CarPlay woes. I think it's unacceptable that it silently kills an ongoing WiFi connection that has been established using ASAccessoryKit and NEHotspotHelper which is in active use. This is responsible for angry clients because their processes break a lot when they are in reach of the connected car. (And yes, they have to be in the reach of the car, because it is a diagnostic/maintenance app for cars…) Do I really need to ask my clients to unpair from CarPlay before using our app or is there another way?

Hello, I encountered a memory management issue while developing VPN functionality and would like to seek your advice. The specific phenomenon is as follows: Problem description: After multiple calls to the 'createTCPConnectToEndpoint' and 'create UDPSessionToEndpoint' interfaces to create connection objects, the application memory continues to grow. Even if the cancel interface is immediately called to actively release the object, the memory does not fall back. 3. Confirm that there is no other code referencing these objects, but the system does not seem to automatically reclaim memory. Attempted measures: Immediately call the cancel method after creating the object, and the memory is not reduced Use tools such as Profiler to monitor memory and confirm that objects have not been released. doubt: Is this phenomenon normal? Is there a known memory management mechanism (such as cache pooling) that causes delayed release? 2. Are there any other interfaces or methods (such as release, dispose) that need to be explicitly called? Supplementary Information: Development environment: [iOS 16, 14pm] Reproduction steps: After continuously creating connection objects, the memory grows without falling back. Could you please help confirm if there are any abnormalities and the correct memory release posture. Thank you for your support!

send a request and it returns with timeout Integration Team are Using Fortigate as a firewall and NGINX for some reasons so we use VPN TO Access , requests always succeed but at once it failed with timeout in randomize request not specific one we are using URLSession as a network layer when I retry the same failed request again, it success the request cannot connect apigee Sec Team concern { app session hits the security gateway with lots of SYN step to try to initiate a new session and doesn’t wait for (SYN-ACK / ACK) steps to happen to make sure the connection initiated correctly and gateway consider it flooding attack }

Hi there. How can I do for the title? URLRequest seems not to have property for protocols. NSURLSessionWebSocketTask seems to have either URLRequest or protocols, but have neither of them. What I want to do is setting both protocols and headers when using WebSocket. Should I use Network.framework instead?

Hi, I’m trying to download a remote file in the background, but I keep getting a strange behaviour where URLSession download my file indefinitely during a few minutes, without calling urlSession(_:downloadTask:didFinishDownloadingTo:) until the download eventually times out. To find out that it’s looping, I’ve observed the total bytes written on disk by implementing urlSession(_:downloadTask:didWriteData:totalBytesWritten:totalBytesExpectedToWrite:). Note that I can't know the size of the file. The server is not able to calculate the size. Below is my implementation. I create an instance of URLSession like this: private lazy var session: URLSession = { let configuration = URLSessionConfiguration.background(withIdentifier: backgroundIdentifier) configuration.isDiscretionary = false configuration.sessionSendsLaunchEvents = true return URLSession(configuration: configuration, delegate: self, delegateQueue: nil) }() My service is using async/await so I have implemented an AsyncThrowingStream : private var downloadTask: URLSessionDownloadTask? private var continuation: AsyncThrowingStream<(URL, URLResponse), Error>.Continuation? private var stream: AsyncThrowingStream<(URL, URLResponse), Error> { AsyncThrowingStream<(URL, URLResponse), Error> { continuation in self.continuation = continuation self.continuation?.onTermination = { @Sendable [weak self] data in self?.downloadTask?.cancel() } downloadTask?.resume() } } Then to start the download, I do : private func download(with request: URLRequest) async throws -> (URL, URLResponse) { do { downloadTask = session.downloadTask(with: request) for try await (url, response) in stream { return (url, response) } throw NetworkingError.couldNotBuildRequest } catch { throw error } } Then in the delegate : public func urlSession(_ session: URLSession, downloadTask: URLSessionDownloadTask, didFinishDownloadingTo location: URL) { guard let response = downloadTask.response, downloadTask.error == nil, (response as? HTTPURLResponse)?.statusCode == 200 else { continuation?.finish(throwing: downloadTask.error) return } do { let documentsURL = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask, appropriateFor: nil, create: false) let savedURL = documentsURL.appendingPathComponent(location.lastPathComponent) try FileManager.default.moveItem(at: location, to: savedURL) continuation?.yield((savedURL, response)) continuation?.finish() } catch { continuation?.finish(throwing: error) } } I also tried to replace let configuration = URLSessionConfiguration.background(withIdentifier: backgroundIdentifier) by let configuration = URLSessionConfiguration.default and this time I get a different error at the end of the download: Task <0457F755-9C52-4CFB-BDB2-F378D0C94912>.<1> failed strict content length check - expected: 0, received: 530692, received (uncompressed): 0 Task <0457F755-9C52-4CFB-BDB2-F378D0C94912>.<1> finished with error [-1005] Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=https:/<host>:8190/proxy?Func=downloadVideoByUrl&SessionId=slufzwrMadvyJad8Lkmi9RUNAeqeq, NSErrorFailingURLKey=https://<host>:8190/proxy?Func=downloadVideoByUrl&SessionId=slufzwrMadvyJad8Lkmi9RUNAeqeq, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDownloadTask <0457F755-9C52-4CFB-BDB2-F378D0C94912>.<1>" ), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDownloadTask <0457F755-9C52-4CFB-BDB2-F378D0C94912>.<1>, NSUnderlyingError=0x300d9a7c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x302139db0 [0x1fcb1f598]>{length = 16, capacity = 16, bytes = 0x10021ffe91e227500000000000000000}}}} The log "failed strict content length check” made me look into the response header, which has the following: content-length: 0 Content-Type: application/force-download Transfer-encoding: chunked Connection: KEEP-ALIVE Content-Transfer-Encoding: binary So it should be fine the way I setup my URLSession. The download works fine in Chrome/Safari/Chrome or Postman. My code used to work a couple of weeks before, so I expect something has changed on the server side, but I can’t find what, and I don’t get much help from the guys on the server side. Has anyone an idea of what’s going on?

Hello, I'm running into an issue while developing an iOS app that requires local network access. I’m using the latest MacBook Air M4 with macOS sequoia 15.5 and Xcode 16.1. In the iOS Simulator, my app fails to discover devices connected to the same local network. I’ve already added the necessary key to the Info.plist: NSLocalNetworkUsageDescription This app needs access to local network devices. When I run the app on a real device and M2 Chip Macbook's simulators, it works fine for local network permission as expected. However, in the M4 Chip Macbook's Simulator: The app can’t find any devices on the local network Bonjour/mDNS seems not to be working as well I’ve tried the following without success: Restarting Simulator and Mac Resetting network settings in Simulator Confirming app permissions under System Settings > Privacy & Security Has anyone else encountered this issue with the new Xcode/macOS combo? Is local network access just broken in the Simulator for now, or is there a workaround? Thanks in advance!

Recently, while developing a network extension on macOS, I encountered a very interesting issue. When the App Sandbox entitlement is included, the NE (Network Extension) can be called and run normally. However, when the App Sandbox is removed, with everything else remaining unchanged, an error occurs. The logs are as follows: Failed to find an app extension with identifier app.acmeVpnM.extension and extension point com.apple.networkextension.packet-tunnel: (null) Found 0 registrations for app.acmeVpnM.extension (com.apple.networkextension.packet-tunnel) If you add app sandbox, it will run normally. this is my container app entitlement this is my NE extension (without App SandBox) I want to know the reason for this. App sandbox shouldn't be mandatory. How can I make my NE run in an environment without app sandbox?

Greetings I'm trying to get on iPad the SSID from the wifi I'm connected to. For that, I added the wifi entitlement and I'm requesting permission to the user for Location. Once I have it, I'm using the function CNCopySupportedInterfaces to get the interfaces, but I can only receive the en0, which using the method CNCopyCurrentNetworkInfo returns nil. I also tried using the NEHotspotNetwork.fetchCurrent and the SSID keeps being nil. So right now I'm drawing a blank. Is there any way to make it work? Thanks.

I upgraded my Mac to Sequoia 15.4.1 an i hat to upgrade XCode to Version 16.3. I access a MQTT Broker by an sending an mosquitto_sub request to the Broker. Now its no longer possible the request fails i granted Network permission to my App

We have a setup where the system uses proxy settings configured via a PAC file. We are investigating how NWConnection behaves inside a Network Extension (NETransparentProxyProvider) with a transparent proxy configuration based on this PAC file. Scenario: The browser makes a connection which the PAC file resolves as "DIRECT" (bypassing the proxy) Our Network Extension intercepts this traffic for analysis The extension creates a new connection using NWConnection to the original remote address. The issue: despite the PAC file’s "DIRECT" decision, NWConnection still respects the system proxy settings and routes the connection through the proxy. Our questions: Is it correct that NWConnection always uses the system proxy if configured ? Does setting preferNoProxies = true guarantee bypassing the system proxy? Additionally: Whitelisting IPs in the Network Extension to avoid interception is not a viable solution because IPs may correspond to multiple services, and the extension only sees IP addresses, not domains (e.g., we want to skip scanning meet.google.com traffic but still scan other Google services on the same IP range). Are there any recommended approaches or best practices to ensure that connections initiated from a Network Extension can truly bypass the proxy (for example, for specific IP ranges or domains)?

Hi all, We've been exploring the capabilities of the Network.framework for peer-to-peer communication and have run into some behavior that we haven't been able to fully explain with the existing documentation. In our tests, we’re working with 12 iOS devices, all disconnected from Wi-Fi to force communication over Apple Wireless Direct Link (AWDL). While using the Network.framework to create peer-to-peer connections, we observed that the number of connected peers never exceeded 8, despite all 12 devices being active and configured identically. Some questions we’re hoping to get clarification or discussion on: Is there a known upper limit to the number of peer-to-peer connections supported via AWDL? Are there conditions under which the framework or system limits or throttles visible peers? Does AWDL behavior vary by hardware model, iOS version, or backgrounding state of the app? Is there any official documentation or guidance around peer discovery or connection limits when using NWBrowser and NWConnection in a peer-to-peer context? We’d appreciate any insights from the Apple engineering team or other developers who have worked with larger peer groups using Network.framework in peer-to-peer mode.

Hi, We're in the process of following Apple’s guidance on transitioning away from Packet Filter (pf) and migrating to a Network Extension-based solution that functions as a firewall. During this transition, we've encountered several limitations with the current Content Filter API and wanted to share our findings. Our VPN client relies on firewall functionality to enforce strict adherence to split tunneling rules defined via the routing table. This ensures that no traffic leaks outside the VPN tunnel, which is critical for our users for a variety of reasons. To enforce this, our product currently uses interface-scoped rules to block all non-VPN traffic outside the tunnel. Replicating this behavior with the Content Filter API (NEFilterDataProvider) appears to be infeasible today. The key limitation we've encountered is that the current Content Filter API does not expose information about the network interface associated with a flow. As a workaround, we considered using the flow’s local endpoint IP to infer the interface, but this data is not available until after returning a verdict to peek into the flow’s data—at which point the connection has already been established. This can result in connection metadata leaking outside the tunnel, which may contain sensitive information depending on the connection. What is the recommended approach for this use case? NEFilterPacketProvider? This may work, but it has a negative impact on network performance. Using a Packet Tunnel Provider and purely relying on enforceRoutes? Would this indeed ensure that no traffic can leak by targeting a specific interface or by using a second VPN extension? And more broadly—especially if no such approach is currently feasible with the existing APIs—we're interpreting TN3165 as a signal that pf should be considered deprecated and may not be available in the next major macOS release. Is that a reasonable interpretation?

I have written an App which extracts data, over WiFi, from an instrument that creates its own WiFi Hotspot. The instrument provides no internet connection. The iPad version of this App is connects fine and is assigned an IP address by DHCP server running on a MicroChip RN171 wifi module. iOS assigns an obscure IP address on a completely different subnet. I understand this is iOS' way of "Complaining" that is wasn't assigned an IP address. Consequently in the case of the iPhone I am forced to manually assign an IP address for the iPhone, the mask and the gateway. Only then is the connection successful. Anyone know why the iPhone won't talk DHCP to a WiFi module not connected to the internet? Are there perhaps some parameters that I need to adjust on either the iPhone or WiFi module?

Hello everyone, I'm trying to figure out how to transmit a UIImage (png or tiff) securely to an application running in my desktop browser (Mac or PC). The desktop application and iOS app would potentially be running on the same local network (iOS hotspot or something) or have no internet connection at all. I'm trying to securely send over an image that the running desktop app could ingest. I was thinking something like a local server securely accepting image data from an iPhone. Any suggestions ideas or where to look for more info would be greatly appreciated! Thank you for your help.

I have read all the information and forum posts about local network, such as TN3179, etc., and have added NSLocalNetworkUsageDescription, but it does not solve my problem. The problem I encountered is described as follows: Device: iOS18.1.1 Signing method: automatic Xcode debug directly runs, and the app can access 17.25.11.128 normally. However, relase run or packaged into adhoc installation, this IP cannot be accessed. There is a phenomenon that the app package of the App Store can also be used. Our test team has few iOS18+ devices, and internal testing is not possible. Please contact us as soon as possible, thank you. ======= 我已经了解了所有关于local network 相关的资料和论坛帖子，比如TN3179 等等， 已经添加了 NSLocalNetworkUsageDescription， 但是不解决我的问题。 我遇到的问题描述如下： 设备：iOS18.1.1 签名方式：自动 xcode debug 直接运行，app是可以正常访问17.25.11.128的。 但是 relase run 或者 打包成 adhoc 安装，就无法访问这个IP了。 有一个现象， App Store 的app包 也是可以的。 我们的测试团队，iOS18+的设备就没几个，还不能内部测试了。请尽快联系我们，谢谢。

i unfortunatly upgraded to Sequoia since then I see when: i select XCode ->Product->run i see Error: No route to host i cannot grant access to local network for XCode i can no longer debug my program as i did with Sonora

As a third-party application on Apple Watch, can it be located in the same LAN httpServer? Currently, when testing to initiate an http request in the LAN, the connection timeout is returned, code: -1001 self.customSession.request("http://10.15.48.191:9000/hello").response { response in switch response.result { case .success(let data): dlog("✅ 请求成功，收到数据：") if let html = String(data: data ?? Data(), encoding: .utf8) { dlog(html) } case .failure(let error): dlog("❌ 请求失败：\(error.localizedDescription)") } } 执行后报错 Task <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1> finished with error [-1001] Error Domain=NSURLErrorDomain Code=-1001 "请求超时。" UserInfo={_kCFStreamErrorCodeKey=-2102, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>", "LocalDataPDTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>", "LocalDataTask <B71BE820-FD0E-4880-A6DD-1F8F6EAF98B0>.<1>" ), NSLocalizedDescription=请求超时。, _kCFStreamErrorDomainKey=4, NSErrorFailingURLStringKey=http://10.15.48.191:9000/hello, NSErrorFailingURLKey=http://10.15.48.191:9000/hello}

We are implementing a connection between iPad and iPhone devices using LocalPushConnectivity, and have introduced SimplePushProvider into the project. We will have it switch between roles of Server and Client within a single project. ※ iPad will be Server and the iPhone will be Client. Communication between Server and Client is via TLS, with Server reading p12 file and Client setting public key. Currently, a TLS error code of "-9836" (invalid protocol version) is occurring when communicating from Client's SimplePushProvider to Server. I believe that Client is sending TLS1.3, and Server is set to accept TLS1.2 to 1.3. Therefore, I believe that the actual error is not due to TLS protocol version, but is an error that is related to security policy or TLS communication setting. Example: P12 file does not meet some requirement NWProtocolTLS.Options setting is insufficient etc... I'm not sure what the problem is, so please help. For reference, I will attach you implementation of TLS communication settings. P12 file is self-signed and was created by exporting it from Keychain Access. Test environment: iPad (OS: 16.6) iPhone (OS: 18.3.2) ConnectionOptions: TLS communication settings public enum ConnectionOptions { public enum TCP { public static var options: NWProtocolTCP.Options { let options = NWProtocolTCP.Options() options.noDelay = true options.enableFastOpen return options } } public enum TLS { public enum Error: Swift.Error { case invalidP12 case unableToExtractIdentity case unknown } public class Server { public let p12: URL public let passphrase: String public init(p12 url: URL, passphrase: String) { self.p12 = url self.passphrase = passphrase } public var options: NWProtocolTLS.Options? { guard let data = try? Data(contentsOf: p12) else { return nil } let pkcs12Options = [kSecImportExportPassphrase: passphrase] var importItems: CFArray? let status = SecPKCS12Import(data as CFData, pkcs12Options as CFDictionary, &amp;importItems) guard status == errSecSuccess, let items = importItems as? [[String: Any]], let importItemIdentity = items.first?[kSecImportItemIdentity as String], let identity = sec_identity_create(importItemIdentity as! SecIdentity) else { return nil } let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_local_identity(options.securityProtocolOptions, identity) sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t.RSA_WITH_AES_128_GCM_SHA256) return options } } public class Client { public let publicKeyHash: String private let dispatchQueue = DispatchQueue(label: "ConnectionParameters.TLS.Client.dispatchQueue") public init(publicKeyHash: String) { self.publicKeyHash = publicKeyHash } // Attempt to verify the pinned certificate. public var options: NWProtocolTLS.Options { let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_verify_block( options.securityProtocolOptions, verifyClosure, dispatchQueue ) return options } private func verifyClosure( secProtocolMetadata: sec_protocol_metadata_t, secTrust: sec_trust_t, secProtocolVerifyComplete: @escaping sec_protocol_verify_complete_t ) { let trust = sec_trust_copy_ref(secTrust).takeRetainedValue() guard let serverPublicKeyData = publicKey(from: trust) else { secProtocolVerifyComplete(false) return } let keyHash = cryptoKitSHA256(data: serverPublicKeyData) guard keyHash == publicKeyHash else { // Presented certificate doesn't match. secProtocolVerifyComplete(false) return } // Presented certificate matches the pinned cert. secProtocolVerifyComplete(true) } private func cryptoKitSHA256(data: Data) -&gt; String { let rsa2048Asn1Header: [UInt8] = [ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00 ] let data = Data(rsa2048Asn1Header) + data let hash = SHA256.hash(data: data) return Data(hash).base64EncodedString() } private func publicKey(from trust: SecTrust) -&gt; Data? { guard let certificateChain = SecTrustCopyCertificateChain(trust) as? [SecCertificate], let serverCertificate = certificateChain.first else { return nil } let publicKey = SecCertificateCopyKey(serverCertificate) return SecKeyCopyExternalRepresentation(publicKey!, nil)! as Data } } } }

Hello, I have encountered an issue with an iPhone 15PM with iOS 18.5. The NSHTTPCookieStorage failed to clear cookies, but even after clearing them, I was still able to retrieve them. However, on the same system It is normal on iPhone 14PM. I would like to know the specific reason and whether there are any adaptation related issues. Following code: NSHTTPCookie *cookie; NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage]; for (cookie in [storage cookies]) { [storage deleteCookie:cookie]; }

Hi! I'm working on a solution (iOS 18) that uses Network Extensions PacketTunnelProvider and Content Filter. Currently I'm trying to integrate it with another extension – DNSProxyProvider. My goal is to process dns queries and use resolved ips and names for additional routing inside of the packet tunnel. I'm running into a major issue: whenever both VPN and DNS proxy are active simultaneously, the device completely loses internet connectivity — no traffic goes through, and DNS resolution seems to stop working entirely. I know about the mdm supervision requirement to use DNSProxyProvider and that's covered as I work with a managed device and install a DNS proxy profile, here's how its .mobileconfig file looks like: The DNS proxy itself works fine when working by itself (without VPN being turned on), as I implemented it that it successfully processes DNS packets flows while collecting information about domains etc, and everything works perfectly. Problems begin when using VPN at the same time. I'm aware that tunnel settings include dns related options that can affect this, but I haven't had much luck with tweaking them. Here's how they look right now for reference: let settings: NEPacketTunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "240.0.0.1") // let dnsSettings = NEDNSSettings(servers: "8.8.8.8,8.8.4.4".components(separatedBy: ",")) // dnsSettings.matchDomains = [""] // settings.dnsSettings = dnsSettings settings.proxySettings = nil /* ipv4 settings */ let ipv4Settings = NEIPv4Settings(addresses: ["240.0.0.2"], subnetMasks: ["255.255.255.0"]) ipv4Settings.includedRoutes = [NEIPv4Route.default()] settings.ipv4Settings = ipv4Settings /* MTU */ settings.mtu = 1500 return settings I've tried excluding some dns related ip routes and dns settings shenanigans but nothing. I haven't found any information that might suggest that using both of these extensions at the same time doesn't work, on the contrary, this page in the official documentation about the expected use of packet tunnel provider the expected use of packet tunnel provider, as it talks about the fact that you should not use it for interception of all of DNS traffic, as the use of DNSPRoxyProvider (or dns settings) are built for that, which in my mind, suggests that there should be no problem with using them both and just splitting the dns traffic handling to the proxy. Will be thankful for any help!