Starting with macOS 15 (Sequoia), applications that perform network discovery operations now trigger a permission prompt: "Allow [AppName] to find devices on local networks". I am using sysctl() with NET_RT_FLAGS and RTF_LLINFO to access the ARP table and retrieve gateway MAC addresses: int mib[6]; mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; mib[3] = AF_INET; mib[4] = NET_RT_FLAGS; mib[5] = RTF_LLINFO; // This flag accesses ARP table entries if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) return nil; From my testing, the Local Network Access prompt does not always appear. It looks like if the MAC address is already cached in the ARP table, no prompt is shown, and the prompt only appears when the system needs to resolve a new MAC address. Is this correct behavior? Does ARP resolution by itself triggering the prompt?

We are a Layer 3 VPN provider offering a comprehensive SASE (Secure Access Service Edge) solution that includes TLS inspection, threat protection, granular access control, and secure access to private resources. One of the key challenges we face involves TLS inspection. Many mobile applications, especially on iOS, implement certificate pinning, which causes them to fail when TLS inspection is applied. These apps expect connections to be secured with a specific certificate or trusted certificate authority, and inspection disrupts this trust model. On iOS, the current limitation is that the Packet Tunnel Provider extension does not provide visibility into the originating application (i.e., there is no API to obtain the app’s bundle ID or package name associated with a given network connection). Due to this, we are unable to dynamically determine whether TLS inspection should be bypassed for a particular app. While Apple’s Per-App VPN is one possible solution, it introduces a significant drawback: any applications that are excluded from the VPN configuration are entirely outside the VPN tunnel. This means they do not benefit from any of our SASE features — including secure access to internal resources, DNS/web content filtering, or threat detection. This limits the effectiveness of our solution in environments where both inspection and secure access are critical. We would like to understand whether iOS has any current or planned capabilities to associate a network flow (e.g., a 5-tuple: source IP, destination IP, source port, destination port, and protocol) with the originating app. Such a capability would allow us to programmatically identify certificate-pinned apps and selectively disable TLS inspection without excluding them entirely from the VPN, thereby preserving the full set of SASE protections. Is there any guidance or roadmap update from Apple that addresses this use case?

Hi, I'm developing a security-focused iOS application and would like to detect potentially suspicious rogue access points. Specifically, I need to access the BSSID of the currently connected Wi-Fi network to analyze and identify inconsistencies (e.g. multiple APs using the same SSID). I understand that access to certain network information is restricted on iOS. Is it possible to use the Network Extension framework (or any approved API) to retrieve the BSSID? If so, are there any specific entitlements or usage descriptions required to ensure App Store approval? My goal is to implement this functionality in full compliance with App Store Review Guidelines and user privacy policies.

Hello, I have a question about developing an iOS app for general public. Can such an app use DNS Proxy Provider? The TN3134: Network Extension provider deployment article states that DNS Proxy Provider has the following restriction: "per-app on managed devices". Does this imply that a DNS Proxy Provider that can be used in a regular iOS App Store app? On the other hand, NEDNSProxyProvider only works with NEAppProxyFlow, is it possible to make it NOT per-app?

I'm writing an application that implements a Bonjour service and browser for the purpose of connecting to Logic Pro and interacting with a MIDI Device Script. Because it's connecting to Logic Pro running on the same system as the application, the service and browser do not need to access anything else on the local network. I'm creating the service and browser with calls like this: err = DNSServiceRegister( &serviceRef, 0, kDNSServiceInterfaceIndexLocalOnly, "MyService", "_osc._udp", "local", nullptr, 52854, txtLen, txtRecord, static_cast<DNSServiceRegisterReply>(myCallback), context ); err = DNSServiceBrowse( &browserRef, 0, kDNSServiceInterfaceIndexLocalOnly, "_osc._udp", nullptr, static_cast<DNSServiceBrowseReply>(browserCallback), context ); Despite the fact that I'm passing in kDNSServiceInterfaceIndexLocalOnly for the network interface, it still triggers an "Allow 'Application' to find devices on local networks?" permissions prompt. How can I avoid that prompt? It is both a significant failure point (in case users don't notice it or click 'Don't Allow' by mistake) but it may also scare them away, since it strongly implies my application is scanning devices on the local network, even though it's doing no such thing!

Hi, I built a system that can detect and block Short Form Videos like Instagram Reels and Youtube Shorts. It works by connecting the iphone to a VPN and then do statistics on network packets (no decryption). I was wondering the feasibility of porting this to run on device. Functionality wise I would need: packet interception, packet drop, DNS query interception. I saw that Content filter providers could be something to look into, but then I read an article of how you would have to have a managed device which is not ideal for the end user. New to apple development, the lack of snippets and code examples is confusing.

I would like to understand the behaviour of Network framework when I have established a connection between 2 iOS devices which are connected through LAN and the same Wifi. Assumptions: Enabled includePeerToPeer. Devices are discovered and connected through Bonjour: When the connection establishes for the first time, does it automatically decide which interface to pick? I see some posts which point to Happy Eyeball algorithm but that seem to point more towards ipv4 vs ipv6 rather than Wifi vs LAN vs P2P. In the middle of a connection, if the established connection has issues, does the Network framework automatically switch to the best available interface? If not, I would assume the app will have to handle the switching in betterPathUpdateHandler callback? I’m curious what needs to be done here. Do I just create a new connection and hope that it picks the actual better path? The NWInterface.InterfaceType doesnt have a type for peer to peer wifi. Does that mean that when the interface actually switches to peer to peer, the InterfaceType will be other? It would be great if there is a workflow or example of how this needs to be handled with multiple available Interfaces.

Hello, I have encountered an issue with an iPhone 15PM with iOS 18.5. The NSHTTPCookieStorage failed to clear cookies, after clearing them, I was still able to retrieve them. However, on the same system NSHTTPCookie *cookie; NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage]; for (cookie in [storage cookies]) { [storage deleteCookie:cookie]; } NSArray *cookies = [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookiesForURL:[[self url] absoluteURL]]; // still able to get cookies,why???

Hello, We've been working on an app that uses the new NEUrlFilter API and we've got a question. Currently, the system is designed with the assumption that a single app == usecase == single remote database. But what if we would like to give the user the ability to use different blocklists? For example, the user may want to: Block scam domains Block tracking domains Block adult domains Or any composition of these 3 What should we do to give the user this option? It seems that we could differentiate different databases by using different PIR service hostnames, but that would also mean that we'll have to send several requests for the same usecase but with different PIR service hostnames (and they'll all share the same app bundle ID). Will these requests be accepted then? If not, is there an alternative? PS: By sending a request I mean submitting this form

Hi everyone, I'm building a health-focused iOS and watchOS app that uses WatchConnectivity to sync real-time heart rate and core body temperature data from iPhone to Apple Watch. While the HealthKit integration works correctly on the iPhone side, I'm facing persistent issues with WatchConnectivity — the data either doesn't arrive on the Watch, or session(_:didReceiveMessage:) never gets triggered. Here's the setup: On iPhone: Using WCSession.default.sendMessage(_:replyHandler:errorHandler:) to send real-time values every few seconds. On Apple Watch: Implemented WCSessionDelegate, and session(_:didReceiveMessage:) is supposed to update the UI. Both apps have WCSession.isSupported() checks, activate the session, and assign delegates correctly. The session state shows isPaired = true and isWatchAppInstalled = true. Bluetooth and Wi-Fi are on, both devices are unlocked and nearby. Despite all this, the Watch never receives messages in real-time. Sometimes, data comes through in bulk much later or not at all. I've double-checked Info.plist configurations and made sure background modes include "Uses Bluetooth LE accessories" and "Background fetch" where appropriate. I would really appreciate guidance on: Best practices for reliable, low-latency message delivery with WatchConnectivity. Debugging steps or sample code to validate message transmission and reception. Any pitfalls related to UI updates from the delegate method. Happy to share further details. Thanks in advance!

Question: Best Practice for NEFilterRule and NENetworkRule Initializers with Deprecated NEHostEndpoint? Hi all, I'm looking for guidance on the right way to construct an NEFilterRule that takes a NENetworkRule parameter. Reading the latest documentation, it looks like: All initializers for NENetworkRule that accept an NEHostEndpoint are now deprecated, including initWithDestinationHost:protocol: and those using the various *Network:prefix: forms. NEHostEndpoint itself is also deprecated; Apple recommends using the nw_endpoint_t type from the Network framework instead. However, NEFilterRule still requires a NENetworkRule for its initializer (docs). With all NENetworkRule initializers that take NEHostEndpoint deprecated, it’s unclear what the recommended way is to create a NENetworkRule (and thus an NEFilterRule) that matches host/domain or network traffic. What’s the proper way to construct these objects now—should we create the endpoints using nw_endpoint_t and use new/undocumented initializers, or is there an updated approach that’s considered best practice? Helpful doc links for reference: NEFilterRule docs NENetworkRule docs NWHostEndpoint (now deprecated)

Configure the App ID in the Apple Developer Portal. In the Network Extensions section, the Packet Tunnel section is not displayed How to proceed with the configuration of App ID. In the Network Extensions section: Display the Packet Tunnel section Our account is a China region account

Simulator: iPhone 16 pro (iOS 26) Minimum Deployments: iOS 16.0+, not iOS 17. Here is the demo: import SwiftUI import NetworkExtension struct ContentView: View { private var monitor = NWPathMonitor() var body: some View { VStack { Text("Hello, world!") } .task { let _ = URLSession.shared } } }

I have checked the storage space of my phone. There is still over a hundred gigabytes of space left. An error occurred when the app was checking the network interface status. The error message is as follows:Error : Error Domain=NSPOSIXErrorDomain Code=28 "No space left on device" UserInfo={_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <7DB1CBFD-B9BE-422D-9C9A-78D8FC04DC1B>.<76>, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=28, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <7DB1CBFD-B9BE-422D-9C9A-78D8FC04DC1B>.<76>" ), _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: pdp_ip0[lte], ipv4, ipv6, dns, expensive, estimated upload: 65536Bps, uses cell}

Hello all, Does anyone know how long it will take Apple to approve multicast entitlement approval after the Apple form is submitted? Any input would be appreciated. Thank you Allyson

Our app supports live streaming (RTSP, RTMP, WebRTC) functionality. After updating to the 18.5 Developer Beta version, we’ve encountered an issue where streaming over LTE is not working for customers using SKT (SK Telecom) as their carrier. Upon investigation, it seems that a similar issue might be occurring with a streaming service app called "SOOP." I would appreciate it if you could share any information regarding this bug. Thank you.

Hi, I have created an application for NFC tag scanning and read the tag data. For that, i enabled the capability: NearField Communication Tag reading. Then I added 2 tag formats in the entitlement then i added info.plist: NFCReaderUsageDescription We need to use NFC com.apple.developer.nfc.readersession.felica.systemcodes 8005 8008 0003 fe00 90b7 927a 12FC 86a7 com.apple.developer.nfc.readersession.iso7816.select-identifiers D2760000850100 D2760000850101 but even though when i run the app and tap the nfc card im getting some error: NFCTag didBecomeActive 2025-08-29 19:08:12.272278+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.282869+0530 SAFRAN_NFC[894:113520] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.284044+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling 2025-08-29 19:08:12.372116+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.381535+0530 SAFRAN_NFC[894:113378] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.382246+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling 2025-08-29 19:08:12.470667+0530 SAFRAN_NFC[894:113090] NFCTag didDetectTags 2025-08-29 19:08:12.479336+0530 SAFRAN_NFC[894:113378] [CoreNFC] -[NFCTagReaderSession _connectTag:error:]:730 Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} 2025-08-29 19:08:12.480101+0530 SAFRAN_NFC[894:113090] NFCTag restarting polling Could you please help me wha tis the issue and give solution for that?

We are developing an iOS application with a key feature designed to enhance user safety: real-time assessment of Wi-Fi network security. The "Safe Wi-Fi" feature aims to inform users about the security level of the Wi-Fi network they are currently connected to. Our goal is to provide this information seamlessly and continuously, even when the user isn't actively using the app. Currently, we've implemented this feature using a NWPathMonitor. The limitation of NWPathMonitor is that it doesn't function when the app is in a kill state. We are looking for guidance on how to achieve persistent Wi-Fi security monitoring in the background or when the app is killed. Is there any API (Public, Special API, etc) or a recommended approach that allows for real-time Wi-Fi connection monitoring (including connection changes and network details) even when the app is not actively running or is in a kill state. Thank you in advance for your help.

Hi, I developed a network extension program on macOS. I tried to update the program by changing the version number. My update process was to first turn off network filtering via "NEFilterManager.sharedManager.enabled = NO", and then use "[OSSystemExtensionRequest activationRequestForExtension:bundleid queue:dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0)];" to let the system replace the old network extension program. However, sometimes the old network extension process will become a zombie process like pid=86621 in the figure. As long as the zombie process exists, the network cannot be used. After about 10 minutes, it will be cleared and the network will be available. Restarting Wi-Fi can also clear the zombie process immediately. Why is this? How to avoid this problem?

This is the log on the publisher side. Publisher discovered the subscriber, but could not pair. Follow up is sent with response rejected