Hi All, I am working on a macOS System Extension using Apple’s Network Extension Framework, designed to observe and log network activity at multiple layers. The system extension is currently stable and working as expected for HTTP and DNS traffic with 3 providers, getting Socket, HTTP, and DNS logs. Current Architecture Overview The project consists of two Xcode targets: 1. Main App Process Responsible for: Managing system extension lifecycle (activation, configuration) Establishing IPC (XPC) communication with extensions Receiving structured logs from extensions Writing logs efficiently to disk using a persistent file handle Uses: OSSystemExtensionManager NEFilterManager, NETransparentProxyManager, NEDNSProxyManager NWPathMonitor for network availability handling Persistent logging mechanism (FileHandle) 2. System Extension Process Contains three providers, all running within a single system extension process: a) Content Filter (NEFilterDataProvider) Captures socket-level metadata Extracts: PID via audit token Local/remote endpoints Protocol (TCP/UDP, IPv4/IPv6) Direction (inbound/outbound) Sends structured JSON logs via shared IPC b) Transparent Proxy (NETransparentProxyProvider) Intercepts TCP flows Creates a corresponding NWConnection to the destination Captures both HTTP and HTTPS traffic, sends it to HTTPFlowLogger file which bypasses if it's not HTTP traffic. Uses a custom HTTPFlowLogger: Built using SwiftNIO library (NIO HTTP1) Parses up to HTTP/1.1 traffic Handles streaming, headers, and partial body capture (with size limits) Maintains per-flow state and lifecycle management Logs structured HTTP data via shared IPC c) DNS Proxy (NEDNSProxyProvider) Intercepts UDP DNS traffic Forwards queries to upstream resolver (system DNS or fallback) Maintains shared UDP connection Tracks pending requests using DNS IDs Parses DNS packets (queries + responses) using a custom parser Logs structured DNS metadata via shared IPC Shared Component: IPCConnection Single bidirectional XPC channel used by all providers Handles: App → Extension registration Extension → App logging Uses Mach service defined in system extension entitlements Project Structure NetworkExtension (Project) │ ├── NetworkExtension (Target 1: Main App) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── NetworkExtension.entitlements │ ├── Main.storyboard │ └──ViewController.swift │ ├── SystemExtensions (Target 2: Extension Process) │ ├── common/ │ │ ├── IPCConnection.swift │ │ └── main.swift │ │ │ ├── DNSProxyProvider/ │ │ ├──DNSDataParser.swift │ │ └──DNSProxyProvider.swift (DNS Proxy) │ │ │ ├── FilterDataProvider/ │ │ └── FilterDataProvider.swift │ │ │ ├── TransparentProxyProvider/ │ │ ├── HTTPLogParser.swift │ │ ├── LogDataModel.swift │ │ └──TransparentProxyProvider.swift │ │ │ ├── Info.plist │ └── SystemExtensions.entitlements │ Current Capabilities Unified logging pipeline across: Socket-level metadata HTTP traffic (HTTP/1.1) DNS queries/responses Efficient log handling using persistent file descriptors Stable IPC communication between app and extensions Flow-level tracking and lifecycle management Selective filtering (e.g., bypass rules for specific IPs) What's the best approach to add TLS Inspection with MITM proxy setup? Some context and constraints: Existing implementation handles HTTP parsing and should remain unchanged (Swift-based). I’m okay with bypassing apps/sites that use certificate pinning (e.g., banking apps) and legitimate sites. Performance is important — I want to avoid high CPU utilization. I’m relatively new to TLS inspection and MITM proxy design. Questions Is it a good idea to implement TLS inspection within a system extension, or does that typically introduce significant complexity and performance overhead? As NETransparentProxyProvider already intercepting HTTPS traffic, can we redirect it to a separate processing pipeline (e.g., another file/module), while keeping the existing HTTP parser(HTTPFlowLogger - HTTP only parser) intact? What are the recommended architectural approaches for adding HTTPS parsing via MITM in a performant way? Are there best practices for selectively bypassing pinned or sensitive domains while still inspecting other traffic? Any guidance on avoiding common pitfalls (e.g., certificate handling, connection reuse, latency issues)? I’m looking for a clean, maintainable approach to integrate HTTPS inspection into my existing system without unnecessary complexity or performance degradation. Please let me know if any additional details from my side would help in suggesting the most appropriate approach. Thanks in advance for your time and insights—I really appreciate it.

Hi Team, We are implementing HealthKit data sync using HKObserverQuery along with enableBackgroundDelivery and BGTaskScheduler for fallback processing. However, we are observing inconsistent behavior and would like clarification on expected system behavior: For HKObserverQuery: When using enableBackgroundDelivery with frequency .immediate, we sometimes receive updates promptly, but other times we do not receive any trigger at all. Similarly, when using .hourly, our expectation was that updates would be delivered approximately once per hour, but in practice, triggers are delayed, batched, or skipped. For BGTaskScheduler: We are scheduling BGAppRefreshTask with earliestBeginDate set (e.g., 1 hour), but tasks are sometimes delayed by several hours or not triggered predictably. In some cases, tasks are not executed even after extended periods. We would like to understand: Are HKObserverQuery delivery frequencies (.immediate, .hourly, .daily) strictly best-effort hints rather than guaranteed intervals? Under what conditions can observer updates be skipped or significantly delayed? Is there any recommended approach to ensure more reliable periodic syncing of HealthKit data? For BGTaskScheduler, what factors most strongly influence scheduling delays or missed executions? Our goal is to design a reliable sync mechanism, but the lack of deterministic behavior is making it difficult to define expected system behavior. Any clarification or recommended best practices would be greatly appreciated. Thanks in advance!

Hello, I'm seeing an inconsistency in how HKAnchoredObjectQuery applies predicates between its initial results handler and its update handler. Specifically, predicates that filter quantity samples by correlation membership - using either HKQuery.predicateForObjectsWithNoCorrelation() or NSPredicate(format: "%K == nil", HKPredicateKeyPathCorrelation) - are respected in the resultsHandler but silently ignored in the updateHandler. Setup I have three long-running HKAnchoredObjectQuery instances: One for HKCorrelationType(.bloodPressure) - no predicate One for HKQuantityType(.bloodPressureSystolic) - predicate: HKQuery.predicateForObjectsWithNoCorrelation() One for HKQuantityType(.bloodPressureDiastolic) - predicate: HKQuery.predicateForObjectsWithNoCorrelation() The intent of the predicate on the systolic/diastolic queries is to capture only standalone quantity samples written directly by third-party apps - not the constituent sub-samples of an HKCorrelation. The correlation query handles correlated samples. Expected behavior When a BloodPressure correlation is saved to the store, only the correlation query's updateHandler should fire, with 1 new sample. The systolic and diastolic updateHandlers should not fire, since those samples have correlation != nil which is excluded by the predicate. Actual behavior After saving one BloodPressure correlation, all three updateHandlers fire with 1 new object each. The systolic and diastolic update handlers receive the correlated sub-samples despite the predicateForObjectsWithNoCorrelation() predicate. The same predicate correctly filters those kinds of samples out of the initial resultsHandler. Additionally, the same predicate applied in a one-shot HKSampleQuery for the systolic or diastolic type correctly returns 0 results when only correlated readings exist. The problem is only experienced in updateHandler of a long-running HKAnchoredObjectQuery. Tested iOS versions iOS 26.3 iOS 18.7.6 Workaround When an HKAnchoredObjectQuery updateHandler fires with systolic or diastolic samples, I fire a one-shot HKSampleQuery with a compound predicate using the sample UUIDs and predicateForObjectsWithNoCorrelation. Any samples that are part of a correlation are not returned in the HKSampleQuery resultsHandler.

Hi, We have implemented Age Verification in iOS and wanted to test the workflow before releasing the app. How do we test the app before releasing it in production. We currently use Test Flight for testing. We created users in Sandbox but that shows just Texas in Age Assurance.

hello last year at the WWDC Apple announced a app extension for audio playback in CarPlay for iOS apps is there a guide to add this feature because whenever I open my custom music I can hear the music playing trough the car's speakers and I see the album art, but I have no controls on the display of the car the person I white this app for is a indie producer who wants his huge collection to be available for people to enjoy there is no subscription of login

Hi all, I've been observing what appears to be a timing mismatch in how Apple handles Korea trial-to-paid consent, and I wanted to see if other developers are seeing the same thing. Per Korean regulations effective Feb 14, 2025, Apple must obtain explicit user consent before converting a free trial to a paid subscription. Apple handles this via email, push notifications, and an in-app consent option accessible from Settings > Subscriptions. For a 7-day trial in the Republic of Korea storefront, I'm observing: Consent push notifications (Agree to continue your subscription without interruption) start arriving ~1 day after trial redemption, at roughly hourly frequency. However, when the user taps the push and navigates to Settings > Subscriptions, there is no consent option available. The only visible action is "Cancel Free Trial". The consent option only becomes available around day 4 of the trial (i.e., 3 days before renewal, matching Apple's documented messaging cadence [1]). For the first ~3 days, users receive hourly push notifications they cannot act on. The only way to stop them is to cancel the subscription entirely. This is happening across multiple apps in the Korean App Store, so it appears to be a platform-level behavior rather than an app-specific issue. Is anyone else observing this behavior? Any insight from Apple engineers or other developers would be greatly appreciated. [1] https://developer.apple.com/help/app-store-connect/reference/in-app-purchases-and-subscriptions/consent-for-subscription-offer-conversions

Hi everyone, I have developed an app that requires push notifications to notify users to respond to a questionnaire. After login, I inform the user that the app needs push notifications in order to function properly, and I request their consent to receive notifications. However, during the review process, Apple keeps rejecting the app with the following message: Issue Description The app requires push notifications in order to function. Next Steps Push notifications must be optional and must obtain the user's consent to be used within the app. Anyone knows how to fix this problem? Thank You

Just curious if there is anyway to expedite the FamilyControl entitlement. I have seen few people stuck in this step for few days. I submit mine on the 4/18, and my Case ID: 102874096254 Just want to see if I can see any estimate time for my request. Thanks, Jing

Hey my app subscriptions are currently in review whilst my app has been approved 2 times, i need this to be approved to start marketing it.

Hi, I have a problem with watchOS widget configuration intents. It turns out that watchOS is unable to load text for localization keys. This is how I set configuration parameter in WidgetConfigurationIntent: @Parameter( title: LocalizedStringResource( "watchWidgetConfig.showSymbols", defaultValue: "Symbole", table: "WidgetLocalizable", bundle: widgetBundle ), default: true ) var showSymbols: Bool Unfortunately, on a device always the defaultValue is used. I tried everything and nothing works. What's weird, it correctly works on watchOS simulator and if you configure widgets in iOS "Watch" app. On real Apple Watch, the "defaultValue" is displayed. I'm not sure if it's important but both: the Swift file with WidgetConfigurationIntent and WidgetLocalizable.xcstring are included in two targets: Watch Widget Extension and Watch App. I tried so far: All variants of LocalizableStringResource init. With/without "table", with/without "bundle". Previously I had texts in Localizable.strings, I migrated it to WidgetLocalizable.xcstrings and it didn't work either. Setting only one target for WidgetLocalizable.xcstring and WidgetConfigurationIntent. I checked inside xcarchive to see if WidgetLocalizable.xcstring is copied correctly. Seems like watchOS bug, but I would be happy to know if someone figured out any workaround. Xcode: Version 26.4 (17E192) iOS 26.4.1 watchOS 26.4 I already created a ticket: FB22509406

Hi, I’m having an issue where my auto-renewable subscriptions keep detaching from my app version after I submit the build in App Store Connect. Details: App ID: com.growthsync.app Platform: iOS (Capacitor build) Using auto-renewable subscriptions What’s happening: I attach all subscriptions to the app version under “In-App Purchases” Everything looks correct before submission After submitting, the subscriptions become detached or require localisation to be re-entered again This happens every time I resubmit Additional issue: Subscriptions are not working in TestFlight either It feels like they are not properly linked to the binary What I’ve already checked: Product IDs match exactly in code and App Store Connect Subscriptions are in the correct group All localisation fields are filled within character limits Products show as “Ready to Submit” before attaching I reattach them before every submission Questions: Why would subscriptions repeatedly detach after submission? Is this a known App Store Connect issue? Is there a specific order required when creating, localising, and attaching subscriptions? Could this be related to the binary not recognising the products? This is currently blocking release so any help would be appreciated. Thanks.

Hello, For the past few days I have been working on integrating a Crash Reporter called "BugSplat" to our macOS desktop app and it got me thinking, how do crash reporters work on macOS ? After days of trial and error (and claude's help) I managed to integrate it but with a different behavior than windows. On Windows: When the app crashes, the BugSplat crash report window opens and allows you to write your details and message to be sent with the crash report (along with a log file) On macOS: It displays the normal macOS' "App exit unexpectedly", to which I click dismiss. But then when I re-open the app the BugSplat crash report window appears. I asked claude if I can avoid the normal macOS dialog entirely, to which it replied: "This is by design — BugSplat macOS is a next-launch crash reporter, not an in-process one. Here's why that's intentional and unavoidable: When a process crashes (SIGSEGV, SIGBUS, etc.), macOS's ReportCrash daemon independently monitors all processes and shows the "quit unexpectedly" dialog — there's no API to suppress it. Meanwhile, BugSplat's Mach exception handler captures the crash data to disk. On the next launch, BugSplat finds that crash data and shows its dialog. This is the same model used by every macOS crash reporter (PLCrashReporter, Firebase Crashlytics on macOS, etc.). The process heap is in a corrupted state at crash time, so showing UI from inside the crashed process is unreliable." LLMs sometimes speak confidently even when they're wrong so that's why I'm asking: Is it really true that that's the normal behavior for every crash reporter? And is it really that huge of a change to overwrite the macOS dialog entirely ? Thank you in advance and sorry for the long paragraph

Hello! My subscriptions have been stuck in review for a while. I have been chasing my tail trying to get the sandbox purchases to work but the subscriptions are not returning after "sale". Is this because the subscriptions are still in review? Will the purchase ever return a product in the sandbox environment if the products are still in review? How do we get the subscriptions approved? I have submitted them with the app multiple times. The app is rejected because I can't complete it without the subscriptions but the subscriptions are never reviewed. Help!

My enterprise app requires a launch daemon that provides services to support my Security agent plugin. I bundle everything in an App and install using AirWatch. This all used to work until something changed, either AirWatch or the MacOS version. Now the install fails because my SMAppService instance returns an error when .register is called: Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} If I install by opening my installer package as a user, the install always succeeds. The app is an enterprise app and is not distributed through the App Store. The app also installs a security extension. The security extension is installed and activated before any calls to SMAppService. I can't figure out what has changed in the last few months that would cause the error, or how to fix this. Any help or pointers would be appreciated.

I would like to enable the app to persist a stable SIM identifier and compare it across app sessions so it can reliably detect when the user has changed SIM cards. When a SIM change is detected—especially while the device is on Wi-Fi—the app should trigger SIM-change handling (for example: refresh auth/session, reload account-specific data, and update feature availability). The implementation must be robust for: Dual-SIM and eSIM devices Temporary network unavailability or delayed carrier info Current challenge: On Wi-Fi, the existing hash can distinguish a different operator but cannot reliably detect a SIM-card-level change. We need a way to uniquely identify the SIM card itself, not just the operator.

I’m looking for some advice regarding the usage of temporary exception entitlements in Mac App Store apps. Specifically the Apple Event Temporary Exception to communicate with other third party applications (not first-party macOS system apps): The Best Practices for Submitting Scriptable and AppleScript Apps to the Mac App Store section is a bit vague (how to 'request' a temporary entitlement?) and I couldn't find it mentioned in the Review Guidelines. Before designing, implementing and testing functionality based on the Apple Event Temporary Exception I’d like to know if these entitlements would: A. Always be rejected on the Mac App Store B. Only accepted in highly specific use cases C. Accepted if there is a clear use case and sufficient argumentation For this particular use case I’d like to send Apple Events to Adobe Illustrator and QuarkXPress. The application helps the user with some design tasks in their documents. The app requests the currently open documents and accesses document content to process used design elements. This is optional functionality that the user must explicitly enable in the app. I’m aware that the com.apple.security.scripting-targets entitlement is preferred. (Side question: are these always allowed or can they also be rejected for third party app scripting?) However, many third party applications don’t offer any scripting access groups in their definition, including Adobe Illustrator and QuarkXPress in this case. So before spending a lot of time implementing this feature I’d like to have some indication whether it is unlikely that sending Apple Events to third party apps will be allowed on the Mac App Store. Thanks for any insights!

We have recently enrolled to the platform integrator program in order to be able to use this API https://developer.apple.com/documentation/applepaywebmerchantregistrationapi to verify our customers' domains for apple pay. We have distributed certifications and the domain association file and have successfully conducted the domain verification call. Consequently, the domain is registered for a given merchant. However, when conducting a payment session request, we receive an error response saying that the domain is not registered. Specific example: We POST to https://apple-pay-gateway.apple.com/paymentservices/registerMerchant with body: { "domainNames": [ "example.com" ], "encryptTo": "platformintegrator.com.example", "partnerInternalMerchantIdentifier": "example", "partnerMerchantName": "example" } and get a 200 response. The apple server successfully conducts the call to the example.com/.well-known/apple-developer-merchantid-domain-association resource. Then the GET request to https://apple-pay-gateway.apple.com/paymentservices/merchant/example lists the domain for this merchant: Response { "domainNames": [ "example.com" ], "partnerMerchantName": "example", "partnerInternalMerchantIdentifier": "example", "partnerMerchantValidationURI": "/.well-known/apple-developer-merchantid-domain-association", "encryptTo": "<hashed merchant id>", "delegatedCommerce": { "enabled": true } } However, when trying to initiate an apple pay payment session here: POST https://apple-pay-gateway.apple.com/paymentservices/paymentSession Body: { "merchantIdentifier": "platformintegrator.com.example", "displayName": "example", "initiative": "web", "initiativeContext": "example.com" } we receive this error response: { "statusMessage": "Payment Services Exception merchantId=<hashed merchant id> not registered for domain=example.com", "statusCode": "400" } Our assumption is that after registering a domain for a merchant the apple pay process should work. We already have a working apple pay implementation with the traditional domain verification process with merchant IDs. We would like to know if we are missing any detail or what is causing this error in our payment process.

FB: https://feedbackassistant.apple.com/feedback/22556883 We're seeing a small number of production users where both Transaction.currentEntitlements and Transaction.all return zero transactions for a valid, active, non-refunded non-consumable IAP. This makes it impossible to restore the purchase via any StoreKit 2 API. Environment: Xcode 26.4 (Build 17E192) iOS 26.4.1 Direct call to SK2 Transactions.all & Flutter in_app_purchase package v3.2.3 (uses SK2 on iOS 15+) Non-consumable IAP (one-time purchase) What we observe: AppStore.sync() triggers but the purchase stream returns 0 transactions Transaction.all returns empty Transaction.currentEntitlements also returns empty User is confirmed on the correct Apple ID Issue reproduces on both iPhone and Mac for the same Apple ID Issue appears to have started recently for users who previously had no problems Debug log from affected production user: [2026-04-20T08:50:10.744115Z] init: iapAvailable=true [2026-04-20T08:50:10.744566Z] init: isPremium=false [2026-04-20T08:50:10.744567Z] init: triggering silent restorePurchases [2026-04-20T08:50:45.974566Z] restore: started [2026-04-20T08:50:45.986848Z] restore: sk2Transactions count=0 [2026-04-20T08:50:45.993004Z] restore: sk2Direct isVerified=false active=null [2026-04-20T08:50:45.993011Z] restore: sk2Direct inconclusive — falling back to standard restore [2026-04-20T08:51:16.000851Z] restore: timed out after 30s — fallback isPremium=false [2026-04-20T08:51:16.000910Z] restore: completed — succeeded=false foundPurchase=false Unable to reproduce in sandbox — Transaction.all works correctly there. Appears specific to production for a small subset of users. Has anyone else seen this?

I'm building an app with a leaderboard based on users' step counts, so I need the data to sync in real time at minimum. The problem is that when the app is terminated, steps don't seem to be counted at all, so if a user hasn't opened the app in 5 days, the leaderboard ends up completely out of sync. Is it even possible to retrieve this data when the app has been terminated and hasn't been opened? I'm currently using Background Fetch, which works when the app is suspended, slowly, but it does work. However, it does not sync when the app is fully terminated.

Dear Screen Time Team! The Screen Time passcode can be brute-forced without rate limiting by repeatedly attempting guesses through the "Erase All Content and Settings" flow. This allows unlimited passcode attempts with no delay, lockout, or escalation, effectively defeating the purpose of the Screen Time passcode as a parental control mechanism. Impact: Children can bypass Screen Time protections by guessing the passcode No rate limiting enables trivial brute-force attacks (especially for 4-digit codes) Undermines trust in Screen Time as a parental control system Creates real-world safety risks for families relying on Screen Time restrictions Publicly shared methods (e.g. on TikTok) increase likelihood of widespread abuse Steps to Reproduce: Enable Screen Time and set a passcode Open Settings → General → Transfer or Reset iPhone → Erase All Content and Settings When prompted for the Screen Time passcode, enter an incorrect code Repeat the process with different guesses Expected Result: After a small number of incorrect attempts, the system should: enforce exponential backoff delays, or temporarily lock further attempts, or require Apple ID authentication Attempts should be rate-limited across system flows Actual Result: Unlimited passcode attempts are allowed No delay, lockout, or penalty is applied Enables rapid brute-force guessing of the Screen Time passcode Notes: This appears to bypass standard passcode protections that exist in other parts of iOS The issue is especially severe for 4-digit Screen Time passcodes (10,000 combinations) The attack surface is exposed through a system-level reset flow Suggested Fix: Introduce global rate limiting for Screen Time passcode attempts across all entry points Apply exponential backoff after failed attempts Require Apple ID authentication after multiple failures Consider enforcing 6-digit minimum passcodes for Screen Time Log and unify attempt counters across system components Severity: Critical (Security vulnerability enabling brute-force of parental control passcode) See TikTok: https://www.tiktok.com/@aldanaisthebest12170/video/7615053429500644621 Feedback request: FB22263276 – Frederik (one sec app)