traffic for security monitoring and incident response. Are there supported approaches for enterprises to monitor HTTPS URLs? Any insights or clarification would be greatly appreciated. Shay

I'm creating a custom VPN app which should only work on Cellular. Apart from cellular interface binding VPN is working fine. Even though I specified cellular interface like let cellularParams = NWParameters.udp cellularParams.requiredInterfaceType = .cellular It is going via Wifi when it is ON. I know this is the default iOS behaviour. How can I prevent this and route through cellular only even when Wifi is enabled on device?

Context I'm working on a DNS proxy network extension and would like to be able to parse replies from the upstream DNS server for extracting the TTL for caching purposes. I already have a working DNS proxy network extension, but at the moment I am not handling the responses and just forward all queries to an upstream DNS server. My understanding is that I have to take care of result caching myself because I cannot use the system resolver in the DNS proxy network extension. Question What is the best way to parse DNS replies in Swift to extract e.g. the TTL? I found an old thread (https://forums.swift.org/t/parse-dns-packet-requests-and-responses/41797/5) describing a way to achieve this using dns_util. The solution described there works - but dns_parse_packet in dns_util have been marked deprecated since iOS 16. So, I am wondering if there is a better way to achieve the parser. I tried to utilize the dnssd framework but was unable to figure out how to achieve only parsing of the raw DNS reply. If that is possible it would be great to get some pointers.

For our outdoor power supply company that builds public WiFi networks at camping sites, we want to implement the following features in our app: Scan surrounding WiFi networks When detecting specific public WiFi SSIDs, provide users with corresponding passwords Automatically connect to those WiFi networks Regarding the NEHotspotHelper API permission application, when I clicked on https://developer.apple.com/contact/request/network-extension, it redirected me to https://developer.apple.com/unauthorized/. I'm not sure where to properly apply for this permission now.

I pushed a configuration to my iPhone through MDM to run the content filter. However, when I modify the configuration by adding some vendor-configuration , I lose connection to the debugger and can no longer see logs or the updated configuration in Xcode. I have to build the app again. Could this be an issue with Xcode, or is it related to MDM or the configuration itself?

Hi, i have a crash received in my Firebase Crashlytics. I couldn't figure out the root cause of the issue. Could anyone please help me with it. Crashed: com.apple.CFNetwork.Connection 0 libobjc.A.dylib 0x20b8 objc_retain_x19 + 16 1 CFNetwork 0x47398 HTTP3Fields::appendField(NSString*, NSString*) + 72 2 CFNetwork 0x41250 invocation function for block in HTTP3Stream::_buildRequestHeaders() + 240 3 CoreFoundation 0x249f0 __NSDICTIONARY_IS_CALLING_OUT_TO_A_BLOCK__ + 24 4 CoreFoundation 0x565dc ____NSDictionaryEnumerate_block_invoke_2 + 56 5 CoreFoundation 0x55b10 CFBasicHashApply + 148 6 CoreFoundation 0x8abfc __NSDictionaryEnumerate + 520 7 CFNetwork 0x793d4 HTTP3Stream::scheduleAndOpenWithHandler(CoreSchedulingSet const*, void (__CFHTTPMessage*, NSObject<OS_dispatch_data>*, CFStreamError const*) block_pointer, void (unsigned char) block_pointer) + 1120 8 CFNetwork 0x1665c HTTPProtocol::useNetStreamInfoForRequest(MetaNetStreamInfo*, HTTPRequestMessage const*, unsigned char) + 4044 9 CFNetwork 0x80c80 HTTP3ConnectionCacheEntry::enqueueRequestForProtocol(MetaConnectionCacheClient*, HTTPRequestMessage const*, MetaConnectionOptions) + 2540 10 CFNetwork 0x7fab8 HTTP3ConnectionCacheWrapper::ingestTube(Tube*, bool) + 2924 11 CFNetwork 0x257dc TubeManager::newTubeReady(Tube*, CFStreamError) + 4284 12 CFNetwork 0x57b64 invocation function for block in TubeManager::_onqueue_createNewTube(HTTPConnectionCacheKey*) + 72 13 CFNetwork 0x2fe30 Tube::_onqueue_invokeCB(CFStreamError) + 360 14 CFNetwork 0x2fc20 NWIOConnection::_signalEstablished() + 652 15 CFNetwork 0x4ba1c invocation function for block in NWIOConnection::_handleEvent_ReadyFinish() + 748 16 CFNetwork 0x4b5b0 invocation function for block in Tube::postConnectConfiguration(NSObject<OS_tcp_connection>*, NSObject<OS_nw_parameters>*, void () block_pointer) + 860 17 CFNetwork 0x4b220 BlockHolderVar<std::__1::shared_ptr<NetworkProxy>, bool, CFStreamError>::invoke_normal(std::__1::shared_ptr<NetworkProxy>, bool, CFStreamError) + 64 18 CFNetwork 0x32f2c ProxyConnectionEstablishment::postProxyConnectionConfiguration(__CFAllocator const*, std::__1::shared_ptr<TransportConnection>, NSObject<OS_nw_parameters>*, __CFHTTPMessage*, HTTPConnectionCacheKey*, std::__1::shared_ptr<MetaAuthClient>, SmartBlockWithArgs<std::__1::shared_ptr<NetworkProxy>, bool, CFStreamError>) + 664 19 CFNetwork 0x32bbc Tube::postConnectConfiguration(NSObject<OS_tcp_connection>*, NSObject<OS_nw_parameters>*, void () block_pointer) + 744 20 CFNetwork 0xc19b0 invocation function for block in NWIOConnection::_setupConnectionEvents() + 2360 21 libdispatch.dylib 0x132e8 _dispatch_block_async_invoke2 + 148 22 libdispatch.dylib 0x40d0 _dispatch_client_callout + 20 23 libdispatch.dylib 0xb6d8 _dispatch_lane_serial_drain + 744 24 libdispatch.dylib 0xc214 _dispatch_lane_invoke + 432 25 libdispatch.dylib 0xd670 _dispatch_workloop_invoke + 1732 26 libdispatch.dylib 0x17258 _dispatch_root_queue_drain_deferred_wlh + 288 27 libdispatch.dylib 0x16aa4 _dispatch_workloop_worker_thread + 540 28 libsystem_pthread.dylib 0x4c7c _pthread_wqthread + 288 29 libsystem_pthread.dylib 0x1488 start_wqthread + 8 [Here is the complete crash report.](https://developer.apple.com/forums/content/attachment/58b5bb7d-7c90-4eec-906c-4fb76861d44b)

The CA/Browser Forum has voted (cf. https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ?pli=1) to eventually reduce the maximum validity period for a SSL certificate from 398 days to 47 days by March 2029. This makes statically pinning a leaf certificate rather challenging. What are the consequences for App Transport Security Identity Pinning as it exists today?

Sometimes when adding a VPN configuration, it just redirects to the Settings app and doesn’t continue with the rest of the configuration process like prompting for passcode. But it proceeds as normal after the 2nd or 3rd try. This issue is occurring on iOS 18.5 build 22F5068a but it has been a problem over several versions now. Feedback ID: FB17458055

I'm getting "unsatisfied (Local network prohibited)" when trying accessing my local http server running on mac (http://192.168.0.12:8000/test.txt) from an app running on iPhone with iOS 18.4. That's using URLSession, nothing fancy. This is the contents of the plist file of the app: NSAppTransportSecurity NSExceptionAllowsInsecureHTTPLoads true NSAllowsArbitraryLoads true NSAllowsLocalNetworking true NSExceptionDomains 192.168.0.12 NSIncludesSubdomains true NSAllowsLocalNetworking true NSExceptionAllowsInsecureHTTPLoads true NSLocalNetworkUsageDescription Hello The app correctly "prompts" the alert on the first app run, asking if I want to access local network, to which I say yes. Afterwards I could see that Local Network is enabled in iOS settings for the app, yet getting those "Local network prohibited" errors. From testing other global IP + 'http only" sites it feels like NSAllowsArbitraryLoads no longer works as it used to work before. But specifying other test "global" HTTP-only IP addresses in NSExceptionDomains work alright, it's just the local address doesn't. I could access that IP from iOS safari with no problem. The local web site is HTTP only. Googling reveals tons of relevant hits including FAQ articles from Quinn, but whatever I tried so far based on those hits doesn't seem to work.

Our app uses NEVPNManager with IPsec to create VPN. It uses certificate authentication(.p12) and VPN connectivity is working as expected. Now I am trying to apply On demand rules to manage this VPN. let onDemandRule = NEOnDemandRuleConnect() onDemandRule.interfaceTypeMatch = .wiFi onDemandRule.ssidMatch = ["DNET"] NEOnDemandRuleConnect with interfaceTypeMatch and ssidMatch is starting VPN when the rule matches. When I add onDemandRule.dnsSearchDomainMatch = ["pa.test2.com"], it is not switching ON the VPN when I browse the "pa.test2.com" in the safari. I also tried *.test2.com and *.com. None of these domains switching ON the VPN. Can you please help me if I am missing anything?

Hello, im currently developing proxy app with XrayCore trying to bypass APNs when tunnel us up and i found .excludeAPNs property in NETunnelProviderProtocol that works only when includeAllNetworks property is also TRUE. I wonder if there is a possible way to make APNs bypass tunnel in split tunnelling mode? because we use excludedRoutes and full tunnel is not an option

I have 3 phones iPhone 14 iOS 18.3 iPhone Xr iOS 18.5 iPhone Xr iOS 18.4.1 My app has a network extension, and I've noticed each phone having their connectivity interupted by calls on the push provider, calling stop with the noNetworkAvailable reason. The point of confusion is that each phone seems to get it's interuption at different times. For example one will get an interuption at 1:00, while the others is fine, while at 3:00 another will get an interuption, while the others are fine. This is confusing since a "no network available" seems to imply a problem with the router, or access point, but if that were the case, one would believe it should affect all the phones on the wifi. I don't see less interuptions on the iPhone14 vs the iPhone Xr. Do you believe the iOS version is affecting the performance? Could you please give me some insight, as to what could be going on inside these phones? P.S. I also see an error pop up when using NWConnection, this is inside the App. The state update handler will sometimes return the state, waiting(POSIX(.ENETDOWN)) Is there any relation to what's going on in the extension?

Hi, I run a PacketTunnelProvider embedded within a system extension. We have been having success using this; however we have problems with accessing certificates/private keys manually imported in the file-based keychain. As per this, we are explicitly targeting the file-based keychain. However when attempting to access the certificate and private key we get the following error: System error using certificate key from keychain: Error Domain=NSOSStatusErrorDomain Code=-25308 "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed As per the online documentation, I would expect to be prompted for the access to the application: When an app attempts to access a keychain item for a particular purpose—like using a private key to sign a document—the system looks for an entry in the item’s ACL containing the operation. If there’s no entry that lists the operation, then the system denies access and it’s up to the calling app to try something else or to notify the user. If there is an entry that lists the operation, the system checks whether the calling app is among the entry’s trusted apps. If so, the system grants access. Otherwise, the system prompts the user for confirmation. The user may choose to Deny, Allow, or Always Allow the access. In the latter case, the system adds the app to the list of trusted apps for that entry, enabling the app to gain access in the future without prompting the user again But I do not see that prompt, and I only see the permission denied error in my program. I can work around this one of two ways Change the access control of the keychain item to Allow all applications to access this item. This is not preferable, as it essentially disables any ACLs for this item. Embed the certificate in a configuration profile that is pushed down to the device via MDM or something similar. This works at a larger scale, but if I'm trying to manually test out a certificate, I don't always want to have to set this up. Is there another way that I go about adding my application to the ACL of the keychain item? Thanks!

Dear apple: Our app uses the BSD socket interface for socket communication over the local area network. However, when using the socket's connect interface, some iPhone devices fail, and the socket has also bound the local Wi-Fi card's IP using the bind interface. The errno is 65, indicating "no route." We have checked that the app has already requested local network permissions and permissions to use the local area network. The TCP server on the other end is also listening normally. Please help us see if any additional permissions need to be requested. Thank you

Hi, I'm very new to everything related to networking and I've been trying to make some sort of "parental control" app for macOS where if the user tries to access some website domain (e.g youtube.com) the request is denied and the user can't access the website. Turns out I used NEFilterDataProvider and NEDNSProxyProvider to achieve that but it's not 100% bullet proof. First problem I had is that most of the time I can't access the hostname in the NEFilterDataProvider when trying to extract it from the socketFlow.remoteEndpoint. Most of the time I get the ipv4. And the problem is : I don't know the IPV4 behind the domains, specially when they're changing frequently. if let socketFlow = flow as? NEFilterSocketFlow { let remoteEndpoint = socketFlow.remoteFlowEndpoint switch remoteEndpoint { case .hostPort(let host, _): switch host { case .name(let hostname, _): log.info("🌿 Intercepted hostname: \(hostname, privacy: .public)") case .ipv4(let ipv4): let ipv4String = ipv4.rawValue.map { String($0) }.joined(separator: ".") log.info("🌿 Intercepted IPV4: \(ipv4String, privacy: .public)") So that's why I used the DNSProxyProvider. With it I can get the domains. I succeeded to drop some of the flows by not writing the datagrams when I see a domain to block, but that does not work 100% of the time and sometimes, for youtube.com for example then the website is still reachable (and sometimes it works successfully and I can't access it). I guess because the IP behind the domain has already been resolved and so it's cached somewhere and the browser does not need to send an UDP request anymore to know the IP behind the domain? Is there a 100% bullet proof way to block traffic to specific domains? Ideally I would like to get rid of the DNSProxyProvider and use only the NEFilterDataProvider but if I can't access the hostnames then I don't see how to do it.

I'm new to Control Filter Extensions and have a question about their network capabilities. I'm building an app that processes network data and need to send some results to a remote server. My main questions: Are Control Filter Extensions officially permitted to make outbound UDP connections? I want to confirm this is a supported capability before implementing the network export functionality. What specific entitlements are required for outbound network access? Currently using content-filter-provider - do I need additional network-related entitlements? Are there any restrictions or considerations for UDP data export in production vs development builds? I want to ensure I'm following Apple's guidelines and using the correct entitlements for this type of data export from a Control Filter Extension. Any guidance on the official network capabilities and required setup would be greatly appreciated!

when i am running this app on Iphone13 facing these errors On starting Publisher: failed(-11992: Wi-Fi Aware) [L1 ready, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path satisfied (Path is satisfied), interface: nan0[802.11], ipv4, uses wifi, LQM: unknown, service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: waiting(POSIXErrorCode(rawValue: 50): Network is down) [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: ready [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: failed(-11992: Wi-Fi Aware) OnStarting Subscriber : -11992: Wi-Fi Aware B1 &lt;nw_browse_descriptor application_service _sat-simulation._udp bundle_id=com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L device_types=7f device_scope=ff custom:108&gt;, generic, interface: nan0, multipath service: interactive, attribution: developer: failed(-11992: Wi-Fi Aware)

In our project, we download H5 resources to the local device and then open the H5 pages through WKWebView(-loadFileURL:allowingReadAccessToURL:). When the H5 pages request server resources, cookies are required. Before opening the H5 page, we set the required cookies in the WKHTTPCookieStore using the setCookie method. Additionally, we set the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs properties for the WebView. On other mobile phones, the cookies can be carried normally. However, on mobile phones running the iOS 18.0 system, the cookies cannot be carried. Moreover, this problem only emerged after we upgraded Xcode to version 16.2. We've also tried injecting cookies via JavaScript, but it didn't work(document.cookie = xx=${xx}; path=/; expires=weekday, xx jan xxxx xx:xx:xx GMT; Domain=example.com; Secure; SameSite=None ;). Can anyone help me on this? Thanks in advance.