If I run an app with a Message Filter Extension on a handset with iOS 18.2 then it runs fine, however if I run the exact same app with no changes on a different phone which has iOS 17.6.1 installed then the following error occurs when the extension is enabled within Settings:
dyld[631]: Symbol not found: _$sSo40ILMessageFilterCapabilitiesQueryResponseC14IdentityLookupE21promotionalSubActionsSaySo0abI6ActionVGvs
Networking
Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.
Hello Everyone,
I'm currently working on a cross-platform application that uses IP-based multicast for device discovery across both Apple and non-Apple devices running the same app. All devices join a multicast group "X.X.X.X" on port Y.
For Apple devices, I am using NWConnectionGroup for multicast discovery, while for non-Apple devices, I am using BSD sockets.
The issue arises when I attempt to send a multicast message to the group using NWConnectionGroup. The message is sent from a separate ephemeral port rather than the multicast port Y. As a result, all Apple processes that are using NWConnectionGroup can successfully receive the multicast message. However, the processes running on the non-Apple devices (using BSD sockets) do not receive the message.
My Questions:
Is there a way to configure NWConnectionGroup to send multicast messages from the same multicast port Y rather than an ephemeral port?
Is there any known behavior or limitation in how NWConnectionGroup handles multicast that could explain why non-Apple devices using BSD sockets cannot receive the message?
How can I ensure cross-platform multicast compatibility between Apple devices using NWConnectionGroup and non-Apple devices using BSD sockets?
Any guidance or suggestions would be greatly appreciated!
Thanks,
Harshal
Hello Everyone,
I'm working on a project that involves multicast communication between processes running on different devices within the same network. For all my Apple devices (macOS, iOS, etc.), I am using NWConnectionGroup, which listens on a multicast address "XX.XX.XX.XX" and a specific multicast port.
The issue occurs when a requestor (such as a non-Apple process) sends a multicast request, and the server, which is a process running on an Apple device using NWConnectionGroup (the responder), attempts to reply. The problem is that the response is sent from a different ephemeral port rather than the port on which the multicast request was received.
If the client is behind a firewall that blocks unsolicited traffic, the firewall only allows incoming packets on the same multicast port used for the initial request. Since the multicast response is sent from a different ephemeral port, the firewall blocks this response, preventing the requestor from receiving it.
Questions:
Is there a recommended approach within the NWConnectionGroup or Network.framework to ensure that responses to multicast requests are sent from the same port used for the request?
Are there any best practices for handling multicast responses in scenarios where the requestor is behind a restrictive firewall?
Any insights or suggestions on how to account for this behavior and ensure reliable multicast communication in such environments would be greatly appreciated.
Thanks,
Harshal
I am developing an application that processes a video file stored on a server. I use URLSessionDataTask with a delegate handler to download the file.
It is not necessary to download the entire file at once. Instead, I can load small chunks of the file as needed. This approach helps minimize memory consumption.
I am trying to design a network layer that supports this behavior. Ideally, I would like to have an interface similar to:
func readMoreData(length: Int) async throws -> Data
Problems I Encountered:
It seems that URLSessionDataTask does not allow controlling how many bytes will be downloaded. It always downloads the entire request.
If I call suspend on URLSessionDataTask, the network activity does not stop, and the file keeps downloading.
If I upgrade the dataTask to a StreamTask, the file still downloads, though reading bytes can be done through the StreamTask API.
I would prefer behavior similar to AsyncHTTPClient (a Swift Server library) or Network Framework. These frameworks allow controlling the number of bytes downloaded at a time. Unfortunately, they do not fit the specific requirements of my project.
Am I correct in understanding that controlling the download process is not possible with URLSessionDataTask?
As a possible solution, I am considering using HTTP Range Requests, though this would increase the number of additional server requests, which I would like to avoid.
On macOS I am using a raw socket and PF_ROUTE options to monitor routing table changes, but it looks like that is not supported on iOS.
What are the other ways to achieve real-time monitoring on iOS?
Hi everyone,
Is there any way we can remove the weak ciphers as part of the TLS handshake (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)?
I checked here but still do not see any way to print out and change the cipher suites we want to use:
https://forums.developer.apple.com/forums/thread/43230
https://forums.developer.apple.com/forums/thread/700406?answerId=706382022#706382022
I asked this question of AI and it said that yes it was possible, and gave some sample code
override class func filterConfiguration() -> ILMessageFilterExtensionConfiguration {
    let config = ILMessageFilterExtensionConfiguration()
    // You can specify multiple network URLs
    config.networkURLs = [
        URL(string: "https://api1.example.com/filter")!,
        URL(string: "https://api2.example.com/filter")!
    ]
    return config
}
And said the OS will try the first, and if there's no response within the first few seconds it'll move onto the second.
However, there is no such class as ILMessageFilterExtensionConfiguration AFAICT. If there is, then how do I access/use it? If there isn't, then I wonder how the AI conjured it up?
If multiple urls can be specified, then can the extension also specify a particular API to use and switch between them at some point?
When does the OS call filterConfiguration()?
In order to create a Message Filter Extension it is necessary to set up Shared Web Credentials.
I'd like to form an understanding of what role SWC plays when the OS is making request to the associated network service (when the extension has called deferQueryRequestToNetwork()) and how this differs from when an app directly uses Shared Web Credentials itself.
When an app is making direct use of SWC, it makes a request to obtain the user's credentials from the web site.
However in the case of a Message Filter Extension, there aren't any individual user credentials, so what is happening behind the scenes when the OS makes a server request on behalf of a Message Filtering Extension?
A more general question - the documentation for Shared Web Credentials says "Associated domains establish a secure association between domains and your app.".
Thank you
With the new macOS 15, Apple introduced the new Local Network Privacy feature.
This is causing issues for our customers as - even though they granted the required permission for our software - connections to a server in their local network are being blocked. The situation is not fixed by recent macOS updates.
As far as I know, this issue exists for machines running on Apple Silicon. Systems running macOS versions (e.g. Sonoma) are not affected.
Currently, the workaround is to re-enable the permission under Settings > Privacy & Security > Local Network. The list shows our application with an enabled checkbox. Users now have to de-select the box and then re-select it again for the application to work. They have to do this after each and every reboot of their system, which is slightly annoying (so at the moment we recommend to not upgrade macOS to Sequoia, if possible).
I did some research and saw that other products are also affected by this bug. Is there a solution to this issue or any plans to fix it?
I have a TVML style app on the app store that no longer seems to work. I'm working on converting it to SwiftUI after seeing the WWDC video "Migrate your TVML app to SwiftUI".
I've got most of the code working up until I'm trying to display video from a remote source (my website). It looks like the network connection is blocked, maybe.
On a macOS app I see App Sandbox capabilities that include Network access. I don't see that option for the tvOS app. Am I missing something or is it not needed, and I should look elsewhere?
Thanks, David
I'm building a bluetooth device that is connected to my app. The device I'm building will be connected to the phone as much as possible, and when the user leaves the device's range and then comes back later, I expect the OS to wake the app up when it reconnects in the background using the CoreBluetooth willRestoreState wake up method. Using just CoreBluetooth for pairing, I've confirmed that the phone will reconnect to the device while in the background and the app gets woken up when that happens.
I'm hoping to use ASK for pairing instead as it's a much nicer user experience. When I initiate and confirm pairing via ASK, I can see that it's connected and paired successfully and I see my device and app connected as I expect. But when the device goes away, and the app has been in the background, and then I come in range of the phone, the device never reconnects automatically in Bluetooth settings. When I manually tap the device in settings to connect, it does connect, but I don't think my app gets woken up and restored as I don't see the requests I expect happening when it's in the background.
Does ASK support scanning for peripherals via CoreBluetooth while in the background, or automatic reconnection? I assumed that when my app is launched, I activate the ASAccessorySession session, and the .activated callback will fire, but I'm not seeing that happen.
Is this technical solution reasonable for WKWebView cross-domain issues?
Hi, all
My project uses WKWebView to load an offline package, such as .html/.css/.js, and also requests some resources from a remote server to update pages. So there is a cross-domain problem between local files (file://***) and the remote domain (https://***). Is the following technical solution a reasonable way to fix this problem?
1. Create a custom URLSchemeHandler which conforms to WKURLSchemeHandler
2. Unify local file and remote domain requests into https requests
3. Hook WKWebView https requests
4. Implement the WKURLSchemeHandler delegate method
- (void)webView:(WKWebView *)webView startURLSchemeTask:(id<WKURLSchemeTask>)urlSchemeTask {
    NSURL *url = urlSchemeTask.request.URL;
    if ([url.pathExtension isEqualToString:@"html"]) {
        NSData *data = [[NSData alloc] initWithContentsOfFile:localFilePath];
        NSMutableDictionary *resHeader = [NSMutableDictionary new];
        [resHeader setValue:@"" forKey:@"Access-Control-Allow-Origin"];
        [resHeader setValue:@"charset=UTF-8" forKey:@"Content-Type"];
        [resHeader setValue:@"text/html" forKey:@"Content-Type"];
        NSHTTPURLResponse *response = [[NSHTTPURLResponse alloc]
            initWithURL:url statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:resHeader];
        [urlSchemeTask didReceiveResponse:response];
        [urlSchemeTask didReceiveData:data];
        [urlSchemeTask didFinish];
    } else {
        NSURLSession *defaultSession = [NSURLSession sharedSession];
        NSURLSessionTask *dataTask = [defaultSession dataTaskWithRequest:urlSchemeTask.request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
            [urlSchemeTask didReceiveResponse:response];
            [urlSchemeTask didReceiveData:data];
            [urlSchemeTask didFinish];
        }];
        [dataTask resume];
    }
}
Is this technical solution reasonable, and are there any issues that I haven't considered?
Sincerely,
Looking forward to your reply
We are implementing a Transparent Proxy for HTTPS (via TCP and QUIC).
The following rules are set in startProxy:
settings.includedNetworkRules = [
    NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"), prefix: 0, protocol: .TCP),
    NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "::", port: "443"), prefix: 0, protocol: .TCP),
    NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"), prefix: 0, protocol: .UDP),
    NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "::", port: "443"), prefix: 0, protocol: .UDP)
]
Handling TCP connections seems to work fine. But opening UDP flows from Chrome (or Brave) always fails with
Error Domain=NEAppProxyFlowErrorDomain Code=2 "The peer closed the flow"
(Doing the same for Firefox works!)
BTW: We first create a remote UDP connection (using the Network framework) and when it is in the ready state, we use connection?.currentPath?.localEndpoint as the localEndpoint parameter in the open method of the flow.
Is it a known issue that QUIC connections from Chrome cannot be handled by a Transparent Proxy Provider?
I just want a Mac Catalyst app to be able to look up the SSID of the currently connected Wi-Fi network.
Xcode reports that I can't use CoreWLAN in Mac Catalyst, so I used NEHotspotNetwork, although I am not sure whether Mac Catalyst allows it.
The same code of destination works fine on iPhone, but not on Mac Catalyst and Mac(Designed for iPad).
What is the proper way to get the SSID of the Wi-Fi network in Mac Catalyst?
Is there another way to do this?
The code I tried is below, and I used the CoreLocation API before calling this function.
func getWiFiSsid() {
    NEHotspotNetwork.fetchCurrent { network in
        if let network = network {
            print(network)
        } else {
            print("network is nil!")
        }
    }
}
Below is the entitlements file. The App Sandbox entitlements are removed when I run in Mac (Designed for iPad).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.HotspotConfiguration</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array/>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
</dict>
</plist>
Below is Info.plist file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UILaunchStoryboardName</key>
<string>LaunchScreen</string>
<key>UIMainStoryboardFile</key>
<string>Main</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationPortraitUpsideDown</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>NSLocationUsageDescription</key>
<string>Determine whether the ssid of current Wi-Fi connection</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>Determine whether the ssid of current Wi-Fi connection</string>
</dict>
</plist>
The console log is below.
NEHotspotNetwork nehelper sent invalid result code [1] for Wi-Fi information request
We are developing a tunnel based on transparent proxy system extension. We want to be able to decide whether to handle certain TCP flows based on FQDN.
So, is there a way to peek into TCPFlow data like we can in ContentFilter, which will allow us to parse and check for SNI or Host-header?
As far as I understand, we can read data from flows until we have returned a decision from handleNewFlow.
Hi,
My app makes a TCP connection successfully on macOS 15.
But after restarting the Mac, the app fails to make a TCP connection.
The app is allowed in Settings > Privacy & Security > Local Network.
If I deny it and then allow it again, the app can make tcp connection successfully.
Is it a macOS Sequoia bug?
I'm trying to detect the state of Local Network privacy on macOS Sequoia via NWBrowser, as recommended in https://developer.apple.com/documentation/technotes/tn3179-understanding-local-network-privacy
Regardless of the state of Local Network privacy (undetermined, allowed or denied), NWBrowser receives an update indicating that it's in the ready state.
Scanning does not seem to trigger the Local Network privacy alert for me - I have to use the other recommended method to trigger the prompt. Enabling or disabling Local Network privacy does not seem to send any updates for NWBrowser.
https://developer.apple.com/forums/thread/666431 seems related, and implies that they did receive further updates to NWBrowser.
Filed as FB16077972
Hi,
For one of our requirements, sendProviderMessage is being used to send some event/message from the app to the system extension. In my requirement, the responseHandler in the system extension would get explicitly called after approximately 1 min due to some async file download task.
But I am observing some strange behavior: the responseHandler is getting called implicitly after ~20-30 seconds, even before the code hits the place where it is called explicitly. And that is the only place I'm calling responseHandler.
Can somebody please help with this strange behavior? Is there any implicit timeout interval associated with the responseHandler?
Thanks & Regards,
Preethi
Hello everyone,
We have a use case where we need to disable the sending and receiving of fragmented packets on the network while using NWConnection.
However, even after setting the disableFragmentation flag to true, the connection still sends fragmented packets. We've tried setting the flag as follows, but the packets are still being fragmented:
var connection : NWConnection
var udp_options : NWProtocolUDP.Options
udp_options = NWProtocolUDP.Options()
var connection_parameters = NWParameters(dtls: nil, udp: udp_options)
let ip_options = connection_parameters.defaultProtocolStack.internetProtocol! as! NWProtocolIP.Options
ip_options.disableFragmentation = true
connection = NWConnection (host: "XX.XX.XX.***", port: NWEndpoint.Port(25000), using: connection_parameters)
The issue we are encountering is that even though we've set disableFragmentation to true on the sender, the receiver still receives fragmented UDP packets. This can be observed using Wireshark, where we are sending a 10k byte data from the sender and receiving the fragmented datagram packets on the receiver end while both the devices are on the same WiFi network. Additionally, Wireshark shows that the packet has the "DF" bit set to '0', indicating that fragmentation is allowed.
What is exactly expected from the disableFragmentation flag? Are we misunderstanding how this flag works? Or is there something else we should be doing to ensure that fragmentation is completely disabled?
Looking forward to your insights!
Hello everyone,
I have a question regarding the behavior of network listeners in my application. Here's the scenario I'm seeing:
When I open a .v6 listener, it accepts both IPv4 and IPv6 traffic. However, when I run the netstat -tln command, the socket is shown as udp6.
When I open a NWListener with the IP version set to .any, I receive both IPv4 and IPv6 traffic on the listener. In this case, running netstat -tln shows a udp46 socket.
My understanding is that if I create a socket with .v6, it should only accept IPv6 connections, not both IPv4 and IPv6. However, the .v6 listener appears to be accepting both types of traffic, which is causing some confusion.
Additionally, I am seeking to understand the difference between a udp6 socket and a udp46 socket, and also the difference between sockets created using .v6 and .any. What exactly does udp46 represent, and how is it different from udp6 in terms of accepting traffic?
Is this expected behavior, or is there something I am missing in how the listeners are set up?
Looking forward to hearing your insights!