Hi Forum, We’re building a security-focused SDK for iOS that includes SIM Binding and SIM Swap detection to help prevent fraud and unauthorised device access, particularly in the context of banking and fintech apps. We understand that iOS limits access to SIM-level data, and that previously available APIs (such as those in CoreTelephony, now deprecated from iOS 16 onwards) provide only limited support for these use cases. We have a few questions and would appreciate any guidance from the community or Apple engineers: Q1. Are there any best practices or Apple-recommended approaches for binding a SIM to a device or user account? Q2. Is there a reliable way to detect a SIM swap when the app is not running (e.g., via system callback, entitlement, or background mechanism)? Q3. Are fields like GID1, GID2, or ICCID accessible through any public APIs or entitlements (such as com.apple.coretelephony.IdentityAccess)? If so, what is the process to request access? Q4. For dual SIM and eSIM scenarios, is there a documented approach to identify which SIM is active or whether a SIM slot has changed? Q5. In a banking or regulated environment, is it possible for an app vendor (e.g., a bank) to acquire certain entitlements from Apple and securely expose that information to a security SDK like ours? What would be the compliant or recommended way to structure such a partnership? Thanks in advance for any insights!

We are developing an IoT companion app that connects to the IoT device's Wi-Fi network and communicates with it through local network APIs. To support this functionality, we have: Added the necessary keys in the Info.plist. NSLocalNetworkUsageDescription , NSBonjourServices Used a Bonjour service at app launch to trigger the local network permission prompt. Problem on iOS 18.x (including 18.6 beta) Even when the user explicitly denies the local network permission, our API communication still works. This is unexpected behavior, as we assume denying permission should restrict access to local network communication. We tested this with the latest iOS 18.6 beta (as per Thread 789461021), but the issue still persists. This behavior raises concerns about inconsistent permission enforcement in iOS 18.x. Problem on iOS 17.x In iOS 17.x, if the user accidentally denies the local network permission and later enables it manually via Settings, the change does not take effect immediately. The app cannot access the local network unless the device is restarted, which results in a confusing and poor user experience. Expected Behavior If local network permission is denied, local API communication should be strictly blocked. If the permission is later enabled via Settings, the app should regain access without requiring a device restart. Request We request clarification and resolution on: Why local network APIs are accessible even when permission is denied on iOS 18.x. Whether the delayed permission update (requiring restart) in iOS 17.x is expected or a known issue. Best practices to ensure consistent and predictable permission handling across iOS versions.

We need your assistance as we are currently facing an issue without a workaround for users on macOS 15.4 and 15.5. FeedbackID: FB17547675 The problem has been observed on macOS versions 15.4 and 15.5. Apple has acknowledged this issue and confirmed that it is fixed in the macOS 15.6 beta. Although we tried to reproduce the issue in our environment, it did not occur, even on macOS 15.5. Therefore, we cannot verify if the fix in macOS 15.6 beta resolves the problem. We are actively working to identify an appropriate workaround for users on macOS 15.5. Some users have reported a failure to obtain an IP address over Wi-Fi, possibly due to a DHCP failure. As a temporary solution, we added logic to restart Wi-Fi programmatically when either an APIPA address (169.254.x.x) or no IPv4 address is detected on the active interface. However, restarting Wi-Fi does not always resolve the issue, and the device may still fail to obtain an IP address over Wi-Fi or Ethernet. Could you advise if there is a reliable method to detect DHCP failure and recover the device from this state? Also, any idea, how we can reproduce this scenario in our machine? Below is the failure. default 2025-06-27 10:07:57.055003 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:07:57.055269 -0700 configd DHCP en0: status = 'no server' default 2025-06-27 10:08:23.336215 -0700 airportd WiFiUsageBssSession:: ChannelAfterRoam=0; ChannelAtJoin=36; FaultReasonApsdTimedOut=0; FaultReasonArpFailureCount=0; FaultReasonBrokenBackhaulLinkFailed=0; FaultReasonDhcpFailure=0; default 2025-06-27 10:08:23.367852 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.367909 -0700 configd DHCP en0: INACTIVE default 2025-06-27 10:08:23.988565 -0700 configd DHCP en0: status = 'media inactive' default 2025-06-27 10:08:23.988703 -0700 configd DHCP en0: INACTIVE info 2025-06-27 10:08:23.988852 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:35.656415 -0700 configd DHCP en0: status = 'network changed' default 2025-06-27 10:08:35.656817 -0700 configd DHCP en0: INIT default 2025-06-27 10:08:35.656821 -0700 configd DHCP en0: supplying device type 'Mac' info 2025-06-27 10:08:35.656934 -0700 configd DHCP en0: busy default 2025-06-27 10:08:35.657351 -0700 configd DHCP en0: INIT waiting at 0 for 1.358613 info 2025-06-27 10:08:35.657404 -0700 configd DHCPv6 en0: Inactive default 2025-06-27 10:08:37.019229 -0700 configd DHCP en0: INIT waiting at 1.36206 for 2.113913 default 2025-06-27 10:08:39.136955 -0700 configd DHCP en0: INIT waiting at 3.47937 for 4.462224 default 2025-06-27 10:08:43.602229 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:43.603143 -0700 configd DHCP en0: INIT waiting at 7.94533 for 8.128784 default 2025-06-27 10:08:51.735532 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:08:51.735846 -0700 configd DHCP en0: INIT waiting at 16.0786 for 8.749985 default 2025-06-27 10:09:00.488315 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:00.488550 -0700 configd DHCP en0: INIT waiting at 24.8313 for 8.496864 default 2025-06-27 10:09:08.988284 -0700 configd DHCP en0: ARP router: No leases to query for default 2025-06-27 10:09:08.988310 -0700 configd DHCP en0: reported address acquisition failure symptom default 2025-06-27 10:09:08.988579 -0700 configd DHCP en0: INIT waiting at 33.3312 for 8.300735 default 2025-06-27 10:09:17.294478 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:17.294485 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:17.295454 -0700 configd DHCP en0: INIT waiting at 41.6373 for 8.798768 default 2025-06-27 10:09:26.096673 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:26.096688 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:26.097553 -0700 configd DHCP en0: INIT waiting at 50.4394 for 8.807943 default 2025-06-27 10:09:34.909050 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:34.909054 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:34.909375 -0700 configd DHCP en0: INIT waiting at 59.2517 for 8.877971 default 2025-06-27 10:09:43.792458 -0700 configd DHCP en0: ARP router: No leases to query for info 2025-06-27 10:09:43.792464 -0700 configd DHCP en0: symptom failure already reported default 2025-06-27 10:09:43.793641 -0700 configd DHCP en0: status = 'no server' info 2025-06-27 10:09:43.794145 -0700 configd DHCP en0: not busy DNS failure resolver #1 flags : reach : 0x00000000 (Not Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 301000 Route table Destination Gateway Flags Netif Expire 127 127.0.0.1 UCS lo0 127.0.0.1 127.0.0.1 UH lo0 169.254 link#14 UCS en0 ! 169.254.160.160/32 link#14 UCS en0 ! 224.0.0/4 link#14 UmCS en0 ! 224.0.0.251 1:0:5e:0:0:fb UHmLWI en0 239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0 255.255.255.255/32 link#14 UCS en0 !

Hi, Having an issue on one mac using Xcode 16.3 and simulator 18.4. macSO 15.4 We are checking for bonjour: authorizationBrowser = NWBrowser(for: .bonjour(type: "_bonjour._tcp", domain: nil), using: parameters) authorizationBrowser?.stateUpdateHandler = { [weak self] newState in switch newState { ... } } However at the command line we get the error: nw_browser_fail_on_dns_error_locked [B1] nw_browser_dns_service_browse_callback failed: PolicyDenied(-65570) Any idea why this is happening? or what this error means? Thanks Antz

I've a iOT companion app, in which I'll connect to iOT's Wi-Fi and then communicate the device with APIs, for the above functionality we needed local network permission So we enabled neccessary keys in info.plist and at the time of App Launch we trigger local network permission using the following code info.plist <string>This app needs local network access permission to connect with your iOT device and customize its settings</string> <key>NSBonjourServices</key> <array> <string>_network-perm._tcp</string> <string>_network-perm._udp</string> </array> Network Permission Trigger Methods import Foundation import MultipeerConnectivity class NetworkPermissionManager: NSObject { static let shared = NetworkPermissionManager() private var session: MCSession? private var advertiser: MCNearbyServiceAdvertiser? private var browser: MCNearbyServiceBrowser? private var permissionCallback: ((String) -> Void)? func requestPermission(callback: @escaping (String) -> Void) { self.permissionCallback = callback do { let peerId = MCPeerID(displayName: UUID().uuidString) session = MCSession(peer: peerId, securityIdentity: nil, encryptionPreference: .required) session?.delegate = self advertiser = MCNearbyServiceAdvertiser( peer: peerId, discoveryInfo: nil, serviceType: "network-perm" ) advertiser?.delegate = self browser = MCNearbyServiceBrowser( peer: peerId, serviceType: "network-perm" ) browser?.delegate = self advertiser?.startAdvertisingPeer() browser?.startBrowsingForPeers() // Stop after delay DispatchQueue.main.asyncAfter(deadline: .now() + 1.0) { [weak self] in self?.stopAll() // If no error occurred until now, consider permission triggered self?.permissionCallback?("granted") self?.permissionCallback = nil } } catch { permissionCallback?("error: \(error.localizedDescription)") permissionCallback = nil } } func stopAll() { advertiser?.stopAdvertisingPeer() browser?.stopBrowsingForPeers() session?.disconnect() } } extension NetworkPermissionManager: MCSessionDelegate { func session(_: MCSession, peer _: MCPeerID, didChange _: MCSessionState) {} func session(_: MCSession, didReceive _: Data, fromPeer _: MCPeerID) {} func session(_: MCSession, didReceive _: InputStream, withName _: String, fromPeer _: MCPeerID) {} func session(_: MCSession, didStartReceivingResourceWithName _: String, fromPeer _: MCPeerID, with _: Progress) {} func session(_: MCSession, didFinishReceivingResourceWithName _: String, fromPeer _: MCPeerID, at _: URL?, withError _: Error?) {} } extension NetworkPermissionManager: MCNearbyServiceAdvertiserDelegate { func advertiser(_: MCNearbyServiceAdvertiser, didReceiveInvitationFromPeer _: MCPeerID, withContext _: Data?, invitationHandler: @escaping (Bool, MCSession?) -> Void) { invitationHandler(false, nil) } func advertiser(_: MCNearbyServiceAdvertiser, didNotStartAdvertisingPeer error: Error) { print("❌ Advertising failed: \(error)") if let nsError = error as NSError?, nsError.domain == NetService.errorDomain, nsError.code == -72008 { permissionCallback?("denied") } else { permissionCallback?("error: \(error.localizedDescription)") } permissionCallback = nil stopAll() } } extension NetworkPermissionManager: MCNearbyServiceBrowserDelegate { func browser(_: MCNearbyServiceBrowser, foundPeer _: MCPeerID, withDiscoveryInfo _: [String: String]?) {} func browser(_: MCNearbyServiceBrowser, lostPeer _: MCPeerID) {} func browser(_: MCNearbyServiceBrowser, didNotStartBrowsingForPeers error: Error) { print("❌ Browsing failed: \(error)") if let nsError = error as NSError?, nsError.domain == NetService.errorDomain, nsError.code == -72008 { permissionCallback?("denied") } else { permissionCallback?("error: \(error.localizedDescription)") } permissionCallback = nil stopAll() } }``` I want to satisfy this following cases but it's not working as expected # Case1 Working App launches --> trigger permission using above code --> user granted permission --> connect to iOT's Wi-Fi using app --> Communicate via Local API ---> should return success response # Case2 Not working App launches --> trigger permission using above code --> user denied permission --> connect to iOT's Wi-Fi using app --> Communicate via Local API ---> should throw an error I double checked the permission status in the app settings there also showing disabled state In my case case 2 is also return success, even though user denied the permission I got success response. I wonder why this happens the same above 2 cases working as expected in iOS 17.x versions

When CHIPS was introduced in 18.4 it worked well, however on 18.5 it does not appear to work. There do not appear to be release notes about this in 18.5, so can someone provide definitive if this is a defect that will be fixed, or have they already been deprecated?

Hi all, I have a requirement to intercept and modify inbound connections on macOS. For example, if I’m running a server on TCP port 8080 on macOS, I want to intercept all traffic to and from this port. I’m open to working at the level of TCP flows or even raw Ethernet packets, depending on what’s feasible. I’m already successfully using NETransparentProxy to intercept outbound traffic, but I haven’t found a way to handle inbound connections using any of the Network Extension APIs. Is there any supported or alternative approach for intercepting inbound traffic (via NE, NKEs, PF, or something else)? Any guidance would be greatly appreciated. Thanks in advance!

Hello Everyone, I am currently using macOS 15.5 and XCode 16.4. I am using the following code to send/receive multicast packets on multicast group ff02::1 and port 49153 using Apple NF's NWConnectionGroup. import Network import Foundation // Creating a mutlicast group endpoint let multicastIPv6GroupEndpoint: NWEndpoint = NWEndpoint.hostPort(host: NWEndpoint.Host.ipv6(IPv6Address("ff02::1")!), port: NWEndpoint.Port("49153")!) do { let multicastGroupDescriptor: NWMulticastGroup = try NWMulticastGroup (for: [multicastIPv6GroupEndpoint]) let multicastConnectionGroupDescriptor = NWConnectionGroup (with: multicastGroupDescriptor, using: .udp) multicastConnectionGroupDescriptor.stateUpdateHandler = { state in print ("🕰️ Connection Group state: \(state)") if state == .ready { multicastConnectionGroupDescriptor.send (content: "👋🏻 Hello from the Mac 💻".data (using: .utf8)) { err in print ("➡️ Now, I am trying to send some messages.") if let err = err { print ("💥 Error sending multicast message: \(err)") } else { print ("🌚 Initial multicast message sent") } } } } multicastConnectionGroupDescriptor.setReceiveHandler { message, content, isComplete in if let content = content, let messageString = String (data: content, encoding: .utf8) { print ("⬅️ Received message: \(messageString)") } } multicastConnectionGroupDescriptor.start (queue: .global()) } catch { print ("💥 Error while creating Multicast Group: \(error)") } RunLoop.main.run() I am able to successfully create a NWConnectionGroup without any warnings/errors. The issue occurs when the stateUpdateHandler's callback gets invoked. It first gives me this warning: nw_listener_socket_inbox_create_socket IPV6_LEAVE_GROUP ff02::1.49153 failed [49: Can't assign requested address But then it shows me that the state is ready: 🕰️ Connection Group state: ready After this, when the send is performed, it gives me a bunch of errros: nw_endpoint_flow_failed_with_error [C1 ff02::1.49153 waiting parent-flow (unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, ipv6, uses wifi)] already failing, returning nw_socket_connect [C1:1] connectx(7, [srcif=0, srcaddr=::.62838, dstaddr=ff02::1.49153], SAE_ASSOCID_ANY, 0, NULL, 0, NULL, SAE_CONNID_ANY) failed: [48: Address already in use] nw_socket_connect [C1:1] connectx failed (fd 7) [48: Address already in use] nw_socket_connect connectx failed [48: Address already in use] nw_endpoint_flow_failed_with_error [C1 ff02::1.49153 in_progress socket-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, ipv6, dns, uses wifi)] already failing, returning There is no other background process running on the same port. I tried using different ports as well as multicast groups but the same error persists. The same code works fine for an IPv4 multicast group. I have following questions: Why am I getting these errors specifically for IPv6 multicast group but not for IPv4 multicast group? Are there any configurations that needed to be done in order to get this working?

We are developing an iOS application with a key feature designed to enhance user safety: real-time assessment of Wi-Fi network security. The "Safe Wi-Fi" feature aims to inform users about the security level of the Wi-Fi network they are currently connected to. Our goal is to provide this information seamlessly and continuously, even when the user isn't actively using the app. Currently, we've implemented this feature using a NWPathMonitor. The limitation of NWPathMonitor is that it doesn't function when the app is in a kill state. We are looking for guidance on how to achieve persistent Wi-Fi security monitoring in the background or when the app is killed. Is there any API (Public, Special API, etc) or a recommended approach that allows for real-time Wi-Fi connection monitoring (including connection changes and network details) even when the app is not actively running or is in a kill state. Thank you in advance for your help.

Hey everyone, I’m developing an app for visionOS where I need to display the Apple Vision Pro’s current IP address. For this I’m using the following code, which works for iOS, macOS, and visionOS in the simulator. Only on a real Apple Vision Pro it’s unable to extract an IP. Could it be that visionOS currently doesn’t allow this? Have any of you had the same experience and found a workaround? var address: String = "no ip" var ifaddr: UnsafeMutablePointer<ifaddrs>? = nil if getifaddrs(&ifaddr) == 0 { var ptr = ifaddr while ptr != nil { defer { ptr = ptr?.pointee.ifa_next } let interface = ptr?.pointee let addrFamily = interface?.ifa_addr.pointee.sa_family if addrFamily == UInt8(AF_INET) { if let name: Optional<String> = String(cString: (interface?.ifa_name)!), name == "en0" { var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST)) getnameinfo(interface?.ifa_addr, socklen_t((interface?.ifa_addr.pointee.sa_len)!), &hostname, socklen_t(hostname.count), nil, socklen_t(0), NI_NUMERICHOST) address = String(cString: hostname) } } } freeifaddrs(ifaddr) } return address } Thanks in advance for any insights or tips! Best Regards, David

Recently, my application was having trouble sending udp messages after it was reinstalled. The cause of the problem was initially that I did not grant local network permissions when I reinstalled, I was aware of the problem, so udp worked fine after I granted permissions. However, the next time I repeat the previous operation, I also do not grant local network permissions, and then turn it back on in the Settings, and udp does not work properly (no messages can be sent, the system version and code have not changed). Fortunately, udp worked after rebooting the phone, and more importantly, I was able to repeat the problem many times. So I want to know if the process between when I re-uninstall the app and deny local network permissions, and when I turn it back on in Settings, is that permissions have been granted normally, and not fake, and not required a reboot to reset something for udp to take effect. I'm not sure if it's the system, or if it's a similar situation as described here, hopefully that will help me find out

Simulator: iPhone 16 pro (iOS 26) Minimum Deployments: iOS 16.0+, not iOS 17. Here is the demo: import SwiftUI import NetworkExtension struct ContentView: View { private var monitor = NWPathMonitor() var body: some View { VStack { Text("Hello, world!") } .task { let _ = URLSession.shared } } }

Hi all, I’m developing a companion iOS app that connects to a device-created Wi-Fi hotspot to transfer videos or other files WebSocket. The challenge is: once the iPhone connects to this hotspot, it loses internet access because iOS routes all traffic through Wi-Fi. However, I’d like to keep the iPhone’s cellular data active and usable while staying connected to the local hotspot — so the app can access cloud APIs, or the user can continue using other apps that require internet access. I understand that iOS prioritizes Wi-Fi over cellular, but are there any supported workarounds or patterns (e.g., MFi programs, local-only Wi-Fi access, NEHotspotConfiguration behavior, etc.) that : • Using Wi-Fi only for local communication; • cellular to remain active for internet access. Any insights or Apple-recommended best practices would be greatly appreciated — especially any official references regarding MFi Accessory setup or NEHotspotConfiguration behavior in this context. Thanks in !

Either processInfo.hostName should return the same info as UIDevice.name ("iPhone") or it should require the same entitlement that UIDevice.name does to return the actual result. If processInfo.hostName is intended to return the local Bonjour name, why does it need 'local network' permission? Why isn't the 'local network' permission documented for processInfo.hostName as this is hard to track down? Tested on iOS 18.5

Just tried to re-run the code below (previously discussed https://developer.apple.com/forums/thread/747815) and filed as bug: https://feedbackassistant.apple.com/feedback/13678278 Still broken on macOS 26 first beta. Any chance anything can be done about this @eskimo? thanks, Martin import Foundation import Network let localPort: NWEndpoint.Port = 12345 var connections: [NWConnection] = [] func startFlow(remotePort: UInt16) { let params = NWParameters.udp params.allowLocalEndpointReuse = true params.requiredLocalEndpoint = NWEndpoint.hostPort(host: "0.0.0.0", port: localPort) let conn = NWConnection(host: "93.184.216.34", port: .init(rawValue: remotePort)!, using: params) conn.stateUpdateHandler = { newState in print("connection \(remotePort) did change state, new: \(newState)") } conn.start(queue: .main) connections.append(conn) } func main() { startFlow(remotePort: 23456) startFlow(remotePort: 23457) dispatchMain() } main()

We’ve encountered a reproducible issue where the iPhone fails to reconnect to a Wi-Fi access point under the following conditions: The device is connected to a 2.4GHz Wi-Fi network. A Bluetooth audio accessory is connected (e.g. headset). AVAudioSession is active (such as during a voice call or when using the Voice Memos app). The user moves away from the access point, causing a disconnect. Upon returning within range, the access point is no longer recognized or reconnected while AVAudioSession remains active. However, if the Bluetooth device is disconnected or the AVAudioSession is deactivated, the Wi-Fi access point is immediately recognized again. We confirmed this behavior not only in my app but also using Apple's built-in Voice Memos app, suggesting this is not specific to our implementation. It appears that the Wi-Fi system deprioritizes reconnection while AVAudioSession is engaged. Could this be by design? Or is this a known issue or limitation with Wi-Fi and AVAudioSession interaction? Test Environment: Device: iPhone 13 mini iOS: 17.5.1 Wi-Fi: 2.4GHz band Accessories: Bluetooth headset We’d appreciate clarification on whether this is expected behavior or a bug. Thank you!

I'm using Network framework for communication between devices. The first time I instantiate an NWBrowser, it will prompt the user with a popup that says: Allow &lt;app name&gt; to find devices on local networks? The problem is, once I upgraded from Xcode 15.4 to Xcode 16.4, the popup doesn't appear; it says in the debug window: nw_browser_fail_on_dns_error_locked [B1] nw_browser_dns_service_browse_callback failed: PolicyDenied(18,446,744,073,709,486,046) I do have the info.plist keys Privacy-Local Network Usage Description (NSLocalNetworkUsageDescription) and Bonjour Services (NSBonjourServices) so it's not that. Also, It still works on a real device. I think something changed with Xcode 16 that tightened the security on a simulator, or maybe disabled Network framework entirely. It's not the firewall on my computer because that is turned off. I'm using an M1 MacBook Pro.

Hi, We're hoping someone can help us determine why we're running into some odd behavior where a simple HTTP request is intermittently failing with error code NSURLErrorTimedOut (-1001) Background: HTTP request details: The request is sent from a PacketTunnelProvider and is meant to be a Captive Portal check. The request is insecure (HTTP, instead of HTTPS) but we have configured App Transport Security (ATS) to allow insecure HTTP loads from this hostname. See info.plist excerpt below. The request is sent using NSMutableURLRequest/NSURLSessionDataTask using an Ephemeral session configuration. We only modify 2 properties on NSMutableURLRequest The timeoutInterval property is set to 5 seconds. The allowsCellularAccess property is set to NO. No headers or other configuration are modified. NSURLSessionDataTask completionHandler receives an NSError: We checked the NSError's userInfo dictionary for an underlying error (NSUnderlyingErrorKey). The underlying error shows the same code NSURLErrorTimedOut (-1001). We haven't seen any underlying errors with code NSURLErrorAppTransportSecurityRequiresSecureConnection (-1022) . On a laptop, we confirmed that the Captive portal check site is accessible and loads correctly. Laptop and iOS device are on the same Wi-fi. I've witnessed the error in the debugger, and been able to load the site on my laptop at the same time. So, we don't have any reason to believe this is server related. The PacketTunnelProvider is configured to only handle DNS queries and is not intercepting/routing the HTTP traffic. The DNS query for the Captive portal request is handled correctly. In fact, outside of the PacketTunnelProvider, all sites load in Mobile Safari. So, we're not breaking internet on this device. In other words, we have no reason to believe our DNS handling is interfering with the HTTP request since other HTTP requests are working as expected. We setup CFNetwork Diagnostic Logging (https://developer.apple.com/documentation/network/debugging-https-problems-with-cfnetwork-diagnostic-logging) In console.app, we are able to find some logging on the Timeout See excerpt from Console.app's log below. We confirmed that the nscurl tool did not flag the request (https://developer.apple.com/documentation/security/identifying-the-source-of-blocked-connections) All ATS tests run with nscurl were successful. See nscurl command used below. Questions: What are next steps to debug this intermittent timeout? What should we look for in the CFNetwork Diagnostic Logging to help debug the issue further? Thanks in advance for your help! ATS configuration setup in both the UI and the PacketTunnel's info.plist file: <key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>subdomain.subdomain.example.com</key> <dict> <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/> <key>NSIncludesSubdomains</key> <true/> </dict> </dict> </dict> Excerpt from Console.app's log: CFNetwork Example PacketTunnel 10836 Diagnostics default 11:30:33.029032-0700 CFNetwork Diagnostics [3:834] 11:30:32.946 { Did Timeout: (null) Loader: request GET http://subdomain.subdomain.example.com/content/cpcheck.txt HTTP/1.1 Timeout Interval: 5.000 seconds init to origin load: 0.000592947s total time: 5.00607s total bytes: 0 } [3:834] nscurl command $ /usr/bin/nscurl --ats-diagnostics --verbose http://subdomain.subdomain.example.com/content/cpcheck.txt

While trying to use Bonjour, i am encountering an issue. I was following the setup of Bonjour as described here: (https://developer.apple.com/forums/thread/735862) the response is this : nw_browser_fail_on_dns_error_locked [B2] nw_browser_dns_service_browse_callback failed: PolicyDenied(-65570) browser did change state, new: waiting(-65570: PolicyDenied) i tried modifying the info.plist to include NSLocalNetworkUsageDescription and NSBonjourServices but still getting the same a workout or solution is much appreciated !

In our iOS application, we need to list available WiFi networks so that users can select one for device configuration. Here's the workflow: Initially, the hardware device acts as a WiFi Access Point (AP). The app should scan for nearby WiFi networks to detect the device's AP. The app connects temporarily to this AP and sends the selected WiFi credentials to the device. The device then connects to the selected WiFi network and stops broadcasting its AP. Is this flow achievable on iOS? We understand that Apple restricts access to WiFi scanning APIs — are there any supported methods (e.g., using NEHotspotHelper) or entitlements (such as MFi) that could enable this?