DEV Community: Dmytro Tishchenko The latest articles on DEV Community by Dmytro Tishchenko (@dtisch). https://dev.to/dtisch https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3942885%2F7a15f5d0-d6ca-44f9-8822-4ba564ac2601.png DEV Community: Dmytro Tishchenko https://dev.to/dtisch en What I learned building 9 network tools on iOS without entitlements Dmytro Tishchenko Thu, 04 Jun 2026 09:08:23 +0000 https://dev.to/dtisch/what-i-learned-building-9-network-tools-on-ios-without-entitlements-10ii https://dev.to/dtisch/what-i-learned-building-9-network-tools-on-ios-without-entitlements-10ii <p>A few weeks ago I shipped NetDiag+, an iOS network toolkit — ping, traceroute,<br> DNS, whois, port/LAN scan — built entirely on BSD sockets through C-interop, with<br> <strong>no private entitlements</strong>. <a href="https://dev.to/dtisch/how-i-implemented-ping-and-traceroute-on-ios-without-entitlements-2fm">I wrote up the ping/traceroute internals here</a>.</p> <p>Then I spent a month adding <strong>9 more tools</strong>. I expected "more of the same" — wrap a<br> socket, draw a SwiftUI list. Instead almost every tool turned into its own little<br> research project. Here are the parts that surprised me.</p> <h3> 1. MTR — a continuous traceroute that can't be slow </h3> <p><code>mtr</code> keeps probing every hop and accumulates per-hop loss + RTT stats. My first<br> version probed hops <strong>sequentially</strong>: TTL=1, wait for reply or timeout, TTL=2, wait…<br> On a 12-hop path where a couple of routers rate-limit ICMP, one cycle took <strong>5-7<br> seconds</strong>. Set the interval to "1 second" and the cycle counter ticks every five.</p> <p>Fix: fire all probes in a cycle <strong>at once</strong> and collect replies in a single window.<br> The trick is matching an incoming ICMP reply to the TTL that triggered it. I give<br> each probe a unique destination UDP port (<code>base + ttl + cycle_offset</code>). When a router<br> returns ICMP Time Exceeded it includes the first bytes of the original packet — UDP<br> header included — so I demultiplex on that port:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="c1">/// Pull the dest port out of the UDP header embedded in an ICMP Time-Exceeded</span> <span class="c1">/// error, so we know which outstanding probe this reply belongs to.</span> <span class="kd">static</span> <span class="kd">func</span> <span class="nf">extractInnerDestPort</span><span class="p">(</span><span class="n">from</span> <span class="nv">data</span><span class="p">:</span> <span class="kt">Data</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kt">UInt16</span><span class="p">?</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">bytes</span> <span class="o">=</span> <span class="kt">Array</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">let</span> <span class="nv">icmpHeader</span> <span class="o">=</span> <span class="mi">8</span> <span class="k">guard</span> <span class="n">bytes</span><span class="o">.</span><span class="n">count</span> <span class="o">&gt;</span> <span class="n">icmpHeader</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">nil</span> <span class="p">}</span> <span class="k">let</span> <span class="nv">ihlBytes</span> <span class="o">=</span> <span class="kt">Int</span><span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="n">icmpHeader</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x0F</span><span class="p">)</span> <span class="o">*</span> <span class="mi">4</span> <span class="c1">// inner IP header length</span> <span class="k">guard</span> <span class="n">ihlBytes</span> <span class="o">&gt;=</span> <span class="mi">20</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">nil</span> <span class="p">}</span> <span class="k">let</span> <span class="nv">innerUDP</span> <span class="o">=</span> <span class="n">icmpHeader</span> <span class="o">+</span> <span class="n">ihlBytes</span> <span class="k">guard</span> <span class="n">bytes</span><span class="o">.</span><span class="n">count</span> <span class="o">&gt;=</span> <span class="n">innerUDP</span> <span class="o">+</span> <span class="mi">4</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">nil</span> <span class="p">}</span> <span class="nf">return</span> <span class="p">(</span><span class="kt">UInt16</span><span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="n">innerUDP</span> <span class="o">+</span> <span class="mi">2</span><span class="p">])</span> <span class="o">&lt;&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="o">|</span> <span class="kt">UInt16</span><span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="n">innerUDP</span> <span class="o">+</span> <span class="mi">3</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>Now cycle time ≈ <code>probeTimeout</code>, independent of how many hops are timing out.</p> <p>For the stats, storing every RTT and recomputing stddev leaks memory in a tool that<br> runs forever. <strong>Welford's online algorithm</strong> updates mean + variance in O(1):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="n">recv</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">let</span> <span class="nv">delta</span> <span class="o">=</span> <span class="n">rttMs</span> <span class="o">-</span> <span class="n">mean</span> <span class="n">mean</span> <span class="o">+=</span> <span class="n">delta</span> <span class="o">/</span> <span class="kt">Double</span><span class="p">(</span><span class="n">recv</span><span class="p">)</span> <span class="n">m2</span> <span class="o">+=</span> <span class="n">delta</span> <span class="o">*</span> <span class="p">(</span><span class="n">rttMs</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="c1">// ...</span> <span class="k">var</span> <span class="nv">stdDevMs</span><span class="p">:</span> <span class="kt">Double</span><span class="p">?</span> <span class="p">{</span> <span class="k">guard</span> <span class="n">recv</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">nil</span> <span class="p">}</span> <span class="nf">return</span> <span class="p">(</span><span class="n">m2</span> <span class="o">/</span> <span class="kt">Double</span><span class="p">(</span><span class="n">recv</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span><span class="o">.</span><span class="nf">squareRoot</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Path MTU — the obvious approach silently lied </h3> <p>Path MTU = the largest packet that reaches the destination unfragmented. Classic VPN<br> debugging: if your tunnel caps MTU at 1420 and the app sends 1500 with DF set, packets<br> vanish and "the internet works but half the sites don't load."</p> <p>The algorithm is a binary search: send a Don't-Fragment packet of growing size, watch<br> for ICMP "Fragmentation Needed." My first version sent <strong>UDP</strong> to a random high port<br> and treated ICMP Port Unreachable as the "it arrived" signal.</p> <p>Testing against <code>1.1.1.1</code> it reported <strong>Path MTU = 688 bytes</strong> — nonsense. Cloudflare<br> (like most well-run hosts) <strong>silently drops</strong> UDP to random ports, so Port Unreachable<br> never comes back. Every timeout looked like "too big" and the search converged on junk.</p> <p>Rewrote it on <strong>ICMP Echo with DF</strong>. Public hosts answer pings reliably, so "it fit"<br> became a real signal. And when a router returns Frag-Needed it includes its <strong>next-hop<br> MTU</strong> (RFC 1191), so you can jump straight to the answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">static</span> <span class="kd">func</span> <span class="nf">extractNextHopMTU</span><span class="p">(</span><span class="n">from</span> <span class="nv">data</span><span class="p">:</span> <span class="kt">Data</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kt">Int</span><span class="p">?</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">bytes</span> <span class="o">=</span> <span class="kt">Array</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">guard</span> <span class="n">bytes</span><span class="o">.</span><span class="n">count</span> <span class="o">&gt;=</span> <span class="mi">8</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">nil</span> <span class="p">}</span> <span class="k">let</span> <span class="nv">mtu</span> <span class="o">=</span> <span class="p">(</span><span class="kt">UInt16</span><span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="mi">6</span><span class="p">])</span> <span class="o">&lt;&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="o">|</span> <span class="kt">UInt16</span><span class="p">(</span><span class="n">bytes</span><span class="p">[</span><span class="mi">7</span><span class="p">])</span> <span class="k">return</span> <span class="n">mtu</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">?</span> <span class="kt">Int</span><span class="p">(</span><span class="n">mtu</span><span class="p">)</span> <span class="p">:</span> <span class="kc">nil</span> <span class="p">}</span> </code></pre> </div> <p>Bonus: the discovered value hints at the link type — 1492 → PPPoE, 1480 → GRE,<br> 1420-1440 → WireGuard, 1400 → OpenVPN/IPSec.</p> <h3> 3. Site Reach — TCP success doesn't mean "reachable" </h3> <p>A tool that checks whether popular sites are reachable. Naive version: TCP-connect to<br> 443, success = "reachable." That <strong>misses the dominant modern block</strong>.</p> <p>National/corporate DPI often lets the TCP handshake complete and only injects RST after<br> seeing the forbidden hostname in the <strong>SNI</strong> field of the TLS Client Hello. From the<br> device's view, TCP <strong>connected</strong> — so a TCP-only probe reports "reachable" while HTTPS<br> is actually dead.</p> <p>To catch it, go all the way to the TLS handshake. Two probes, compared:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>TCP</th> <th>TLS</th> <th>Verdict</th> </tr> </thead> <tbody> <tr> <td>fail</td> <td>fail</td> <td>IP block (or DNS pointing at a dead IP)</td> </tr> <tr> <td><strong>ok</strong></td> <td><strong>fail</strong></td> <td> <strong>SNI / TLS block</strong> — DPI killed the Client Hello by hostname</td> </tr> <tr> <td>ok</td> <td>ok</td> <td>actually reachable</td> </tr> </tbody> </table></div> <p>The TLS probe uses <code>NWConnection</code> with <code>NWProtocolTLS</code>, which sets SNI to the<br> connection's hostname automatically — exactly what trips SNI-aware DPI. Flagged sites<br> get an "SNI" badge so they're distinct from plain unreachable ones.</p> <h3> The other six, briefly </h3> <ul> <li> <strong>TLS Inspector</strong> — probes TLS 1.0–1.3 in parallel (one <code>NWConnection</code> per version, min/max pinned), shows the negotiated cipher, flags deprecated 1.0/1.1 and weak ciphers.</li> <li> <strong>Encrypted DNS</strong> — resolves a domain over DoH and DoT at Cloudflare/Google/Quad9/ NextDNS, compares answers + latency. Hand-rolled minimal DNS wire codec.</li> <li> <strong>STUN / NAT</strong> — real RFC 5389 Binding Request to several servers, parses XOR-Mapped-Address, classifies NAT (Open / Cone / Symmetric) by whether the external port differs per server. The signal for whether VoIP/WebRTC/P2P will work.</li> <li> <strong>Bonjour browser</strong> — <code>NWBrowser</code> over ~20 mDNS service types (AirPlay, Chromecast, HomeKit, printers) with TXT-record parsing.</li> <li> <strong>HTTP/3 (QUIC)</strong> — real QUIC handshake via <code>NWConnection</code> + <code>NWProtocolQUIC</code> with ALPN "h3" on UDP/443. URLSession won't attempt QUIC without a cached Alt-Svc hint, so this is the only honest way to check whether your network passes QUIC.</li> <li> <strong>IPv6 Check</strong> — local v6 enumeration with tunnel awareness (utun → iCloud Private Relay / NAT66), NAT64/DNS64 detection (RFC 7050), v4-vs-v6 latency.</li> </ul> <h3> Four takeaways </h3> <ol> <li> <strong>The "obvious" probe usually lies.</strong> UDP-to-random-port (Path MTU), TCP-only (Site Reach) — both give false results on real networks. Only a real protocol exchange — ICMP Echo with DF, a full TLS handshake — tells the truth.</li> <li> <strong>Raw ICMP/UDP on iOS is more accessible than you'd think</strong> — a <code>SOCK_DGRAM</code> ICMP socket needs no entitlements and covers ping, traceroute, MTR, Path MTU. Raw SYN, ARP, and packet capture are still off-limits.</li> <li> <strong>Test on two networks.</strong> Half my bugs only showed up comparing a clean European Wi-Fi against a cellular CGNAT/symmetric-NAT link — the false "blocks" lived there.</li> <li> <strong><code>Network.framework</code> is the right tool for TLS/QUIC.</strong> Where ICMP means BSD sockets, TLS Inspector and HTTP/3 are cleaner with <code>NWConnection</code>: version pinning, ALPN, a real QUIC handshake — all built in.</li> </ol> <p>Everything still runs without private entitlements and collects no data — results stay<br> on the device.</p> <p>NetDiag+ on the App Store: <a href="https://apps.apple.com/app/id6761954529" rel="noopener noreferrer">https://apps.apple.com/app/id6761954529</a> (12 languages, 25 tools)</p> <p>Happy to answer implementation questions in the comments.</p> ios networking swift security How I implemented ping and traceroute on iOS without entitlements Dmytro Tishchenko Thu, 21 May 2026 10:51:49 +0000 https://dev.to/dtisch/how-i-implemented-ping-and-traceroute-on-ios-without-entitlements-2fm https://dev.to/dtisch/how-i-implemented-ping-and-traceroute-on-ios-without-entitlements-2fm <p>I just shipped v1.3 of a network diagnostics app I've been building on evenings and weekends — NetDiag+. It does ping, traceroute, DNS lookups, whois, LAN scanning, port scanning, SSL cert checking, BGP/ASN lookups, plus a host monitor that does background pings and pushes a notification when something goes down.</p> <p>Stack: pure SwiftUI, iOS 16+, Swift Concurrency throughout, Darwin C-interop where it has to be. No third-party networking libraries — everything on raw BSD sockets through C-interop.</p> <p>Wanted to share the implementation notes I would have appreciated finding myself when I started. A few things on iOS work differently than you'd expect from a Unix background, and the gotchas aren't where you think they are.</p> <p>Spoiler on conclusions: the most painful part wasn't networking, it was integrating Google's UMP consent SDK for AdMob.</p> <h2> ICMP ping without entitlements </h2> <p>The first surprise: on iOS, you can open an ICMP socket <strong>without any special entitlement and without root</strong>, which is something you'd need <code>CAP_NET_RAW</code> or setuid for on Linux. Apple exposed this to regular sandboxed processes through <code>SOCK_DGRAM</code> (not <code>SOCK_RAW</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">final</span> <span class="kd">class</span> <span class="kt">ICMPSocket</span> <span class="p">{</span> <span class="kd">private</span> <span class="k">let</span> <span class="nv">fd</span><span class="p">:</span> <span class="kt">Int32</span> <span class="nf">init</span><span class="p">()</span> <span class="k">throws</span> <span class="p">{</span> <span class="n">fd</span> <span class="o">=</span> <span class="nf">socket</span><span class="p">(</span><span class="kt">AF_INET</span><span class="p">,</span> <span class="kt">SOCK_DGRAM</span><span class="p">,</span> <span class="kt">IPPROTO_ICMP</span><span class="p">)</span> <span class="k">guard</span> <span class="n">fd</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="kt">SocketError</span><span class="o">.</span><span class="nf">creationFailed</span><span class="p">(</span><span class="n">errno</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">deinit</span> <span class="p">{</span> <span class="nf">close</span><span class="p">(</span><span class="n">fd</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>This is the same model macOS <code>ping(8)</code> has used since some old version when Apple dropped the setuid bit. The kernel writes the correct ICMP header for you (type/code/checksum for echo request), and rewrites the identifier to one it generates. That last bit is the first gotcha: on recv you don't get back the identifier you sent, so the standard logic of matching responses by identifier doesn't work.</p> <p>The fix: match on <strong>sequence number and payload</strong>. I put my own marker in the payload and verify it on receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="c1">// Send</span> <span class="k">var</span> <span class="nv">header</span> <span class="o">=</span> <span class="kt">ICMPHeader</span><span class="p">()</span> <span class="n">header</span><span class="o">.</span><span class="n">type</span> <span class="o">=</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">echoRequest</span><span class="o">.</span><span class="n">rawValue</span> <span class="n">header</span><span class="o">.</span><span class="n">code</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">header</span><span class="o">.</span><span class="n">identifier</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1">// kernel will overwrite</span> <span class="n">header</span><span class="o">.</span><span class="n">sequence</span> <span class="o">=</span> <span class="n">currentSequence</span><span class="o">.</span><span class="n">bigEndian</span> <span class="k">let</span> <span class="nv">payload</span> <span class="o">=</span> <span class="nf">makePayload</span><span class="p">(</span><span class="nv">sequence</span><span class="p">:</span> <span class="n">currentSequence</span><span class="p">)</span> <span class="k">let</span> <span class="nv">packet</span> <span class="o">=</span> <span class="n">header</span><span class="o">.</span><span class="n">bytes</span> <span class="o">+</span> <span class="n">payload</span> <span class="k">try</span> <span class="n">socket</span><span class="o">.</span><span class="nf">send</span><span class="p">(</span><span class="nv">data</span><span class="p">:</span> <span class="n">packet</span><span class="p">,</span> <span class="nv">to</span><span class="p">:</span> <span class="n">address</span><span class="p">)</span> <span class="c1">// Receive</span> <span class="k">let</span> <span class="p">(</span><span class="nv">data</span><span class="p">,</span> <span class="nv">fromIP</span><span class="p">)</span> <span class="o">=</span> <span class="k">try</span> <span class="n">socket</span><span class="o">.</span><span class="nf">receive</span><span class="p">()</span> <span class="k">guard</span> <span class="k">let</span> <span class="nv">received</span> <span class="o">=</span> <span class="kt">ICMPHeader</span><span class="o">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">data</span><span class="p">),</span> <span class="n">received</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">echoReply</span><span class="o">.</span><span class="n">rawValue</span><span class="p">,</span> <span class="n">received</span><span class="o">.</span><span class="n">sequence</span> <span class="o">==</span> <span class="n">currentSequence</span><span class="o">.</span><span class="n">bigEndian</span> <span class="k">else</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> </code></pre> </div> <p>Second gotcha: timeouts. <code>recvfrom</code> without <code>SO_RCVTIMEO</code> blocks indefinitely, which in Swift Concurrency means a stuck Task you then can't cancel cleanly. So I set a recv timeout on the socket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">func</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nv">seconds</span><span class="p">:</span> <span class="kt">Double</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="nv">tv</span> <span class="o">=</span> <span class="nf">timeval</span><span class="p">(</span> <span class="nv">tv_sec</span><span class="p">:</span> <span class="kt">Int</span><span class="p">(</span><span class="n">seconds</span><span class="p">),</span> <span class="nv">tv_usec</span><span class="p">:</span> <span class="kt">Int32</span><span class="p">((</span><span class="n">seconds</span><span class="o">.</span><span class="nf">truncatingRemainder</span><span class="p">(</span><span class="nv">dividingBy</span><span class="p">:</span> <span class="mi">1</span><span class="p">))</span> <span class="o">*</span> <span class="mi">1_000_000</span><span class="p">)</span> <span class="p">)</span> <span class="nf">setsockopt</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="kt">SOL_SOCKET</span><span class="p">,</span> <span class="kt">SO_RCVTIMEO</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">tv</span><span class="p">,</span> <span class="nf">socklen_t</span><span class="p">(</span><span class="kt">MemoryLayout</span><span class="o">&lt;</span><span class="n">timeval</span><span class="o">&gt;.</span><span class="n">size</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>On <code>EAGAIN</code>/<code>EWOULDBLOCK</code> I throw my own <code>SocketError.timeout</code>, which higher up in the stack becomes a normal "timeout" hop in the result list.</p> <p>Apple's SimplePing sample is the OG reference here — it's Objective-C, dated, but you can crib a lot from it. I ended up writing my own thin wrapper because SimplePing doesn't play nicely with modern Swift Concurrency and gets awkward for multi-host pings. No regrets.</p> <h2> Traceroute that actually works </h2> <p>Standard Unix traceroute has three flavors: ICMP echo (the Windows <code>tracert</code> style), UDP to closed ports (classic BSD), or TCP SYN (paris-traceroute, traceroute-tcp).</p> <p>I tried the ICMP variant first. The idea is straightforward — send ICMP echo with a low TTL, listen for ICMP Time Exceeded from an intermediate hop, increment TTL. On paper, fine. In practice I hit two problems on iOS:</p> <ol> <li> <strong><code>setsockopt(IP_TTL)</code> on a SOCK_DGRAM ICMP socket behaves inconsistently.</strong> Some networks worked, others wouldn't return Time Exceeded reliably.</li> <li> <strong>Matching incoming responses.</strong> On receive you get back an ICMP Time Exceeded, and the inner payload contains the original packet you sent. Matching the response to a specific TTL step means parsing inner payloads, which felt fragile.</li> </ol> <p>So I switched to the classic BSD approach: UDP packets to closed ports with incrementing TTL, with a passive ICMP socket listening for Time Exceeded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="k">let</span> <span class="nv">icmpSock</span> <span class="o">=</span> <span class="k">try</span> <span class="kt">ICMPSocket</span><span class="p">()</span> <span class="c1">// receive-only</span> <span class="n">icmpSock</span><span class="o">.</span><span class="nf">setTimeout</span><span class="p">(</span><span class="nv">seconds</span><span class="p">:</span> <span class="n">timeout</span><span class="p">)</span> <span class="k">for</span> <span class="n">ttl</span> <span class="k">in</span> <span class="mi">1</span><span class="o">...</span><span class="n">maxHops</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">udpSock</span> <span class="o">=</span> <span class="k">try</span> <span class="kt">UDPSocket</span><span class="p">()</span> <span class="n">udpSock</span><span class="o">.</span><span class="nf">setTTL</span><span class="p">(</span><span class="n">ttl</span><span class="p">)</span> <span class="k">var</span> <span class="nv">dest</span> <span class="o">=</span> <span class="n">address</span> <span class="n">dest</span><span class="o">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="p">(</span><span class="n">port</span> <span class="o">+</span> <span class="kt">UInt16</span><span class="p">(</span><span class="n">ttl</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span><span class="o">.</span><span class="n">bigEndian</span> <span class="c1">// 33434, 33435, ...</span> <span class="k">let</span> <span class="nv">probe</span> <span class="o">=</span> <span class="kt">Data</span><span class="p">(</span><span class="nv">repeating</span><span class="p">:</span> <span class="mh">0x40</span><span class="p">,</span> <span class="nv">count</span><span class="p">:</span> <span class="mi">32</span><span class="p">)</span> <span class="k">let</span> <span class="nv">sendTime</span> <span class="o">=</span> <span class="kt">CFAbsoluteTimeGetCurrent</span><span class="p">()</span> <span class="k">try</span> <span class="n">udpSock</span><span class="o">.</span><span class="nf">send</span><span class="p">(</span><span class="nv">data</span><span class="p">:</span> <span class="n">probe</span><span class="p">,</span> <span class="nv">to</span><span class="p">:</span> <span class="n">dest</span><span class="p">)</span> <span class="k">let</span> <span class="p">(</span><span class="nv">data</span><span class="p">,</span> <span class="nv">fromIP</span><span class="p">)</span> <span class="o">=</span> <span class="k">try</span> <span class="n">icmpSock</span><span class="o">.</span><span class="nf">receive</span><span class="p">()</span> <span class="k">let</span> <span class="nv">rtt</span> <span class="o">=</span> <span class="kt">CFAbsoluteTimeGetCurrent</span><span class="p">()</span> <span class="o">-</span> <span class="n">sendTime</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The 33434+TTL port choice is <code>traceroute(8)</code>'s historical pick from the 80s — those ports are unlikely to be open on the destination, so you're guaranteed to get either ICMP Time Exceeded from an intermediate hop or ICMP Port Unreachable from the destination, and both cases are handled uniformly.</p> <p>Key insight: <strong>UDP_TTL works fine on iOS</strong> via <code>setsockopt(IP_TTL)</code>, unlike the ICMP variant. The ICMP socket is purely a passive receiver — we never send from it, only read incoming Time Exceeded packets.</p> <p>Final hop detection is two-way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="k">let</span> <span class="nv">isFinal</span> <span class="o">=</span> <span class="n">fromIP</span> <span class="o">==</span> <span class="n">destIP</span> <span class="o">||</span> <span class="n">header</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">destinationUnreachable</span><span class="o">.</span><span class="n">rawValue</span> </code></pre> </div> <p>Either the response came from the destination IP (meaning it sent us Port Unreachable), or the ICMP type is Destination Unreachable.</p> <h2> LAN scanner: no ARP for you </h2> <p>This is where iOS cuts harder. You <strong>don't get the system ARP table</strong> in userspace. There's no <code>getarp()</code>, no <code>/proc/net/arp</code> like on Linux. So the obvious "read the ARP table and list neighbors" idea is dead on arrival.</p> <p>What you do get:</p> <ol> <li> <strong>Concurrent TCP connect</strong> on common ports (80, 443, 22, 8080, etc). If a host responds (SYN+ACK or RST), it's alive. Raw SYN is locked down — only a full TCP handshake works.</li> <li> <strong>mDNS / Bonjour discovery</strong> via <code>NetServiceBrowser</code> or <code>NWBrowser</code>. Partial coverage — only sees devices that advertise services.</li> <li> <strong><code>NSLocalNetworkUsageDescription</code></strong> in Info.plist is <strong>mandatory</strong>. Without it, the first attempt to connect to a local IP triggers a "Local Network Access" alert, and nothing works until the user answers. Burned half an evening figuring this out the first time.</li> </ol> <p>I went with the TCP connect approach via <code>withThrowingTaskGroup</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">private</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">maxConcurrentProbes</span> <span class="o">=</span> <span class="mi">20</span> <span class="kd">func</span> <span class="nf">discoverHosts</span><span class="p">(</span><span class="nv">localIP</span><span class="p">:</span> <span class="kt">String</span><span class="p">,</span> <span class="nv">subnetMask</span><span class="p">:</span> <span class="kt">String</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kt">AsyncThrowingStream</span><span class="o">&lt;</span><span class="kt">LANDevice</span><span class="p">,</span> <span class="kt">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kt">AsyncThrowingStream</span> <span class="p">{</span> <span class="n">continuation</span> <span class="k">in</span> <span class="kt">Task</span><span class="o">.</span><span class="n">detached</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">range</span> <span class="o">=</span> <span class="k">Self</span><span class="o">.</span><span class="nf">calculateSubnetRange</span><span class="p">(</span><span class="nv">ip</span><span class="p">:</span> <span class="n">localIP</span><span class="p">,</span> <span class="nv">mask</span><span class="p">:</span> <span class="n">subnetMask</span><span class="p">)</span> <span class="k">try</span> <span class="k">await</span> <span class="nf">withThrowingTaskGroup</span><span class="p">(</span><span class="nv">of</span><span class="p">:</span> <span class="kt">LANDevice</span><span class="p">?</span><span class="o">.</span><span class="k">self</span><span class="p">)</span> <span class="p">{</span> <span class="n">group</span> <span class="k">in</span> <span class="k">var</span> <span class="nv">activeCount</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">ip</span> <span class="k">in</span> <span class="n">range</span> <span class="p">{</span> <span class="k">if</span> <span class="n">activeCount</span> <span class="o">&gt;=</span> <span class="k">Self</span><span class="o">.</span><span class="n">maxConcurrentProbes</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">device</span> <span class="o">=</span> <span class="k">try</span><span class="p">?</span> <span class="k">await</span> <span class="n">group</span><span class="o">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">d</span> <span class="o">=</span> <span class="n">device</span> <span class="p">{</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">yield</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="n">activeCount</span> <span class="o">-=</span> <span class="mi">1</span> <span class="p">}</span> <span class="n">group</span><span class="o">.</span><span class="n">addTask</span> <span class="p">{</span> <span class="k">try</span> <span class="k">await</span> <span class="k">Self</span><span class="o">.</span><span class="nf">probeHost</span><span class="p">(</span><span class="nv">ip</span><span class="p">:</span> <span class="n">ip</span><span class="p">)</span> <span class="p">}</span> <span class="n">activeCount</span> <span class="o">+=</span> <span class="mi">1</span> <span class="p">}</span> <span class="k">for</span> <span class="k">try</span> <span class="k">await</span> <span class="n">device</span> <span class="k">in</span> <span class="n">group</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">d</span> <span class="o">=</span> <span class="n">device</span> <span class="p">{</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">yield</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">finish</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One <code>connect()</code> to port 80 with a 500ms timeout per IP across a /24 — the host responds with SYN+ACK (alive), RST (alive but port closed, also counts as alive), or times out (dead or filtered). With <code>maxConcurrentProbes = 20</code> the whole /24 finishes in 2-3 seconds.</p> <p>iOS 17 gotcha: the "Local Network Access" alert shows only once. If the user denies it, subsequent <code>connect()</code> calls just silently time out, with no clear error. Had to add a UI hint nudging the user to Settings.</p> <h2> Host monitor: BGTaskScheduler as it is </h2> <p>The most engineering-painful part of the app. The user-facing requirement: "I add hosts to monitor, and if one goes down I get a push, like UptimeRobot." On iOS you can't do this properly because:</p> <ol> <li> <strong>No persistent background thread.</strong> iOS kills your app ~30 seconds after backgrounding.</li> <li> <strong>Silent push as a wake mechanism</strong> exists but needs a server, and I wanted everything local.</li> <li> <strong><code>BGTaskScheduler</code></strong> gives you ~30 sec of CPU <strong>maybe</strong> once every 15+ minutes. iOS decides when based on user behavior patterns.</li> </ol> <p>So monitoring precision on iOS is fundamentally worse than on a server. You have to accept that and design around it.</p> <p>What I do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">BGTaskScheduler</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">register</span><span class="p">(</span><span class="nv">forTaskWithIdentifier</span><span class="p">:</span> <span class="s">"com.netdiag.hostmonitor"</span><span class="p">,</span> <span class="nv">using</span><span class="p">:</span> <span class="kc">nil</span><span class="p">)</span> <span class="p">{</span> <span class="n">task</span> <span class="k">in</span> <span class="kt">Task</span> <span class="p">{</span> <span class="k">await</span> <span class="kt">HostMonitorService</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">runMonitoringPass</span><span class="p">()</span> <span class="n">task</span><span class="o">.</span><span class="nf">setTaskCompleted</span><span class="p">(</span><span class="nv">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">)</span> <span class="p">}</span> <span class="nf">submitNext</span><span class="p">()</span> <span class="p">}</span> <span class="k">let</span> <span class="nv">request</span> <span class="o">=</span> <span class="kt">BGAppRefreshTaskRequest</span><span class="p">(</span><span class="nv">identifier</span><span class="p">:</span> <span class="s">"com.netdiag.hostmonitor"</span><span class="p">)</span> <span class="n">request</span><span class="o">.</span><span class="n">earliestBeginDate</span> <span class="o">=</span> <span class="kt">Date</span><span class="p">(</span><span class="nv">timeIntervalSinceNow</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="k">try</span> <span class="kt">BGTaskScheduler</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> </code></pre> </div> <p>Inside <code>runMonitoringPass()</code>:</p> <ol> <li>Fetch all monitored hosts</li> <li>Ping them <strong>in parallel</strong> (<code>withTaskGroup</code>) — fit within the 30-second budget</li> <li>For each: if state changed (up→down or down→up), fire a local notification</li> <li>If state unchanged, stay quiet</li> </ol> <p>No "host still up every 5 minutes" pings. Only state transitions. This both helps with iOS background limits and respects the user.</p> <p>Debugging gotcha: <strong>BGTaskScheduler doesn't fire in the simulator</strong> unless you manually trigger it via debugger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight objective_c"><code><span class="n">e</span> <span class="k">-</span><span class="n">l</span> <span class="n">objc</span> <span class="o">--</span> <span class="p">(</span><span class="kt">void</span><span class="p">)[[</span><span class="n">BGTaskScheduler</span> <span class="nf">sharedScheduler</span><span class="p">]</span> <span class="nf">_simulateLaunchForTaskWithIdentifier</span><span class="p">:</span><span class="s">@"com.netdiag.hostmonitor"</span><span class="p">]</span> </code></pre> </div> <p>Found this in some old DTS thread. Without that command, debugging background logic is impossible. On real devices the system runs your tasks unpredictably.</p> <h2> AdMob and UMP — the part that actually hurt </h2> <p>Networking was a pleasure to write. AdMob integration was a separate ordeal.</p> <p>AdMob via the <code>GoogleMobileAds</code> Swift Package itself is fine — <code>MobileAds.shared.start()</code>, banners through <code>BannerView</code> in a <code>UIViewRepresentable</code>, standard stuff.</p> <p>The pain begins with <strong>GDPR / CCPA consent</strong>, which Google requires through their UMP SDK (<code>GoogleUserMessagingPlatform</code>). Two problems:</p> <ol> <li> <strong>SwiftUI documentation</strong> is essentially nonexistent. Every Google example is Objective-C or old UIKit. You figure out the SwiftUI integration by trial and error.</li> <li> <strong>AdMob won't activate your privacy message until you ship a "revocation link" in the live app</strong> — that is, a button in Settings that re-opens the consent form. The business logic is: build the revocation link in code → <strong>ship that build</strong> → then go back to AdMob and confirm "yes, my app has the revocation link, please activate the message." Nowhere is this clearly stated. I sat on a configured but inactive consent message for a week before figuring it out.</li> </ol> <p>The integration looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">@MainActor</span> <span class="kd">final</span> <span class="kd">class</span> <span class="kt">ConsentManager</span><span class="p">:</span> <span class="kt">ObservableObject</span> <span class="p">{</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">shared</span> <span class="o">=</span> <span class="kt">ConsentManager</span><span class="p">()</span> <span class="kd">@Published</span> <span class="kd">private(set)</span> <span class="k">var</span> <span class="nv">adsStarted</span> <span class="o">=</span> <span class="kc">false</span> <span class="kd">@Published</span> <span class="kd">private(set)</span> <span class="k">var</span> <span class="nv">privacyOptionsRequired</span> <span class="o">=</span> <span class="kc">false</span> <span class="kd">func</span> <span class="nf">requestConsentAndStartAds</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">parameters</span> <span class="o">=</span> <span class="kt">RequestParameters</span><span class="p">()</span> <span class="kt">ConsentInformation</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">requestConsentInfoUpdate</span><span class="p">(</span><span class="nv">with</span><span class="p">:</span> <span class="n">parameters</span><span class="p">)</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">error</span> <span class="k">in</span> <span class="kt">ConsentForm</span><span class="o">.</span><span class="nf">loadAndPresentIfRequired</span><span class="p">(</span><span class="nv">from</span><span class="p">:</span> <span class="k">Self</span><span class="o">.</span><span class="nf">topViewController</span><span class="p">())</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">formError</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">updatePrivacyOptionsAvailability</span><span class="p">()</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">startAdsIfNeeded</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">func</span> <span class="nf">presentPrivacyOptionsForm</span><span class="p">()</span> <span class="p">{</span> <span class="k">guard</span> <span class="k">let</span> <span class="nv">root</span> <span class="o">=</span> <span class="k">Self</span><span class="o">.</span><span class="nf">topViewController</span><span class="p">()</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="kt">ConsentForm</span><span class="o">.</span><span class="nf">presentPrivacyOptionsForm</span><span class="p">(</span><span class="nv">from</span><span class="p">:</span> <span class="n">root</span><span class="p">)</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">error</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">updatePrivacyOptionsAvailability</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">private</span> <span class="kd">func</span> <span class="nf">startAdsIfNeeded</span><span class="p">()</span> <span class="p">{</span> <span class="k">guard</span> <span class="kt">ConsentInformation</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="n">canRequestAds</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="kt">MobileAds</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="n">start</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">_</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="n">adsStarted</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The key part: <code>MobileAds.shared.start()</code> is only called <strong>after</strong> the UMP flow returns <code>canRequestAds == true</code>. If a user in the EEA refuses, <code>canRequestAds</code> stays true anyway, ads just become non-personalized. The same flow covers both GDPR (EEA/UK) and US state privacy (CCPA in California and other regulated states), because UMP under the hood inspects geo and serves the matching message.</p> <p>Another gotcha: <code>ATTrackingManager.requestTrackingAuthorization</code> (the ATT prompt) <strong>must come before</strong> the UMP flow, because UMP checks the ATT state when building the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">ATTManager</span><span class="o">.</span><span class="n">requestTrackingIfNeeded</span> <span class="p">{</span> <span class="kt">ConsentManager</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">requestConsentAndStartAds</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Wrong order and UMP might think tracking is granted, then ATT denies, creating a mismatch AdMob can later flag.</p> <p>For debug builds I force the geography to test the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="cp">#if DEBUG</span> <span class="k">let</span> <span class="nv">debugSettings</span> <span class="o">=</span> <span class="kt">DebugSettings</span><span class="p">()</span> <span class="n">debugSettings</span><span class="o">.</span><span class="n">geography</span> <span class="o">=</span> <span class="o">.</span><span class="kt">EEA</span> <span class="c1">// or .regulatedUSState</span> <span class="n">parameters</span><span class="o">.</span><span class="n">debugSettings</span> <span class="o">=</span> <span class="n">debugSettings</span> <span class="cp">#endif</span> </code></pre> </div> <p>Without this, from a non-EEA IP the consent form never shows and you can't validate the flow at all.</p> <h2> Localization </h2> <p>12 languages (en, ru, uk, de, es, pt-BR, fr, it, pl, ja, ko, tr) using the new Xcode <strong>String Catalogs</strong> (<code>.xcstrings</code>). After years of <code>Localizable.strings</code>, the Catalog format is just nice — JSON, diffs reasonably in git, Xcode has a usable GUI for translation, automatic pluralization. If you're still on <code>.strings</code>, migrate, you're losing nothing.</p> <h2> What I'd do differently </h2> <ol> <li><p><strong>Don't skimp on tests</strong> for ICMP header parsing. I have decent tests on DNS resolver and whois parser, but I debugged the ICMP path against live networks. It worked for 30 hosts; then two days after release I found a bug with big-endian sequence numbers. Embarrassing.</p></li> <li><p><strong>Build UMP from day one</strong>, before submitting to TestFlight. Retrofitting UMP after the fact rewrites your AdMob initialization order, ATT timing, etc. Just bake it in.</p></li> <li><p><strong>Don't trust the simulator</strong> for anything touching background tasks, mDNS, or push notifications. I had several "green in simulator, dead on device" moments.</p></li> </ol> <h2> Numbers and context </h2> <p>App went live a few weeks ago. ~30 total installs at the time of writing — basically zero marketing happened. This post is part of changing that.</p> <p>AdMob after the first week post-approval: $1.19 eCPM, 85% match rate — "normal for a utility at launch" according to indie folks I've asked.</p> <p>If you've done iOS network programming and hit different walls, I'd love to compare notes. Apple's networking stack isn't where most iOS devs spend their time and good references are scattered.</p> <h2> Links </h2> <ul> <li>App Store: <a href="https://apps.apple.com/app/id6761954529" rel="noopener noreferrer">https://apps.apple.com/app/id6761954529</a> </li> <li>Apple's SimplePing sample (historical reference): <a href="https://developer.apple.com/library/archive/samplecode/SimplePing/Introduction/Intro.html" rel="noopener noreferrer">https://developer.apple.com/library/archive/samplecode/SimplePing/Introduction/Intro.html</a> </li> <li>BGTaskScheduler docs: <a href="https://developer.apple.com/documentation/backgroundtasks" rel="noopener noreferrer">https://developer.apple.com/documentation/backgroundtasks</a> </li> <li>Google UMP SDK docs: <a href="https://developers.google.com/admob/ios/privacy" rel="noopener noreferrer">https://developers.google.com/admob/ios/privacy</a> </li> </ul> <p>App is free with a banner, one-time IAP to remove ads. No accounts, no analytics beyond AdMob, no tracking SDK beyond what AdMob requires.</p> ios swift networking tutorial