Hi, We are trying to use Apple Security API for KeyChain Services. Using the common App Group : Specifying the common app group in the "kSecAttrAccessGroup" field of the KeyChain query, allowed us to have a shared keychains for different apps (targets) in the app group, but this did not work for extensions. Enabling the KeyChain Sharing capability : We enabled the KeyChain Sharing Ability in the extensions and the app target as well, giving a common KeyChain Access group. Specifying this in the kSecAttrAccessGroup field also did not work. This was done in XCode as we were unable to locate it in the Developer portal in Indentifiers. We tried specifying "$AppIdentifier.KeyChainSharingGroup" in the kSecAttrAccessGroup field , but this did not work as well The error code which we get in all these 3 cases when trying to access the Keychain from the extension is error code 25291 (errSecNotAvailable). The Documentation says this error comes when "No Trust Results are available" and printing the error in xcode using the status says "No keychain is available. The online Documentation says that it is possible to share keychain with extensions, but by far we are unable to do it with the methods suggested. Do we need any special entitlement for this or is there something we are missing while using these APIs? We really appreciate any and all help in solving this issue! Thank you

I am trying to activate an application which sends my serial number to a server. The send is being blocked. The app is signed but not sandboxed. I am running Sequoia on a recent iMac. My network firewall is off and I do not have any third party virus software. I have selected Allow Applications from App Store & Known Developers. My local network is wifi using the eero product. There is no firewall or virus scanning installed with this product. Under what circumstances will Mac OS block outgoing internet connections from a non-sandboxed app? How else could the outgoing connection be blocked?

NEAppProxyUDPFlow contains below property: open var localEndpoint: NWEndpoint? { get } Why is localEndpoint not available for NEAppProxyTCPFlow? Is there a way to determine the source port of a flow of type NEAppProxyTCPFlow within the following method of NETransparentProxyProvider? override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {

Hello, I am new to App development, so I am looking for some advice. I want to develop an app for iPhone, which downloads files (pdf, jpg)from a server to the local storage. I also want to get data from the server to be used in my app. This could be a database access or just simple xml files. I want a secure access based on userid and password. Since in a later version, my app should also run on Android Phones, I am reluctant to use iCloud. I was thinking sftp, but that does not seem to be supported for iOS.

It doesn’t seem like there’s any high level, first-party documentation on how to use what is the recommended API for executing networking logic that you otherwise wouldn’t use URLSession for; which is a lot of things. There’s a sample app, and docs on how to choose the right network API in general, but apparently no high level API docs for Network.framework itself. Am I missing something? How do people learn to use this? Know which classes to use? Know the various ways it can be configured?

This is a major issue. After my iPhone 12 Pro was upgraded to iOS 26 beta 6, Apple's official Wi-Fi Aware Sample APP crashed immediately and couldn't be opened. It just force closes. Has any developer encountered this problem?

If the includeAllNetworks flag to true, we cannot update our app via Xcode, TestFlight or the AppStore. In the AppStore and TestFlight cases, it seems that the packet tunnel process is stopped before the new app is downloaded - once the packet tunnel process is stopped, it can’t be started again via Settings/VPN profiles, nor can it be started via the app.

Hello, A quick background: I am developing an App that receives a data stream from a device through its Wi-Fi network. The device itself is not connected to the internet, so the app won't be either. Now, I am adding a new feature to the App that would require internet connection during the data stream. Consequently, my users would need to use their cellular data. On later versions of iPhone, the phone would occasionally detect the lack of internet connection and asks the user via a pop-up if they want to use their cellular data. However, this behavior is not consistent. So my question is- can we programmatically invoke this pop-up so the user can connect to the internet? Or even better- can we program the App to use cellular data while still being connected to a Wi-Fi network? Note: I have seen mixed answers on the internet whether this is doable or not, and I know that users are able do it themselves by manually configuring their IP in their WiFi settings page, but I doubt this operation can be done through the App for security reasons. Thanks!

I'm a long-time developer, but pretty new to Swift. I'm trying to get information from a web service (and found code online that I adjusted to build the function below). (Note: AAA_Result -- referenced towards the end -- is another class in my project) Trouble is, I'm getting the subject error on the call to session.dataTask. Any help/suggestions/doc pointers will be greatly appreciated!!! var result: Bool = false var cancellable: AnyCancellable? self.name = name let params = "json={\"\"}}" // removed json details let base_url = URL(string: "https://aaa.yyy.com?params=\(params)&format=json")! // removed URL specifics do { let task = URLSession.shared.dataTask(with: base_url) { data, response, error in if let error = error { print("Error: \(error)") } guard let response = response as? HTTPURLResponse, (200...299).contains(response.statusCode) else { print("Error \(String(describing: response))") } do { let decoder = JSONDecoder() let ar = try decoder.decode(AAA_Result.self, from: response.value) // removed specific details... result = true } catch { print(error) } } task.resume() } catch { print(error) } return result }

Hello everyone, I'm developing a macOS application with an integrated Content Filter System Extension. Both the main app and the extension are signed with a Developer ID Application provisioning profile. When building in Xcode, I'm encountering an entitlement mismatch error. I've inspected the provisioning profile using the command: security cms -D -i FilterContentExtension-prod-profile.provisionprofile | grep -A 10 com.apple.developer.networking.networkextension And found that the com.apple.developer.networking.networkextension section only contains values with the -systemextension suffix, for example: content-filter-provider-systemextension. However, when I enable Network Extension → Content Filter in Xcode, the .entitlements file is generated with: content-filter-provider. This leads to the error: "Provisioning profile 'FilterContentExtension-prod-profile' doesn't match the entitlements file’s value for the com.apple.developer.networking.networkextension entitlement." My specific questions are: Why does this error occur? How can I use the content-filter-provider entitlement? If I want to use the content-filter-provider entitlement inside com.apple.developer.networking.networkextension for my Content Filter System Extension, what should I do?

Hi all. Title says it all really. I have an app on MacOS that sends multicast UDP to multiple iOS devices. It shows realtime bar numbers of music played back by a playback software. It was all working until I tried a direct ethernet connection between Mac and phone - a scenario that would be quite common in the theatre world where machines dont have internet connection and people dont rely on wifi. How can I choose which interface my app sends the data through? Here is my connection function: func openConnection() { let params = NWParameters.udp params.allowLocalEndpointReuse = true params.includePeerToPeer = true let endpoint = NWEndpoint.hostPort(host: host, port: port) let conn = NWConnection(to: endpoint, using: params) self.connection = conn conn.stateUpdateHandler = { state in switch state { case .ready: print("Multicast connection ready to \(self.host)") UDPClient.console.log("Multicast connection ready to \(self.host)") case .failed(let error): print("Multicast connection failed: \(error)") default: break } } let udpQueue = DispatchQueue(label: "UDPClientQueue") conn.start(queue: udpQueue) } Thanks for any help in advance!

Samsung's Quick Share uses Wi-Fi Aware to achieve one-to-many concurrent sharing. Can Apple's Wi-Fi Aware achieve one-to-many concurrent sharing? Apple's AirDrop does support one-to-many concurrent sharing.

send a request and it returns with timeout Integration Team are Using Fortigate as a firewall and NGINX for some reasons so we use VPN TO Access , requests always succeed but at once it failed with timeout in randomize request not specific one we are using URLSession as a network layer when I retry the same failed request again, it success the request cannot connect apigee Sec Team concern { app session hits the security gateway with lots of SYN step to try to initiate a new session and doesn’t wait for (SYN-ACK / ACK) steps to happen to make sure the connection initiated correctly and gateway consider it flooding attack }

when i am running this app on Iphone13 facing these errors On starting Publisher: failed(-11992: Wi-Fi Aware) [L1 ready, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path satisfied (Path is satisfied), interface: nan0[802.11], ipv4, uses wifi, LQM: unknown, service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: waiting(POSIXErrorCode(rawValue: 50): Network is down) [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: ready [L1 cancelled, local endpoint: , parameters: udp, traffic class: 700, interface: nan0, local: ::.0, definite, attribution: developer, server, port: 65041, path , service: com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L._sat-fileservice._udp scope:0 route:0 custom:107]: failed(-11992: Wi-Fi Aware) OnStarting Subscriber : -11992: Wi-Fi Aware B1 <nw_browse_descriptor application_service _sat-simulation._udp bundle_id=com.example.apple-samplecode.Wi-FiAwareSample94KV3E626L device_types=7f device_scope=ff custom:108>, generic, interface: nan0, multipath service: interactive, attribution: developer: failed(-11992: Wi-Fi Aware)

I’m trying to use the TLS Session Resumption feature in TLS 1.2 and 1.3. I first tested this on iOS, but it didn’t work as expected. To investigate via packet capture, I ran the same code on macOS and saw the same issue. Using URLSession to establish a WebSocket connection, I captured packets in Wireshark to check if Session Resumption was working. The behavior differed from what I expected: 1st TLS handshake – Client Hello does not contain the session_ticket extension (required for session resumption per the TLS spec). 2nd TLS handshake – Client Hello does not contain a pre_shared_key. Test apps: https://github.com/sf-jed-kyung/tls-session-resumption-test Test environment: Xcode 16.3, macOS 15.6, OpenSSL 3.5.1 This repo contains: tls-urlsession-macos – WebSocket via URLSession (shows missing extensions). tls-openssl-macos – Manual TLS handshake via OpenSSL (shows both session_ticket and pre_shared_key). To run this, adjust Header Search Paths and Library Search Paths for your local OpenSSL install. URLSession – 1st Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 512 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 508 Version: TLS 1.2 (0x0303) Random: 0502b10cf04223658... Session ID Length: 32 Session ID: e3b276b14f2deaced... Cipher Suites Length: 42 Cipher Suites (21 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 393 ... Extension: server_name (len=26) name=echo.websocket.events Extension: extended_master_secret (len=0) Extension: renegotiation_info (len=1) Extension: supported_groups (len=12) Extension: ec_point_formats (len=2) Extension: application_layer_protocol_negotiation (len=11) Extension: status_request (len=5) Extension: signature_algorithms (len=22) Extension: signed_certificate_timestamp (len=0) Extension: key_share (len=43) x25519 Extension: psk_key_exchange_modes (len=2) Extension: supported_versions (len=7) TLS 1.3, TLS 1.2 Extension: compress_certificate (len=3) ... URLSession – 2nd Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 512 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 508 Version: TLS 1.2 (0x0303) Random: 1e485f35ad66c8598... Session ID Length: 32 Session ID: 99d02000c7ed403a5... Cipher Suites Length: 42 Cipher Suites (21 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 393 ... Extension: server_name (len=26) name=echo.websocket.events Extension: extended_master_secret (len=0) Extension: renegotiation_info (len=1) Extension: supported_groups (len=12) Extension: ec_point_formats (len=2) Extension: application_layer_protocol_negotiation (len=11) Extension: status_request (len=5) Extension: signature_algorithms (len=22) Extension: signed_certificate_timestamp (len=0) Extension: key_share (len=43) x25519 Extension: psk_key_exchange_modes (len=2) Extension: supported_versions (len=7) TLS 1.3, TLS 1.2 Extension: compress_certificate (len=3) ... OpenSSL – 1st Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 1564 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1560 Version: TLS 1.2 (0x0303) Random: aec30b0aad542252... Session ID Length: 32 Session ID: f7ee7178cab8716a625... Cipher Suites Length: 60 Cipher Suites (30 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1427 Extension: renegotiation_info (len=1) Extension: server_name (len=26) name=echo.websocket.events Extension: ec_point_formats (len=4) Extension: supported_groups (len=18) Extension: session_ticket (len=0) Extension: application_layer_protocol_negotiation (len=11) Extension: encrypt_then_mac (len=0) Extension: extended_master_secret (len=0) Extension: signature_algorithms (len=54) Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 Extension: psk_key_exchange_modes (len=2) Extension: key_share (len=1258) X25519MLKEM768, x25519 OpenSSL – 2nd Client Hello Transport Layer Security TLSv1.3 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 1716 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1712 Version: TLS 1.2 (0x0303) Random: 3fb3938a88166e4eb... Session ID Length: 32 Session ID: 7f13e54a231c17ccff70... Cipher Suites Length: 60 Cipher Suites (30 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1579 Extension: renegotiation_info (len=1) Extension: server_name (len=26) name=echo.websocket.events Extension: ec_point_formats (len=4) Extension: supported_groups (len=18) Extension: session_ticket (len=0) Extension: application_layer_protocol_negotiation (len=11) Extension: encrypt_then_mac (len=0) Extension: extended_master_secret (len=0) Extension: signature_algorithms (len=54) Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 Extension: psk_key_exchange_modes (len=2) Extension: key_share (len=1258) X25519MLKEM768, x25519 Extension: pre_shared_key (len=148) Since the Client Hello is generated by the client, I believe the session_ticket should be included in the first handshake regardless of server support. However, URLSession omits it entirely. Question: How can I enable TLS Session Resumption when using URLSession?

I've built a VPN app that is based on wireguard on macOS (I have both AppStore ver. and Developer ID ver). I want to achieve split tunneling function without changing the system route table. Currently, I'm making changes in PacketTunnelProvider: NEPacketTunnelProvider. It has included/excluded routes that function as a split tunnel, just that all changes are immediately reflected on the route table: if I run netstat -rn in terminal, I would see all rules/CIDRs I added, displayed all at once. Since I have a CIDR list of ~800 entries, I'd like to avoid changing the route table directly. I've asked ChatGPT, Claude, DeepSeek, .etc. An idea was to implement an 'interceptor' to intercept all packets in packetFlow(_:readPacketsWithCompletionHandler:), extract the destination IP from each packet, check if it matches your CIDR list, and either reinject it back to the system interface (for local routing) or process it through your tunnel. Well, LLMs could have hallucinations and I've pretty new to macOS programming. I'm asking to make sure I'm on the right track, not going delusional with those LLMs :) So the question is, does the above method sounds feasible? If not, is it possible to achieve split tunneling without changing the route table?

Hi, after upgrading to MacOS Sequoia, my connection to my local IP address does not work. The issue is with the PF (MacOS advanced firewall), as I confirmed that my local application works disabling it temporarily. Does anyone know how can I do to solve this problem? As APP developer, this is a big problem for me. Thanks in advance.

I had noticed that my slaac address changed between one beta and the other, but wasn't sure. Now with the RC 15.4 RC (24E247) I made point of preserving the info before updating from the previous beta. What I noticed is that not only the slaac address changes, but also the my ether address, even though I have it on Fixed in the settings. Is it expected that the ether, and the slaac, not be rotated after a OS update?

how can I prevent handshake when certificate is user installed for example if user is using Proxyman or Charles proxy and they install their own certificates now system is trusting those certificates I wanna prevent that, and exclude those certificates that are installed by user, and accept the handshake if CA certificate is in a real valid certificate defined in OS I know this can be done in android by setting something like <network-security-config> <base-config> <trust-anchors> <certificates src="system" /> </trust-anchors> </base-config> </network-security-config>

Hi all, We've been exploring the capabilities of the Network.framework for peer-to-peer communication and have run into some behavior that we haven't been able to fully explain with the existing documentation. In our tests, we’re working with 12 iOS devices, all disconnected from Wi-Fi to force communication over Apple Wireless Direct Link (AWDL). While using the Network.framework to create peer-to-peer connections, we observed that the number of connected peers never exceeded 8, despite all 12 devices being active and configured identically. Some questions we’re hoping to get clarification or discussion on: Is there a known upper limit to the number of peer-to-peer connections supported via AWDL? Are there conditions under which the framework or system limits or throttles visible peers? Does AWDL behavior vary by hardware model, iOS version, or backgrounding state of the app? Is there any official documentation or guidance around peer discovery or connection limits when using NWBrowser and NWConnection in a peer-to-peer context? We’d appreciate any insights from the Apple engineering team or other developers who have worked with larger peer groups using Network.framework in peer-to-peer mode.