Most apps perform ordinary network operations, like fetching an HTTP resource with URLSession and opening a TCP connection to a mail server with Network framework. These operations are not without their challenges, but they’re the well-trodden path. If your app performs ordinary networking, see TN3151 Choosing the right networking API for recommendations as to where to start. Some apps have extra-ordinary networking requirements. For example, apps that: Help the user configure a Wi-Fi accessory Require a connection to run over a specific interface Listen for incoming connections Building such an app is tricky because: Networking is hard in general. Apple devices support very dynamic networking, and your app has to work well in whatever environment it’s running in. Documentation for the APIs you need is tucked away in man pages and doc comments. In many cases you have to assemble these APIs in creative ways. If you’re developing an app with extra-ordinary networking requirements, this post is for you. Note If you have questions or comments about any of the topics discussed here, put them in a new thread here on DevForums. Make sure I see it by putting it in the App & System Services > Networking area. And feel free to add tags appropriate to the specific technology you’re using, like Foundation, CFNetwork, Network, or Network Extension. Links, Links, and More Links Each topic is covered in a separate post: The iOS Wi-Fi Lifecycle describes how iOS joins and leaves Wi-Fi networks. Understanding this is especially important if you’re building an app that works with a Wi-Fi accessory. Network Interface Concepts explains how Apple platforms manage network interfaces. If you’ve got this far, you definitely want to read this. Network Interface Techniques offers a high-level overview of some of the more common techniques you need when working with network interfaces. Network Interface APIs describes APIs and core techniques for working with network interfaces. It’s referenced by many other posts. Running an HTTP Request over WWAN explains why most apps should not force an HTTP request to run over WWAN, what they should do instead, and what to do if you really need that behaviour. If you’re building an iOS app with an embedded network server, see Showing Connection Information in an iOS Server for details on how to get the information to show to your user so they can connect to your server. Many folks run into trouble when they try to find the device’s IP address, or other seemingly simple things, like the name of the Wi-Fi interface. Don’t Try to Get the Device’s IP Address explains why these problems are hard, and offers alternative approaches that function correctly in all network environments. Similarly, folks also run into trouble when trying to get the host name. On Host Names explains why that’s more complex than you might think. If you’re working with broadcasts or multicasts, see Broadcasts and Multicasts, Hints and Tips. If you’re building an app that works with a Wi-Fi accessory, see Working with a Wi-Fi Accessory. If you’re trying to gather network interface statistics, see Network Interface Statistics. There are also some posts that are not part of this series but likely to be of interest if you’re working in this space: TN3179 Understanding local network privacy discusses the local network privacy feature. Calling BSD Sockets from Swift does what it says on the tin, that is, explains how to call BSD Sockets from Swift. When doing weird things with the network, you often find yourself having to use BSD Sockets, and that API is not easy to call from Swift. The code therein is primarily for the benefit of test projects, oh, and DevForums posts like these. TN3111 iOS Wi-Fi API overview is a critical resource if you’re doing Wi-Fi specific stuff on iOS. TLS For Accessory Developers tackles the tricky topic of how to communicate securely with a network-based accessory. A Peek Behind the NECP Curtain discusses NECP, a subsystem that control which programs have access to which network interfaces. Networking Resources has links to many other useful resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision History 2025-07-31 Added a link to A Peek Behind the NECP Curtain. 2025-03-28 Added a link to On Host Names. 2025-01-16 Added a link to Broadcasts and Multicasts, Hints and Tips. Updated the local network privacy link to point to TN3179. Made other minor editorial changes. 2024-04-30 Added a link to Network Interface Statistics. 2023-09-14 Added a link to TLS For Accessory Developers. 2023-07-23 First posted.

We are currently working on enhancing our iOS app with satellite mode support, allowing users to access a limited set of core features even in the absence of traditional cellular or Wi-Fi connectivity. As part of this capability, we're introducing a chatbot feature that relies on both WebSocket and HTTP connections for real-time interaction and data exchange. Given the constrained nature of satellite networks—especially in terms of latency, bandwidth, and connection stability—we're evaluating the feasibility of supporting these communication protocols under such conditions. Could you please advise whether WebSocket and HTTP connections are expected to work over satellite networks?

I have few API's written with URLSession. Will they work in Carrier-constrained network / satellite mode ?

If I was to build an app that opened a web server at local host on a random port that resolved subdomains for local host at that port, but there was no certificate authority, signed certificate available to provide HTTPS security, would this be in violation of apples ATS policy

We have an application which is written in Swift, which activates Transparent Proxy network extension. We want to use MDM deployment for this network system extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We don’t have any remote server setup to forward the traffic, instead we open a connection with a certain localhost:port (127.0.0.1:3128) to redirect the traffic which is received in our transparent proxy. We have another module that listens to the particular localhost:port to process the traffic further. As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy documentation, we noticed that we can use the VPN payload with app-proxy as Provider Type for Transparent Proxy. By referring this document, we created the profile. If we provide "127.0.0.1" as RemoteAddress field, we were able to install the profile and also while installing our product, the Transparent Proxy gets mapped with the one which is installed via profile. However after that the network is broken and hence unable to browse anything. We are suspecting the remote server(RemoteAddress) filed is causing this. What value should be provided in the RemoteAddress field?

We are developing a client server application using TCP bsd sockets. When our client is connected to the server, copying another client .app bundle from a file server on the same machine (using Finder or terminal using cp), occasionally causes the first client to disconnect. The client receives an EBROKENPIPE error when attempting to write to its socket. In the Console, the following message appears just before the disconnection: necp_socket_find_policy_match: Marking socket in state 258 as defunct This issue seems to occur only when copying an .app bundle signed with the same TeamIdentifier as the running client. Copying arbitrary files or bundles with a different TeamIdentifier does not trigger the problem. We are running on macOS 15.5. The issue appears specific to macOS 15 and was not observed on earlier versions. Any help or pointers would be greatly appreciated!

We are a Layer 3 VPN provider offering a comprehensive SASE (Secure Access Service Edge) solution that includes TLS inspection, threat protection, granular access control, and secure access to private resources. One of the key challenges we face involves TLS inspection. Many mobile applications, especially on iOS, implement certificate pinning, which causes them to fail when TLS inspection is applied. These apps expect connections to be secured with a specific certificate or trusted certificate authority, and inspection disrupts this trust model. On iOS, the current limitation is that the Packet Tunnel Provider extension does not provide visibility into the originating application (i.e., there is no API to obtain the app’s bundle ID or package name associated with a given network connection). Due to this, we are unable to dynamically determine whether TLS inspection should be bypassed for a particular app. While Apple’s Per-App VPN is one possible solution, it introduces a significant drawback: any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel. This means they do not benefit from any of our SASE features — including secure access to internal resources, DNS/web content filtering, or threat detection. This limits the effectiveness of our solution in environments where both inspection and secure access are critical. We would like to understand whether iOS has any current or planned capabilities to associate a network flow (e.g., a 5-tuple: source IP, destination IP, source port, destination port, and protocol) with the originating app. Such a capability would allow us to programmatically identify certificate-pinned apps and selectively disable TLS inspection without excluding them entirely from the VPN, thereby preserving the full set of SASE protections. Is there any guidance or roadmap update from Apple that addresses this use case?

Context I'm working on a DNS proxy network extension and would like to be able to parse replies from the upstream DNS server for extracting the TTL for caching purposes. I already have a working DNS proxy network extension, but at the moment I am not handling the responses and just forward all queries to an upstream DNS server. My understanding is that I have to take care of result caching myself because I cannot use the system resolver in the DNS proxy network extension. Question What is the best way to parse DNS replies in Swift to extract e.g. the TTL? I found an old thread (https://forums.swift.org/t/parse-dns-packet-requests-and-responses/41797/5) describing a way to achieve this using dns_util. The solution described there works - but dns_parse_packet in dns_util have been marked deprecated since iOS 16. So, I am wondering if there is a better way to achieve the parser. I tried to utilize the dnssd framework but was unable to figure out how to achieve only parsing of the raw DNS reply. If that is possible it would be great to get some pointers.

My application needs local network access. When it is started for the first time, the user gets a prompt to enable local network access (as expected). The application is then shown as enabled in Privacy & Security / Local Network and local network access is working. If macOS is then shutdown and restarted, local network access is blocked for the application even though it is still shown as enabled in Privacy & Security / Local Network. Local network access can be restored either by toggling permission off and on in Privacy & Security / Local Network or by disabling and enabling Wi-Fi. This behaviour is consistent on Sequoia 15.1. It happens sometimes on 15.0 and 15.0.1 but not every time. Is my application doing something wrong or is this a Sequoia issue? If it is a Sequoia issue, is there some change I can make to my application to work around it?

I am trying to intercept localhost connections within NETransparentProxyProvider system extension. As per NENetworkRule documentation If the address is a wildcard address (0.0.0.0 or ::) then the rule will match all destinations except for loopback (127.0.0.1 or ::1). To match loopback traffic set the address to the loopback address. I tried to add NWHostEndpoint *localhostv4 = [NWHostEndpoint endpointWithHostname:@"127.0.0.1" port:@""]; NENetworkRule *localhostv4Rule = [[NENetworkRule alloc] initWithDestinationNetwork:localhostv4 prefix:32 protocol:NENetworkRuleProtocolAny]; in the include network rules. I tried several variations of this rule like port 0, prefix 0 and some others. But the provider disregards the rule and the never receives any traffic going to localhost on any port. Is there any other configuration required to receive localhost traffic in NETransparentProxyProvider?

On macOS Tahoe26.0, iOS 26.0 (23A5287g), Xcode 26.0 beta 3 (17A5276g) 1、Follow this tutorial Downloading asset packs hosted by Apple When i download a background asset packs hosted by Apple, Xcode callback "Download failed: The helper received an invalid server response with the status code “400”." Before downloading, I uploaded the three aar files to the Apple server using the Transporter app. Three Manifest.json content is： {"assetPackID":"bdassets2","downloadPolicy":{"onDemand":{}},"fileSelectors":[{"file":"1.jpg"},{"file":"2.pag"},{"file":"3.mp4"}],"platforms":["iOS"]} and {"assetPackID":"bdassets1","downloadPolicy":{"prefetch":{"installationEventTypes":["firstInstallation","subsequentUpdate"]}},"fileSelectors":[{"file":"1.jpg"},{"file":"2.pag"},{"file":"3.mp4"},{"directory":"a1"}],"platforms":["iOS"]} and {"assetPackID":"bdassets0","downloadPolicy":{"essential":{"installationEventTypes":["firstInstallation","subsequentUpdate"]}},"fileSelectors":[{"file":"1.jpg"},{"file":"2.pag"},{"file":"3.mp4"},{"directory":"a1"}],"platforms":["iOS"]} The same error was reported when the three aar files were obtained. I obtained it using the following code: do {       let assetPack = try await AssetPackManager.shared.assetPack(withID: "bdassets2")       try await AssetPackManager.shared.ensureLocalAvailability(of: assetPack)     } catch {       print("Download failed:", error)     } 2、Follow this tutorial Testing your asset packs locally I use this command line to start the test server：xcrun ba-serve --host 172.17.9.62 bdassets2.aar, The content displayed on the terminal is： Loading asset packs… Loading the asset pack at “bdassets2.aar”… Choose an identity in the panel to continue. Listening on port 56061… When running the project, Xcode reports an error:Download failed: Could not connect to the server. I use iPhone directly visit this website: https://172.17.9.62:56061, on the page display "Hello, world!" There are too few error messages in both of the above questions. I have no idea what the specific reasons are.I hope someone can offer some guidance. Best Regards.

(related post: How to optimize my app for for a carrier-provided satellite network? ) I am trying to implement an app so that it works under a carrier-provided satellite network. The app uses (AS)WebAuthenticationSession for signing in. If the app is entitled to access a satellite network, will (AS)WebAuthenticationSession work as well? How about WKWebView and SFSafariViewController? Is there a way to test(simulate) a ultra-constrained network on a device or a simulator to see the expected behavior? Thanks,

when i am running this app on Iphone13 facing these errors On starting Publisher: failed(-11992: Wi-Fi Aware) [L1 ready, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path satisfied (Path is satisfied), interface: nan0[802.11], ipv4, uses wifi, LQM: unknown, service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: waiting(POSIXErrorCode(rawValue: 50): Network is down) [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: ready [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: failed(-11992: Wi-Fi Aware) OnStarting Subscriber : -11992: Wi-Fi Aware B1 <nw_browse_descriptor application_service _sat-simulation._udp bundle_id=com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L device_types=7f device_scope=ff custom:108>, generic, interface: nan0, multipath service: interactive, attribution: developer: failed(-11992: Wi-Fi Aware)

Our app uses NEVPNManager with IPsec to create VPN. It uses certificate authentication(.p12) and VPN connectivity is working as expected. Now I am trying to apply On demand rules to manage this VPN. let onDemandRule = NEOnDemandRuleConnect() onDemandRule.interfaceTypeMatch = .wiFi onDemandRule.ssidMatch = ["DNET"] NEOnDemandRuleConnect with interfaceTypeMatch and ssidMatch is starting VPN when the rule matches. When I add onDemandRule.dnsSearchDomainMatch = ["pa.test2.com"], it is not switching ON the VPN when I browse the "pa.test2.com" in the safari. I also tried *.test2.com and *.com. None of these domains switching ON the VPN. Can you please help me if I am missing anything?

I'm new to Control Filter Extensions and have a question about their network capabilities. I'm building an app that processes network data and need to send some results to a remote server. My main questions: Are Control Filter Extensions officially permitted to make outbound UDP connections? I want to confirm this is a supported capability before implementing the network export functionality. What specific entitlements are required for outbound network access? Currently using content-filter-provider - do I need additional network-related entitlements? Are there any restrictions or considerations for UDP data export in production vs development builds? I want to ensure I'm following Apple's guidelines and using the correct entitlements for this type of data export from a Control Filter Extension. Any guidance on the official network capabilities and required setup would be greatly appreciated!

Our app is connected to a hardware wifi without network. Under normal circumstances, we can communicate with the device. At some point, the communication suddenly stops, and the ping prompts "No route to host". The only way to reconnect is to restart the device. It feels like the system has marked ARP. Is there any way to reconnect the device without restarting the device?

Hi, I run a PacketTunnelProvider embedded within a system extension. We have been having success using this; however we have problems with accessing certificates/private keys manually imported in the file-based keychain. As per this, we are explicitly targeting the file-based keychain. However when attempting to access the certificate and private key we get the following error: System error using certificate key from keychain: Error Domain=NSOSStatusErrorDomain Code=-25308 "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed As per the online documentation, I would expect to be prompted for the access to the application: When an app attempts to access a keychain item for a particular purpose—like using a private key to sign a document—the system looks for an entry in the item’s ACL containing the operation. If there’s no entry that lists the operation, then the system denies access and it’s up to the calling app to try something else or to notify the user. If there is an entry that lists the operation, the system checks whether the calling app is among the entry’s trusted apps. If so, the system grants access. Otherwise, the system prompts the user for confirmation. The user may choose to Deny, Allow, or Always Allow the access. In the latter case, the system adds the app to the list of trusted apps for that entry, enabling the app to gain access in the future without prompting the user again But I do not see that prompt, and I only see the permission denied error in my program. I can work around this one of two ways Change the access control of the keychain item to Allow all applications to access this item. This is not preferable, as it essentially disables any ACLs for this item. Embed the certificate in a configuration profile that is pushed down to the device via MDM or something similar. This works at a larger scale, but if I'm trying to manually test out a certificate, I don't always want to have to set this up. Is there another way that I go about adding my application to the ACL of the keychain item? Thanks!

[Q] Has there been a change in macOS 15.3.2 and later that can explain why some UDP traffic is not seen by some Network Extensions when it is in previous macOS minor and major versions?

Hello everyone, 👋🏼🤠 I've been struggling with a persistent issue for several weeks and would greatly appreciate any insights or suggestions from the community. ❗️Problem Summary We are sending JSON requests (~100 KB in size) via URLSession from a Swift app running on Windows. These requests consistently time out after a while. Specifically, we receive the following error: Error Domain=NSURLErrorDomain Code=-1001 "(null)" This only occurs on Windows – under macOS and Linux, the same requests work perfectly. 🔍 Details The server responds in under 5 seconds, and we have verified that the backend (a Vapor app in Kubernetes) is definitely not the bottleneck. The request always hits the timeout interval, no matter how high we configure it: 60, 120, 300, 600 seconds – the error remains the same. (timeoutForRequest) The request flow: Swift App (Windows) ---> HTTPS ---> Load Balancer (NGINX) ---> HTTP ---> Ingress Controller ---> Vapor App (Kubernetes) On the load balancer we see this error: client prematurely closed connection, so upstream connection is closed too (104: Connection reset by peer) The Ingress Controller never receives the complete body in these error cases. The content length set by the Swift app exceeds the data actually received. We disabled request buffering in the Ingress Controller, but the issue persists. We even tested a setup where we inserted a Caddy server in between to strip away TLS. The Swift app sent unencrypted HTTP requests to Caddy, which then forwarded them. This slightly improved stability but did not solve the issue. 🧪 Additional Notes The URLSession is configured in an actor, with a nonisolated URLSession instance: actor DataConnectActor { nonisolated let session : URLSession = URLSession(configuration: { let urlSessionConfiguration : URLSessionConfiguration = URLSessionConfiguration.default urlSessionConfiguration.httpMaximumConnectionsPerHost = ProcessInfo.processInfo.environment["DATACONNECT_MAX_CONNECTIONS"]?.asInt() ?? 16 urlSessionConfiguration.timeoutIntervalForRequest = TimeInterval(ProcessInfo.processInfo.environment["DATACONNECT_REQUEST_TIMEOUT"]?.asInt() ?? 120) urlSessionConfiguration.timeoutIntervalForResource = TimeInterval(ProcessInfo.processInfo.environment["DATACONNECT_RESSOURCE_TIMEOUT"]?.asInt() ?? 300) urlSessionConfiguration.httpAdditionalHeaders = ["User-Agent": "DataConnect Agent (\(Environment.version))"] return urlSessionConfiguration }()) public internal(set) var accessToken: UUID? = nil ... } Requests are sent via a TaskGroup, limited to 5 concurrent tasks. The more concurrent tasks we allow, the faster the timeout occurs. We already increased the number of ephemeral ports in Windows. This made things slightly better, but the problem remains. Using URLSessionDebugLibcurl=1 doesn't reveal any obvious issue related to libcurl. We have also implemented a retry mechanism, but all retries also time out. 🔧 Request Flow (Code Snippet Summary) let data = try JSONEncoder().encode(entries) var request = URLRequest(url: url) request.httpMethod = "POST" request.httpBody = data request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization") request.setValue("application/json; charset=UTF-8", forHTTPHeaderField: "Content-Type") // additional headers... let (responseData, response) = try await urlSession.data(for: request) ✅ What We’ve Tried Tested with and without TLS Increased timeout and connection settings Disabled buffering on Ingress Increased ephemeral ports on Windows Limited concurrent requests Used URLSessionDebugLibcurl=1 We don't know how we can look any further here. Thank you in advance for any guidance!

This is the log on the publisher side. Publisher discovered the subscriber, but could not pair. Follow up is sent with response rejected