Hello, I am curious about possibilities and implementing WiFi scanning functionality in iOS apps, in relation to the concept of Remote ID for unmanned aircraft systems (UAS). Remote ID refers to the ability to identify and locate UAS while they are flying, for example using a smartphone. UAS broadcast e.g. location, speed, the id of the operator, height, and other information. Information is encoded into Bluetooth or Wi-Fi advertisements. I am developing an iOS application for the purpose of collecting data called DroneScanner. It scans for nearby RemoteID packets transfered using Bluetooth and Wi-Fi. I was able to implement Bluetooth scans using CoreBluetooth API but I did not find a way to implement Wi-Fi scanning. It is crucial for our users to be able to use Wi-Fi scans because it is one of the methods in the Remote ID standard and we also get negative reviews for missing it. I would need to access a list of Wi-Fi points that are visible from the device and also the raw content of the advertisements so I can parse them into Remote ID packets. I am also interested in understanding any limitations or restrictions regarding access to WiFi network information, as well as any recommended approaches for adhering to Apple's guidelines and policies. Do I need to enroll in any developer program? Would the NEHotspotHelper be useful in my use case? Thanks

Looking into making requests using URLSession via a proxy, on watchOS, and found that in URLSessionConfiguration, there's a proxyConfigurations property. However, since ProxyConfiguration is part of the Network framework, does it means that TN3135 low level networking rules also applies in this case?

In some cases the user connects to a WiFi network that doesn't have internet access. The OS itself is able to display a warning in System Settings: However, in my app NWPathMonitor reports that the WiFi path is satisfied. How could I detect that the internet access is not working while WiFi is connected? I could try to connect to my own servers and report failures to the user, but that takes a long time to receive the timeout error. I cannot reduce the timeout, because maybe the user is on a very slow network and long loading time might be expected. But iOS can detect that there is not internet within a few seconds and display a warning, so I wonder how does Apple implement it in System Settings and if there is something I can implement in my app.

Hi all, Currently working on a shareplay feature where users pull data from a remote source and are able to share it in a volumetric window with others in the facetime call. However, I am running into an issue where the group activity/session seems to be throwing an error on the recipient of the journal's attachment with the description of notSupported. As I understand it, we use GroupSessionJournal for larger pieces of data like images (like in the Drawing Together example) and in my case 3d models. The current flow goes as follows: User will launch the app and fetch a model from remote. User can start a shareplay instance in which the system captures the volumetric window for users to join and see. At this point, only the original user can see the model. The user can press a button to share this model with the other participants using /// modelData is serialized `Data` try await journal.add(modelData) In the group session configuration, I already have a task listening for for await attachments in journal.attachments { for attachment in attachments { ... } } This task attempts to load data via the following code: let modelData = try await attachment.load(Data.self) /// this is where the error is thrown: `notSupported` I expect the attachment.load(Data.self) call to properly deliver the model data, but instead I am receiving this error. I have also attempted to wrap the model data within an enclosing struct that has a name and data property and conform the enclosing struct to Transferable but that continued to throw the notSupported error. Is there something I'm doing wrong or is this simply a bug in the GroupSessionJournal? Please let me know if more information is required for debugging and resolution. Thanks!

Hi. I'm trying to run tunnel_server from https://github.com/networkextension/SimpleTunnel sample on macOS Sonoma. Delegate's method netServiceWillPublish is called, but neither netServiceDidPublish nor netService(didNotPublish) are not. Firewall is enabled, incoming connections to the tunnel_server app are allowed. The app is not sandboxed and signed to run locally. When running the app, Allow Connections prompt pops up which is allowed.

After downloading the Testflight app, the iPhone 15 Pro Max 17.5.1 phone cannot use multicast function, but it can be used normally after restarting the phone. There will be problems with reinstalling and restarting the app. But there are no issues with other phones or system versions. May I ask if this is a defect in the 17.5.1 system?

We are using the Network framework to open TLS listener on the network and set options this way: configure_tls = ^(nw_protocol_options_t tls_options) { sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options); sec_identity_t sec_identity=sec_identity_create(identity); sec_protocol_options_set_local_identity(sec_options, sec_identity); sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12); sec_options=nil; }; This works fine; however, the listener's TLS negotiation only returns the certificate, not the trust chain. We have a requirement from a government agency to return the trust chain: "In addition to the certificate itself, you should provide a “chain” of intermediate certificates that give the connecting browser or client enough information to connect the certificate to a trusted root certificate. Failing to provide intermediates could prevent various browsers and clients from successfully connecting to your service, especially mobile browsers and non-browser clients (such as cURL, and tools based on libcurl). Some browsers will cache intermediates from a previous connection or attempt to automatically download missing intermediates that are presented in a certificate’s Authority Information Access (https://tools.ietf.org/html/rfc5280#section-4.2.2.1) extension, and so it can be easy to miss this problem during initial configuration. Though most browsers have an option to inspect the certificates on a site, they vary in whether they show the exact certificates the server presented or a chain as reconstructed through the fetching of an intermediate listed in the AIA extension. In general: You do not need to serve the trusted root that the certificate chains to. The client will compare the chain to a local root store, so serving the root will only waste bytes and slow the connection. You do need to serve any intermediate certificates that connect your web server certificate to the trusted root. Doing so removes the potential for problems caused by the variation in how clients facilitate trust verification." Is there a way to provide the chain of trust in the TLS options? I could not find any way to do this.

Hi, We are developing react native app, and we are having issue with ATS policy in production build distributed to TestFlight internal testing, requests to https are being killed. The preview build ad-hoc distribution is working fine. (I am testing the app on physical device) I will described what I've tried and supply you with logs from different tools. I tried to disable ATS - requests are working enable ATS (no change to default config) - requests are failing with following error Task <55618987-64A8-4C04-9B00-2EFF074D796C>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection., NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, NSUnderlyingError=0x30127bb10 {Error Domain=kCFErrorDomainCFNetwork Code=-1022}} I tried to check server if it had met ATS requirements and ran ats-diagnostic ./TLSTool s_client -connect api.rankacy.com:443 * input stream did open * output stream did open * output stream has space * protocol: TLS 1.2 * cipher: ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 * trust result: unspecified * certificate info: * 0 + ecPublicKey 256 ecdsa-with-SHA384 'api.rankacy.com' * 1 + ecPublicKey 384 sha256-with-rsa-signature 'E6' * 2 + rsaEncryption 4096 sha256-with-rsa-signature 'ISRG Root X1' nscurl https://api.rankacy.com/ --verbose --ats-diagnostics Starting ATS Diagnostics Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://api.rankacy.com/. A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error. ================================================================================ Default ATS Secure Connection --- ATS Default Connection ATS Dictionary: { } Result : PASS --- ================================================================================ Allowing Arbitrary Loads --- Allow All Loads ATS Dictionary: { NSAllowsArbitraryLoads = true; } Result : PASS --- ================================================================================ Configuring TLS exceptions for api.rankacy.com --- TLSv1.3 ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.3"; }; }; } Result : PASS --- --- TLSv1.2 ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.2"; }; }; } Result : PASS --- --- TLSv1.1 ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.1"; }; }; } Result : PASS --- --- TLSv1.0 ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.0"; }; }; } Result : PASS --- ================================================================================ Configuring PFS exceptions for api.rankacy.com --- Disabling Perfect Forward Secrecy ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- ================================================================================ Configuring PFS exceptions and allowing insecure HTTP for api.rankacy.com --- Disabling Perfect Forward Secrecy and Allowing Insecure HTTP ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled for api.rankacy.com --- TLSv1.3 with PFS disabled ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.3"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.2 with PFS disabled ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.2"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.1 with PFS disabled ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.1"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.0 with PFS disabled ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.0"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for api.rankacy.com --- TLSv1.3 with PFS disabled and insecure HTTP allowed ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.3"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.2 with PFS disabled and insecure HTTP allowed ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.2"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.1 with PFS disabled and insecure HTTP allowed ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.1"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- --- TLSv1.0 with PFS disabled and insecure HTTP allowed ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.0"; NSExceptionRequiresForwardSecrecy = false; }; }; } Result : PASS --- I am running out of ideas. Also it's hard to test because the preview ad-hoc build is working fine. So only after submitting the app to TestFlight I am having this issue Looking for your response Martin

If "send and receive" on imessages has my Microsoft work email address, can my imessage content be synched with Microsoft ? Because I recently logged into our big data system through SSH client using my work email address, on a Console I saw one of my imessage thread printed. I reached Microsoft and their reply was to get advise reaching out to Apple support as their knowledge of iMessage is limited. Based on general knowledge about data protection the messages are most likely not synced unless there is a setting that you can allow from my side. PLEASE HELP ! This is a Mystery !!

I am updating a universal app for release on iOS 17+ devices using Xcode15.2 and Solar2d v3708. The last release was 7 years ago. The app connects to the local network and used a custom UDP protocol to connect to and control specific hardware devices. The protocol involves transmitting and receiving both broadcast and unicast messages to/from IPV4 capable proprietary devices on the local network. When I run the app in the Solar2d simulator and when I run the current version installed from the App store on my iPad, communications work well. When I build the same code into a new development build and transfer it to my iPad, I found that attempts to send broadcast messages are failing. When I print out the error returned from the socket interface to the console, I see the message is "No Route to Host". I requested multicast capability from Apple and when it appeared on my development portal I updated the App Id to include the multicast entitlement. I updated the development profile to include our new 6th gen IPad and the updated AppID. I downloaded and installed the development profile. That new profile is what I am selecting / using to sign the app. I am using lua socket library to send broadcast messages I created a very basic project with just the basic networking code example and built this for my iPad the results are the same. local socket = require("socket") local main, errorMain = socket.udp6() main:setoption('broadcast', true) local ack, mError = main:sendto("", "::FFFF:255.255.255.255", 3100) print("My Debug Message: Main sending - " .. (ack or "nil") .. ", Error : " .. (mError or "None")) I also tried modifying my code to use udp4 as follows and the results were the same. local socket = require("socket") local main, errorMain = socket.udp4() main:setoption('broadcast', true) local ack, mError = main:sendto("", "255.255.255.255", 3100) print("My Debug Message: Main sending - " .. (ack or "nil") .. ", Error : " .. (mError or "None")) console output: My Debug Message: Main sending - nil, Error : No route to host Any help or insight would be greatly appreciated.

$ tccutil reset All This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission. OS: macOS 15.0

Since the release of macOS 14.0, we have encountered issues with the Content Filtering MDM Payload. This problem is unusual but can be resolved by restarting the system. Prerequisites: macOS 14 or higher Any Mac with a Silicon (ARM) processor Restrictions Payload and Parental Content Filtering Payload must be installed on the device, either manually or through any MDM service Issue Details: When the Parental Content Filtering Payload is removed after installation, it causes internet issues, and browsers display "The site can't be reached". This affects applications as well, with Safari being the only application that continues to work. The issue can be resolved by either re-adding the Content Filtering Payload or restarting the Mac. Links: Restriction Payload: https://drive.google.com/file/d/1buwLFgbjTRXij9ZSv1QrDeRnWbFfKNtq/view?usp=drive_link Content Filtering Payload: https://drive.google.com/file/d/1eAJiBg4N__dML65MRDH7hYCocuTqOCcu/view?usp=drive_link System Logs: https://drive.google.com/drive/folders/1hKKNAoMn_4x1CqMTxz1bPrUucCbftjO9?usp=drive_link Screen Recording: https://drive.google.com/file/d/1uS8CJqe9p9DG9XzhUnIsY35eme4Dxs60/view?usp=drive_link

I saw this sentence in the documentation at https://developer.apple.com/documentation/bundleresources/information_property_list/nsrequirescertificatetransparency: 'Don’t use this key. The current system enforces this behavior, and new certificates can’t meet the requirement on older systems.' I understand that new systems will enable CT (Certificate Transparency) verification by default. However, I created a new demo to verify this on an iOS 13 device, and CT verification was not actually enabled.

I'm unable to reproduce an issue which only seems to occur on App Review devices. It's mainly stuck at a loading screen when trying to sign in with GameCenter. I'm using Microsoft Azure PlayFab as a game backend. I've tested my game on two iPads and three different iPhone models. They're all able to connect to the server. No debug build was installed on those devices via Xcode. I used the same build which was rejected, freshly installed via TestFlight on the internal test track. Looking at my server logs, I can't even find one single request sent from the App Review device. This can only mean that there is some connectivity issue between their device and the server (e.g. a firewall or proxy). I've also implemented a retry mechanism so in case the request times out, it would try it again and after three retries it would eventually display an error message and further details. How shall I figure this issue out, if the only thing the reviewers provided me is a screenshot of the loading screen?

Hi all, My co-worker today noticed that on his Mac running a beta of Sequoia, the IPv6 multicast functionality of our application was no longer working. This same executable works fine under Sonoma and earlier versions of MacOS, and has worked fine for a number of years. Under Sequoia, however, calls to sendto() a packet to an IPv6-link-local-multicast address (e.g. ff12::bead:cede:deed:feed, preceeded by a call to setsockopt(fd, IPPROTO_IPV6, IPV6_MULTICAST_IF, ...) to specify the appropriate network interface index) return -1 and set errno to EHOSTUNREACH aka "No route to host". The interesting thing about it is, this problem only occurs if we launch our app by double-clicking on its icon; if we instead run the app from Terminal (e.g. by entering ./MyApp.app/Contents/MacOS/MyApp), the multicast functionality works as expected. Our app is signed and notarized in all the usual expected ways. My question is, is this "just" a networking regression in the Sequoia beta, or is there some new requirement in macOS/Sequoia for IPv6-link-local-multicast-using apps to have a multicast entitlement (a la iOS) or something?

I have an application that uses Bonjour to communicate with other instances of the app on other devices. If I start an NWBrowser and the user has "Local Network" turned off for my app, the stateUpdateHandler for the browser gets .waiting with an error containing the string "PolicyDenied." This lets me show an alert to the user explaining what's happening, with a link to the app's Settings screen. But if I use NWListener (the counterpart of NWBrowser) and have "Local Network" turned off, there's no indication of any problem. After I start the listener, stateUpdateHandler is called with .ready as the state - even though it's not really ready to listen at all. The FAQ for Local Network Privacy suggests that any Bonjour operation will raise kDNSServiceErr_PolicyDenied if Local Network is off. However, in my application, that only seems to be true for browsing, not listening. Is there a way to detect a missing Local Network entitlement for NWListener? I know there are solutions involving sending a message to localhost, etc, but ideally there would be something simpler.

Due to some challenging corporate network firewall, security filters and certificate management, I would like to implement a TLS server where it initiates the TCP connection to the client side so that once TCP is connected, the client side sends its Client Hello message. Everything then continues as expected. The connection would use Bonjour to locate the TLS client endpoint that is hosted on iOS. The TLS server will be hosted on MacOS. Swapping the normal tcp listener as TLS server will help with certificate management as the Mac will have the server cert installed and the iOS device will have the client cert installed.

Hi! I have been working on one idea for a while but can't figure out the proper way to do that. My app includes Content Filter and DNSProxy providers for filtering logic. And for the NEFilterSocketFlow everything works well, because the connection is first handled from DNSProxy and if it's blocked, NEFilterDataProvider returns datagrams that I wrote from DNSProxy (I return nxdomain). However, for NEFilterBrowserFlow it doesn't work, because webkit generated flows are for some reason intercepted by Content Filter first and at the time when the flow is checked for rules, there're none yet as DNSProxy didn't handle connection yet. So the app returns the following behaviour: In case the requested domain is not filtered by DNSProxy, the user is able to visit requested page, but if it's filtered, the flow just freezes and the page will never load for user. But I wanted to add proper handling and display block page. In case I am using some third-party apps for testing like ICS Dig, filtered domains return nxdomain properly. Not sure if there's a way to achieve desired result, but would be very grateful for any suggestions

Hi, When running my iOS app in Xcode, I got the following message in the console multiple times: [connection] nw_read_request_report [C1] Receive failed with error "Operation timed out" It seems not critical as my app still works, but how can I find out more details of the connection that printed this message? For example, the network request the caused this, or the URL? Xcode: 15.3 iOS 17 SwiftUI app

My company uses a VPN to provide access to cloud services for development purposes. I am unable to reach these services from VMs or devices using Internet Sharing. In both cases, those instances can reach the Internet just fine. Here is what the routing table looks like for the VPN: 100.20.x.x 100.65.0.1 UGHS utun1 100.21.x.x 100.65.0.1 UGHS utun1 100.64/10 utun0 Uc utun0 100.65/16 100.65.0.1 UGSc utun1 If I add a custom pf rule, I can get the VM packets routed to the VPN: nat from 192.168.66.0/24 to 100.65.0.0/16 -&amp;gt; (utun1) But, inexplicably, a similar rule for 192.168.2.0/24 does nothing. Using Wireshark, I still see packets sent out the default interface, instead of being sent through utun1. Two questions: Why doesn't the routing "just work" in this case? I expected that, after the NAT rules installed by the system are applied, the packets destined for 100.64.0.0/15 would be properly routed without the need for any custom rules. What else should I try, either to gather more data or attempt to fix the routing?