Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Post

Replies

Boosts

Views

Activity

[macOS]: DNSServiceQueryRecord is not working as per document
Hi Team, We are using the transparent app proxy in macOS and resolving DNS queries using DNSServiceQueryRecord in the TAP process. According to the documentation, when passing the interfaceIndex as 0, it should be queried on all interfaces, and based on IP rules, it assigns the query to that particular interface. However, when we pass 0, it does not query any of the interfaces. We need to provide the specific interface index.
4
0
232
2w
Content Filter Reporting
I created a content filter app in iOS (swift). The app lets me toggle the content filter ON or OFF. When the content filter is on, it restricts access to one particular url. This works as intended; however, I would like to generate a log that shows the url from each inspected flow (I'm using NEFilterFlow to inspect the url from each webkit flow). Ideally, I'd like the url, the verdict, and the verdict timestamp appended to the log each time a flow passes through the content filter for a decision. I cannot figure out how to capture any data from the flow. I'm even trying to use the NEFilterReport class, but I can't seem to capture any of the data in the report. Can the url even be extracted from a NEFilterReport? I assume it can, since it's part of the flow. I understand that FilterDataProvider can only communicate with FilterControlProvider (on a very limited basis). However, it is my understanding that FilterControlProvider can communicate with the main target. So how can I send the url from FilterDataProvider over to FilterControlProvider, and then onward to the main target to print to the console? I'm starting to read about IPCConnection. Hopefully that is the answer to my question and I will get there in the coming days. If not, please help. There is very limited information out there on the network extension framework and content filtering.
3
0
229
3w
create utun interface add routes to it
Hi, mac 14.4 M1 Chip. I can successfully create the utun interface by calling out to the exec via sudo. The C code for this looks like this:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/kern_control.h>
    #include <sys/ioctl.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <unistd.h>
    #include <errno.h>
    #include <fcntl.h>
    #include <netinet/in.h>
    #include <net/if.h>
    #include <net/if_utun.h>
    #include <sys/sys_domain.h>

    #define UTUN_CONTROL_NAME "com.apple.net.utun_control"
    #define UTUN_OPT_IFNAME 2

    int create_utun_interface(char *ifname) {
        int fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
        if (fd < 0) {
            perror("socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL)");
            return -1;
        }

        // Look up the kernel control id for the utun control.
        struct ctl_info ctlInfo;
        memset(&ctlInfo, 0, sizeof(ctlInfo));
        strncpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name));
        if (ioctl(fd, CTLIOCGINFO, &ctlInfo) == -1) {
            perror("ioctl(CTLIOCGINFO)");
            close(fd);
            return -1;
        }

        struct sockaddr_ctl sc;
        memset(&sc, 0, sizeof(sc));
        sc.sc_id = ctlInfo.ctl_id;
        sc.sc_len = sizeof(sc);
        sc.sc_family = AF_SYSTEM;
        sc.ss_sysaddr = AF_SYS_CONTROL;
        sc.sc_unit = 455; // Unit 455 creates utun454 (unit N maps to utun(N-1)); 0 would let the kernel choose a unit for us.

        if (connect(fd, (struct sockaddr*)&sc, sizeof(sc)) == -1) {
            perror("connect(AF_SYSTEM)");
            close(fd);
            return -1;
        }

        // Ask the kernel which interface name was assigned.
        socklen_t ifname_len = IFNAMSIZ;
        if (getsockopt(fd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME, ifname, &ifname_len) == -1) {
            perror("getsockopt(UTUN_OPT_IFNAME)");
            close(fd);
            return -1;
        }
        return fd;
    }

    void remove_utun_interface(const char *ifname) {
        char command[256];
        snprintf(command, sizeof(command), "ifconfig %s down", ifname);
        int result = system(command);
        if (result == -1) {
            perror("system(ifconfig down)");
        } else {
            printf("Removed utun interface: %s\n", ifname);
        }
    }

    int main(int argc, char *argv[]) {
        if (argc > 1 && strcmp(argv[1], "remove") == 0) {
            if (argc != 3) {
                fprintf(stderr, "Usage: %s remove <interface_name>\n", argv[0]);
                return 1;
            }
            remove_utun_interface(argv[2]);
            return 0;
        }

        char ifname[IFNAMSIZ];
        int fd = create_utun_interface(ifname);
        if (fd < 0) {
            printf("Failed to create utun interface\n");
            return 1;
        }
        printf("Created utun interface: %s\n", ifname);

        // Keep the interface up and running
        while (1) {
            sleep(1);
        }
        return 0;
    }

But when I run the exec and then add IP routes etc.:

    sudo ifconfig utun454 10.0.0.2 10.0.0.100 netmask 255.255.255.0 up
    sudo ifconfig utun454 mtu 1500
    sudo sysctl -w net.inet.ip.forwarding=1
    sudo route add -net 10.0.0.0/24 -iface utun454
    sudo route add 90.130.70.73 -iface utun454
    sudo route add 10.0.0.100 -iface utun454

All looks good, but when I do a tcpdump -i utun454 I see no traffic. Should I see traffic when I ping or wget to those IPs in the route table? Tried the default route; see no traffic. If I just add those routes to utun0 and tcpdump it, I see a ton of traffic. What am I missing?
1
0
186
3w
disable ATS
My App needs to send and receive messages to the server, but my server does not have SSL, so I can only disable ATS in the development stage. But if I want to put the app on the shelf, then I still disable ATS when I put it on the shelf, and the server still does not have SSL. Will it be packaged? Is the app warned and terminated by Xcode? Will it be rejected by the Apple audit department? Can it be put on the App Store normally and provided to all users? Note: My server is completely safe without any security risks. I didn't apply for SSL just because I didn't have enough funds.
2
0
238
3w
Wi-Fi scans for Remote ID
Hello, I am curious about possibilities and implementing WiFi scanning functionality in iOS apps, in relation to the concept of Remote ID for unmanned aircraft systems (UAS). Remote ID refers to the ability to identify and locate UAS while they are flying, for example using a smartphone. UAS broadcast e.g. location, speed, the id of the operator, height, and other information. Information is encoded into Bluetooth or Wi-Fi advertisements. I am developing an iOS application for the purpose of collecting data called DroneScanner. It scans for nearby RemoteID packets transferred using Bluetooth and Wi-Fi. I was able to implement Bluetooth scans using CoreBluetooth API but I did not find a way to implement Wi-Fi scanning. It is crucial for our users to be able to use Wi-Fi scans because it is one of the methods in the Remote ID standard and we also get negative reviews for missing it. I would need to access a list of Wi-Fi points that are visible from the device and also the raw content of the advertisements so I can parse them into Remote ID packets. I am also interested in understanding any limitations or restrictions regarding access to WiFi network information, as well as any recommended approaches for adhering to Apple's guidelines and policies. Do I need to enroll in any developer program? Would the NEHotspotHelper be useful in my use case? Thanks
1
0
169
3w
How to programmatically use SFTP in a SwiftUI macOS app?
Is there an easy way to programmatically use SFTP in my SwiftUI macOS app? In my macOS app I need to do things like:
- upload local files to a remote server
- create a directory on a remote server
- download files from a remote server
- delete files on a remote server
I have been researching this subject for a while and people are recommending things like SwiftNIO and libssh. But those seem pretty low level and kind of a headache to use. Another option is to use the sftp CLI command via the Foundation Process object. I like this option and am considering experimenting with this, but it seems like a hack. Will this work on all macOS computers? Is there an easy way to import and use a C/C++ SFTP library in my SwiftUI macOS app? At this point in my research of this subject I feel like I have to go deep down some rabbit hole in order to pull off some SFTP functionality. But I'm wondering, is there some easy way to do this that I'm missing?
1
0
154
3w
How to detect that WiFi has no internet connection?
In some cases the user connects to a WiFi network that doesn't have internet access. The OS itself is able to display a warning in System Settings: However, in my app NWPathMonitor reports that the WiFi path is satisfied. How could I detect that the internet access is not working while WiFi is connected? I could try to connect to my own servers and report failures to the user, but that takes a long time to receive the timeout error. I cannot reduce the timeout, because maybe the user is on a very slow network and long loading time might be expected. But iOS can detect that there is no internet within a few seconds and display a warning, so I wonder how Apple implements it in System Settings and if there is something I can implement in my app.
2
0
202
3w
assumesHTTP3Capable not working only on some iPhones
Hi, We are using HTTP3 only and hence using assumesHTTP3Capable for every request. It worked so far but we have now encountered one iPhone that never honors this flag and always tries to create a connection using TCP:

    [tcp] tcp_input [C1:3] flags=[R.] seq=0, ack=2023568485, win=0 state=SYN_SENT rcv_nxt=0, snd_una=2023568484

The request is created like this:

    let url = URL(string: urlString)!
    var request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 60.0)
    request.assumesHTTP3Capable = true
    return try await urlSession.data(for: request)

iOS: 16 Xcode: 15.3 In what cases would iOS CFNetwork not honor "assumesHTTP3Capable"? (Or how can I find out why?)
4
0
196
3w
IOS 18 Beta 2 bug fix
After a week of testing iOS 18, iPhone XS keeps randomly going up and down on the cellular network, which shows low signal / no service / high signal after I use it for a few minutes. The second bug is keyboard switching; sometimes auto predictive and auto capitalisation don't work in the keyboard. Reported this issue through Feedback Assistant. Please fix this bug in the next iOS 18 beta.
6
2
2.1k
3w
tunnel_server from SimpleTunnel doesn't work
Hi. I'm trying to run tunnel_server from the https://github.com/networkextension/SimpleTunnel sample on macOS Sonoma. The delegate's method netServiceWillPublish is called, but neither netServiceDidPublish nor netService(didNotPublish) is. Firewall is enabled, incoming connections to the tunnel_server app are allowed. The app is not sandboxed and is signed to run locally. When running the app, an Allow Connections prompt pops up, which is allowed.
2
0
139
3w
About "SIMInserted" API
I am using the SIMInserted API on Xcode 16 beta. However, when I checked with a SIM card inserted, it returned "No".
[Environment] Xcode:16beta iOS:18beta1,18beta2
[The modified implementation area is as follows]
1. Add "CarrierDescriptors" to the plist.

    <key>CarrierDescriptors</key>
    <array>
        <dict>
            <key>MCC</key>
            <string>440</string>
            <key>MNC</key>
            <string>10</string>
        </dict>
    </array>

2. Add "SIM Inserted for Wireless Carriers" to the capabilities.

    <key>com.apple.developer.coretelephony.sim-inserted</key>
    <true/>

3. In case of iOS 18 and above, perform SIM detection using "isSIMInserted" of CTSubscriber.

    - (BOOL)isSIMInseted {
        if (@available(iOS 18.0, *)) {
            CTSubscriber *ctSubscriber = [CTSubscriber new];
            return ctSubscriber.isSIMInserted;
        }
        return NO;
    }

Is there any mistake in the implementation steps you provided? Why is it not possible to retrieve the desired information with this implementation? Please assist me.
4
1
321
3w
Transparent Proxy Providers and DNS
We have found a VPN that does not work while our TPP is running, and I have a hypothesis why, and it does not make any sense. It only fails when our TPP asks for UDP flows. Their VPN claims to fail at a DNS query, but it's getting EPIPE (this is Twingate for the curious). Looking at all the logs I can on the system, including dtruss and dtrace, I see that it does a sendto, and gets that errno. I can't, of course, determine more. By adding more logging, I can see that their VPN tunnel provider tries to open up a UDP flow to 8.8.8.8 port 53. First red flag: I did not think we were supposed to get DNS queries -- my guess is that only means for apps that use the system DNS libraries, implying (to me) that this VPN has their own DNS code. We look at the app name, and decide we don't care for it -- handleNewUDPFlow(_:initialEndpoint:) returns false/NO. I see this in the system logs:

    2024-06-26 11:06:56.342680+0100 0x300c839 Default 0x0 40823 0 ${us}.Redirector: (NetworkExtension) [com.apple.networkextension:] [Extension ${us}]: provider rejected new flow UDP ${them}.macos.tunnelprovider[{length = 20, bytes = 0xca1b405e014154c2e38e20159d033f9b2d3eea18}] local port 0 interface en0(bound)

which is all correct. But then the very next log entry is

    2024-06-26 11:06:56.342717+0100 0x300cc14 Info 0x0 0 0 kernel: (399482302): received connect result 61

which, there you go, ECONNREFUSED which will be turned into EPIPE by sendto. (ETA: No, that's not what happens at all. I see other port 53 queries in my logs, and they follow the same, er, flow -- TPP refuses them, next log entry for the flow by the system is result 61.) There is no traffic to 8.8.8.8 over any of the interfaces. I have tried using a NENetworkRule that _excludes_ port 53, but it does not allow that at all. I am very deeply confused by all of this, to the point I'm not quite sure how to begin to articulate a request for help.
If anyone has any thoughts, comments, questions, commiserative howls of agony, I'd appreciate it.
1
0
165
3w
App Transport Security (ATS) blocking https request to valid server, only in production build testflight
Hi, We are developing a React Native app, and we are having an issue with ATS policy in the production build distributed to TestFlight internal testing: requests to https are being killed. The preview build ad-hoc distribution is working fine. (I am testing the app on a physical device.) I will describe what I've tried and supply you with logs from different tools. I tried to:
- disable ATS - requests are working
- enable ATS (no change to default config) - requests are failing with the following error

    Task <55618987-64A8-4C04-9B00-2EFF074D796C>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection., NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, NSUnderlyingError=0x30127bb10 {Error Domain=kCFErrorDomainCFNetwork Code=-1022}}

I tried to check whether the server met ATS requirements and ran ats-diagnostic:

    ./TLSTool s_client -connect api.rankacy.com:443
    * input stream did open
    * output stream did open
    * output stream has space
    * protocol: TLS 1.2
    * cipher: ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    * trust result: unspecified
    * certificate info:
    * 0 + ecPublicKey 256 ecdsa-with-SHA384 'api.rankacy.com'
    * 1 + ecPublicKey 384 sha256-with-rsa-signature 'E6'
    * 2 + rsaEncryption 4096 sha256-with-rsa-signature 'ISRG Root X1'

    nscurl https://api.rankacy.com/ --verbose --ats-diagnostics
    Starting ATS Diagnostics
    Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://api.rankacy.com/.
    A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
    ================================================================================
    Default ATS Secure Connection
    ---
    ATS Default Connection
    ATS Dictionary: { }
    Result : PASS
    ---
    ================================================================================
    Allowing Arbitrary Loads
    ---
    Allow All Loads
    ATS Dictionary: { NSAllowsArbitraryLoads = true; }
    Result : PASS
    ---
    ================================================================================
    Configuring TLS exceptions for api.rankacy.com
    ---
    TLSv1.3
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.3"; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.2
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.2"; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.1
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.1"; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.0
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.0"; }; }; }
    Result : PASS
    ---
    ================================================================================
    Configuring PFS exceptions for api.rankacy.com
    ---
    Disabling Perfect Forward Secrecy
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ================================================================================
    Configuring PFS exceptions and allowing insecure HTTP for api.rankacy.com
    ---
    Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ================================================================================
    Configuring TLS exceptions with PFS disabled for api.rankacy.com
    ---
    TLSv1.3 with PFS disabled
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.3"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.2 with PFS disabled
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.2"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.1 with PFS disabled
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.1"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.0 with PFS disabled
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionMinimumTLSVersion = "TLSv1.0"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ================================================================================
    Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for api.rankacy.com
    ---
    TLSv1.3 with PFS disabled and insecure HTTP allowed
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.3"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.2 with PFS disabled and insecure HTTP allowed
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.2"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.1 with PFS disabled and insecure HTTP allowed
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.1"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---
    ---
    TLSv1.0 with PFS disabled and insecure HTTP allowed
    ATS Dictionary: { NSExceptionDomains = { "api.rankacy.com" = { NSExceptionAllowsInsecureHTTPLoads = true; NSExceptionMinimumTLSVersion = "TLSv1.0"; NSExceptionRequiresForwardSecrecy = false; }; }; }
    Result : PASS
    ---

I am running out of ideas. Also it's hard to test because the preview ad-hoc build is working fine. So only after submitting the app to TestFlight am I having this issue. Looking for your response, Martin
3
0
229
3w
Specify WiFi password for ASDiscoveryDescriptor?
Hello, I am looking into the newly announced Accessory Setup Kit and I'd like to replace my manual WiFi connection setup with it, but I cannot find a way to specify the WiFi password when configuring ASDiscoveryDescriptor; only ssid or ssidPrefix can be specified? Is it really not possible to connect to WiFi with a password with this new framework? That kind of makes it unusable for my use case :( since the accessory has a password.
7
0
267
3w