DEV Community: Dmytro Tishchenko The latest articles on DEV Community by Dmytro Tishchenko (@dtisch). https://dev.to/dtisch https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3942885%2F7a15f5d0-d6ca-44f9-8822-4ba564ac2601.png DEV Community: Dmytro Tishchenko https://dev.to/dtisch en How I implemented ping and traceroute on iOS without entitlements Dmytro Tishchenko Thu, 21 May 2026 10:51:49 +0000 https://dev.to/dtisch/how-i-implemented-ping-and-traceroute-on-ios-without-entitlements-2fm https://dev.to/dtisch/how-i-implemented-ping-and-traceroute-on-ios-without-entitlements-2fm <p>I just shipped v1.3 of a network diagnostics app I've been building on evenings and weekends — NetDiag+. It does ping, traceroute, DNS lookups, whois, LAN scanning, port scanning, SSL cert checking, BGP/ASN lookups, plus a host monitor that does background pings and pushes a notification when something goes down.</p> <p>Stack: pure SwiftUI, iOS 16+, Swift Concurrency throughout, Darwin C-interop where it has to be. No third-party networking libraries — everything on raw BSD sockets through C-interop.</p> <p>Wanted to share the implementation notes I would have appreciated finding myself when I started. A few things on iOS work differently than you'd expect from a Unix background, and the gotchas aren't where you think they are.</p> <p>Spoiler on conclusions: the most painful part wasn't networking, it was integrating Google's UMP consent SDK for AdMob.</p> <h2> ICMP ping without entitlements </h2> <p>The first surprise: on iOS, you can open an ICMP socket <strong>without any special entitlement and without root</strong>, which is something you'd need <code>CAP_NET_RAW</code> or setuid for on Linux. Apple exposed this to regular sandboxed processes through <code>SOCK_DGRAM</code> (not <code>SOCK_RAW</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">final</span> <span class="kd">class</span> <span class="kt">ICMPSocket</span> <span class="p">{</span> <span class="kd">private</span> <span class="k">let</span> <span class="nv">fd</span><span class="p">:</span> <span class="kt">Int32</span> <span class="nf">init</span><span class="p">()</span> <span class="k">throws</span> <span class="p">{</span> <span class="n">fd</span> <span class="o">=</span> <span class="nf">socket</span><span class="p">(</span><span class="kt">AF_INET</span><span class="p">,</span> <span class="kt">SOCK_DGRAM</span><span class="p">,</span> <span class="kt">IPPROTO_ICMP</span><span class="p">)</span> <span class="k">guard</span> <span class="n">fd</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="kt">SocketError</span><span class="o">.</span><span class="nf">creationFailed</span><span class="p">(</span><span class="n">errno</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">deinit</span> <span class="p">{</span> <span class="nf">close</span><span class="p">(</span><span class="n">fd</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>This is the same model macOS <code>ping(8)</code> has used since some old version when Apple dropped the setuid bit. The kernel writes the correct ICMP header for you (type/code/checksum for echo request), and rewrites the identifier to one it generates. That last bit is the first gotcha: on recv you don't get back the identifier you sent, so the standard logic of matching responses by identifier doesn't work.</p> <p>The fix: match on <strong>sequence number and payload</strong>. I put my own marker in the payload and verify it on receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="c1">// Send</span> <span class="k">var</span> <span class="nv">header</span> <span class="o">=</span> <span class="kt">ICMPHeader</span><span class="p">()</span> <span class="n">header</span><span class="o">.</span><span class="n">type</span> <span class="o">=</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">echoRequest</span><span class="o">.</span><span class="n">rawValue</span> <span class="n">header</span><span class="o">.</span><span class="n">code</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">header</span><span class="o">.</span><span class="n">identifier</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1">// kernel will overwrite</span> <span class="n">header</span><span class="o">.</span><span class="n">sequence</span> <span class="o">=</span> <span class="n">currentSequence</span><span class="o">.</span><span class="n">bigEndian</span> <span class="k">let</span> <span class="nv">payload</span> <span class="o">=</span> <span class="nf">makePayload</span><span class="p">(</span><span class="nv">sequence</span><span class="p">:</span> <span class="n">currentSequence</span><span class="p">)</span> <span class="k">let</span> <span class="nv">packet</span> <span class="o">=</span> <span class="n">header</span><span class="o">.</span><span class="n">bytes</span> <span class="o">+</span> <span class="n">payload</span> <span class="k">try</span> <span class="n">socket</span><span class="o">.</span><span class="nf">send</span><span class="p">(</span><span class="nv">data</span><span class="p">:</span> <span class="n">packet</span><span class="p">,</span> <span class="nv">to</span><span class="p">:</span> <span class="n">address</span><span class="p">)</span> <span class="c1">// Receive</span> <span class="k">let</span> <span class="p">(</span><span class="nv">data</span><span class="p">,</span> <span class="nv">fromIP</span><span class="p">)</span> <span class="o">=</span> <span class="k">try</span> <span class="n">socket</span><span class="o">.</span><span class="nf">receive</span><span class="p">()</span> <span class="k">guard</span> <span class="k">let</span> <span class="nv">received</span> <span class="o">=</span> <span class="kt">ICMPHeader</span><span class="o">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">data</span><span class="p">),</span> <span class="n">received</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">echoReply</span><span class="o">.</span><span class="n">rawValue</span><span class="p">,</span> <span class="n">received</span><span class="o">.</span><span class="n">sequence</span> <span class="o">==</span> <span class="n">currentSequence</span><span class="o">.</span><span class="n">bigEndian</span> <span class="k">else</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> </code></pre> </div> <p>Second gotcha: timeouts. <code>recvfrom</code> without <code>SO_RCVTIMEO</code> blocks indefinitely, which in Swift Concurrency means a stuck Task you then can't cancel cleanly. So I set a recv timeout on the socket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">func</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nv">seconds</span><span class="p">:</span> <span class="kt">Double</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="nv">tv</span> <span class="o">=</span> <span class="nf">timeval</span><span class="p">(</span> <span class="nv">tv_sec</span><span class="p">:</span> <span class="kt">Int</span><span class="p">(</span><span class="n">seconds</span><span class="p">),</span> <span class="nv">tv_usec</span><span class="p">:</span> <span class="kt">Int32</span><span class="p">((</span><span class="n">seconds</span><span class="o">.</span><span class="nf">truncatingRemainder</span><span class="p">(</span><span class="nv">dividingBy</span><span class="p">:</span> <span class="mi">1</span><span class="p">))</span> <span class="o">*</span> <span class="mi">1_000_000</span><span class="p">)</span> <span class="p">)</span> <span class="nf">setsockopt</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="kt">SOL_SOCKET</span><span class="p">,</span> <span class="kt">SO_RCVTIMEO</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">tv</span><span class="p">,</span> <span class="nf">socklen_t</span><span class="p">(</span><span class="kt">MemoryLayout</span><span class="o">&lt;</span><span class="n">timeval</span><span class="o">&gt;.</span><span class="n">size</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>On <code>EAGAIN</code>/<code>EWOULDBLOCK</code> I throw my own <code>SocketError.timeout</code>, which higher up in the stack becomes a normal "timeout" hop in the result list.</p> <p>Apple's SimplePing sample is the OG reference here — it's Objective-C, dated, but you can crib a lot from it. I ended up writing my own thin wrapper because SimplePing doesn't play nicely with modern Swift Concurrency and gets awkward for multi-host pings. No regrets.</p> <h2> Traceroute that actually works </h2> <p>Standard Unix traceroute has three flavors: ICMP echo (the Windows <code>tracert</code> style), UDP to closed ports (classic BSD), or TCP SYN (paris-traceroute, traceroute-tcp).</p> <p>I tried the ICMP variant first. The idea is straightforward — send ICMP echo with a low TTL, listen for ICMP Time Exceeded from an intermediate hop, increment TTL. On paper, fine. In practice I hit two problems on iOS:</p> <ol> <li> <strong><code>setsockopt(IP_TTL)</code> on a SOCK_DGRAM ICMP socket behaves inconsistently.</strong> Some networks worked, others wouldn't return Time Exceeded reliably.</li> <li> <strong>Matching incoming responses.</strong> On receive you get back an ICMP Time Exceeded, and the inner payload contains the original packet you sent. Matching the response to a specific TTL step means parsing inner payloads, which felt fragile.</li> </ol> <p>So I switched to the classic BSD approach: UDP packets to closed ports with incrementing TTL, with a passive ICMP socket listening for Time Exceeded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="k">let</span> <span class="nv">icmpSock</span> <span class="o">=</span> <span class="k">try</span> <span class="kt">ICMPSocket</span><span class="p">()</span> <span class="c1">// receive-only</span> <span class="n">icmpSock</span><span class="o">.</span><span class="nf">setTimeout</span><span class="p">(</span><span class="nv">seconds</span><span class="p">:</span> <span class="n">timeout</span><span class="p">)</span> <span class="k">for</span> <span class="n">ttl</span> <span class="k">in</span> <span class="mi">1</span><span class="o">...</span><span class="n">maxHops</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">udpSock</span> <span class="o">=</span> <span class="k">try</span> <span class="kt">UDPSocket</span><span class="p">()</span> <span class="n">udpSock</span><span class="o">.</span><span class="nf">setTTL</span><span class="p">(</span><span class="n">ttl</span><span class="p">)</span> <span class="k">var</span> <span class="nv">dest</span> <span class="o">=</span> <span class="n">address</span> <span class="n">dest</span><span class="o">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="p">(</span><span class="n">port</span> <span class="o">+</span> <span class="kt">UInt16</span><span class="p">(</span><span class="n">ttl</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span><span class="o">.</span><span class="n">bigEndian</span> <span class="c1">// 33434, 33435, ...</span> <span class="k">let</span> <span class="nv">probe</span> <span class="o">=</span> <span class="kt">Data</span><span class="p">(</span><span class="nv">repeating</span><span class="p">:</span> <span class="mh">0x40</span><span class="p">,</span> <span class="nv">count</span><span class="p">:</span> <span class="mi">32</span><span class="p">)</span> <span class="k">let</span> <span class="nv">sendTime</span> <span class="o">=</span> <span class="kt">CFAbsoluteTimeGetCurrent</span><span class="p">()</span> <span class="k">try</span> <span class="n">udpSock</span><span class="o">.</span><span class="nf">send</span><span class="p">(</span><span class="nv">data</span><span class="p">:</span> <span class="n">probe</span><span class="p">,</span> <span class="nv">to</span><span class="p">:</span> <span class="n">dest</span><span class="p">)</span> <span class="k">let</span> <span class="p">(</span><span class="nv">data</span><span class="p">,</span> <span class="nv">fromIP</span><span class="p">)</span> <span class="o">=</span> <span class="k">try</span> <span class="n">icmpSock</span><span class="o">.</span><span class="nf">receive</span><span class="p">()</span> <span class="k">let</span> <span class="nv">rtt</span> <span class="o">=</span> <span class="kt">CFAbsoluteTimeGetCurrent</span><span class="p">()</span> <span class="o">-</span> <span class="n">sendTime</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The 33434+TTL port choice is <code>traceroute(8)</code>'s historical pick from the 80s — those ports are unlikely to be open on the destination, so you're guaranteed to get either ICMP Time Exceeded from an intermediate hop or ICMP Port Unreachable from the destination, and both cases are handled uniformly.</p> <p>Key insight: <strong>UDP_TTL works fine on iOS</strong> via <code>setsockopt(IP_TTL)</code>, unlike the ICMP variant. The ICMP socket is purely a passive receiver — we never send from it, only read incoming Time Exceeded packets.</p> <p>Final hop detection is two-way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="k">let</span> <span class="nv">isFinal</span> <span class="o">=</span> <span class="n">fromIP</span> <span class="o">==</span> <span class="n">destIP</span> <span class="o">||</span> <span class="n">header</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="kt">ICMPType</span><span class="o">.</span><span class="n">destinationUnreachable</span><span class="o">.</span><span class="n">rawValue</span> </code></pre> </div> <p>Either the response came from the destination IP (meaning it sent us Port Unreachable), or the ICMP type is Destination Unreachable.</p> <h2> LAN scanner: no ARP for you </h2> <p>This is where iOS cuts harder. You <strong>don't get the system ARP table</strong> in userspace. There's no <code>getarp()</code>, no <code>/proc/net/arp</code> like on Linux. So the obvious "read the ARP table and list neighbors" idea is dead on arrival.</p> <p>What you do get:</p> <ol> <li> <strong>Concurrent TCP connect</strong> on common ports (80, 443, 22, 8080, etc). If a host responds (SYN+ACK or RST), it's alive. Raw SYN is locked down — only a full TCP handshake works.</li> <li> <strong>mDNS / Bonjour discovery</strong> via <code>NetServiceBrowser</code> or <code>NWBrowser</code>. Partial coverage — only sees devices that advertise services.</li> <li> <strong><code>NSLocalNetworkUsageDescription</code></strong> in Info.plist is <strong>mandatory</strong>. Without it, the first attempt to connect to a local IP triggers a "Local Network Access" alert, and nothing works until the user answers. Burned half an evening figuring this out the first time.</li> </ol> <p>I went with the TCP connect approach via <code>withThrowingTaskGroup</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">private</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">maxConcurrentProbes</span> <span class="o">=</span> <span class="mi">20</span> <span class="kd">func</span> <span class="nf">discoverHosts</span><span class="p">(</span><span class="nv">localIP</span><span class="p">:</span> <span class="kt">String</span><span class="p">,</span> <span class="nv">subnetMask</span><span class="p">:</span> <span class="kt">String</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kt">AsyncThrowingStream</span><span class="o">&lt;</span><span class="kt">LANDevice</span><span class="p">,</span> <span class="kt">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kt">AsyncThrowingStream</span> <span class="p">{</span> <span class="n">continuation</span> <span class="k">in</span> <span class="kt">Task</span><span class="o">.</span><span class="n">detached</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">range</span> <span class="o">=</span> <span class="k">Self</span><span class="o">.</span><span class="nf">calculateSubnetRange</span><span class="p">(</span><span class="nv">ip</span><span class="p">:</span> <span class="n">localIP</span><span class="p">,</span> <span class="nv">mask</span><span class="p">:</span> <span class="n">subnetMask</span><span class="p">)</span> <span class="k">try</span> <span class="k">await</span> <span class="nf">withThrowingTaskGroup</span><span class="p">(</span><span class="nv">of</span><span class="p">:</span> <span class="kt">LANDevice</span><span class="p">?</span><span class="o">.</span><span class="k">self</span><span class="p">)</span> <span class="p">{</span> <span class="n">group</span> <span class="k">in</span> <span class="k">var</span> <span class="nv">activeCount</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">ip</span> <span class="k">in</span> <span class="n">range</span> <span class="p">{</span> <span class="k">if</span> <span class="n">activeCount</span> <span class="o">&gt;=</span> <span class="k">Self</span><span class="o">.</span><span class="n">maxConcurrentProbes</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">device</span> <span class="o">=</span> <span class="k">try</span><span class="p">?</span> <span class="k">await</span> <span class="n">group</span><span class="o">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">d</span> <span class="o">=</span> <span class="n">device</span> <span class="p">{</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">yield</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="n">activeCount</span> <span class="o">-=</span> <span class="mi">1</span> <span class="p">}</span> <span class="n">group</span><span class="o">.</span><span class="n">addTask</span> <span class="p">{</span> <span class="k">try</span> <span class="k">await</span> <span class="k">Self</span><span class="o">.</span><span class="nf">probeHost</span><span class="p">(</span><span class="nv">ip</span><span class="p">:</span> <span class="n">ip</span><span class="p">)</span> <span class="p">}</span> <span class="n">activeCount</span> <span class="o">+=</span> <span class="mi">1</span> <span class="p">}</span> <span class="k">for</span> <span class="k">try</span> <span class="k">await</span> <span class="n">device</span> <span class="k">in</span> <span class="n">group</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nv">d</span> <span class="o">=</span> <span class="n">device</span> <span class="p">{</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">yield</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="n">continuation</span><span class="o">.</span><span class="nf">finish</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One <code>connect()</code> to port 80 with a 500ms timeout per IP across a /24 — the host responds with SYN+ACK (alive), RST (alive but port closed, also counts as alive), or times out (dead or filtered). With <code>maxConcurrentProbes = 20</code> the whole /24 finishes in 2-3 seconds.</p> <p>iOS 17 gotcha: the "Local Network Access" alert shows only once. If the user denies it, subsequent <code>connect()</code> calls just silently time out, with no clear error. Had to add a UI hint nudging the user to Settings.</p> <h2> Host monitor: BGTaskScheduler as it is </h2> <p>The most engineering-painful part of the app. The user-facing requirement: "I add hosts to monitor, and if one goes down I get a push, like UptimeRobot." On iOS you can't do this properly because:</p> <ol> <li> <strong>No persistent background thread.</strong> iOS kills your app ~30 seconds after backgrounding.</li> <li> <strong>Silent push as a wake mechanism</strong> exists but needs a server, and I wanted everything local.</li> <li> <strong><code>BGTaskScheduler</code></strong> gives you ~30 sec of CPU <strong>maybe</strong> once every 15+ minutes. iOS decides when based on user behavior patterns.</li> </ol> <p>So monitoring precision on iOS is fundamentally worse than on a server. You have to accept that and design around it.</p> <p>What I do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">BGTaskScheduler</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">register</span><span class="p">(</span><span class="nv">forTaskWithIdentifier</span><span class="p">:</span> <span class="s">"com.netdiag.hostmonitor"</span><span class="p">,</span> <span class="nv">using</span><span class="p">:</span> <span class="kc">nil</span><span class="p">)</span> <span class="p">{</span> <span class="n">task</span> <span class="k">in</span> <span class="kt">Task</span> <span class="p">{</span> <span class="k">await</span> <span class="kt">HostMonitorService</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">runMonitoringPass</span><span class="p">()</span> <span class="n">task</span><span class="o">.</span><span class="nf">setTaskCompleted</span><span class="p">(</span><span class="nv">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">)</span> <span class="p">}</span> <span class="nf">submitNext</span><span class="p">()</span> <span class="p">}</span> <span class="k">let</span> <span class="nv">request</span> <span class="o">=</span> <span class="kt">BGAppRefreshTaskRequest</span><span class="p">(</span><span class="nv">identifier</span><span class="p">:</span> <span class="s">"com.netdiag.hostmonitor"</span><span class="p">)</span> <span class="n">request</span><span class="o">.</span><span class="n">earliestBeginDate</span> <span class="o">=</span> <span class="kt">Date</span><span class="p">(</span><span class="nv">timeIntervalSinceNow</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="k">try</span> <span class="kt">BGTaskScheduler</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> </code></pre> </div> <p>Inside <code>runMonitoringPass()</code>:</p> <ol> <li>Fetch all monitored hosts</li> <li>Ping them <strong>in parallel</strong> (<code>withTaskGroup</code>) — fit within the 30-second budget</li> <li>For each: if state changed (up→down or down→up), fire a local notification</li> <li>If state unchanged, stay quiet</li> </ol> <p>No "host still up every 5 minutes" pings. Only state transitions. This both helps with iOS background limits and respects the user.</p> <p>Debugging gotcha: <strong>BGTaskScheduler doesn't fire in the simulator</strong> unless you manually trigger it via debugger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight objective_c"><code><span class="n">e</span> <span class="k">-</span><span class="n">l</span> <span class="n">objc</span> <span class="o">--</span> <span class="p">(</span><span class="kt">void</span><span class="p">)[[</span><span class="n">BGTaskScheduler</span> <span class="nf">sharedScheduler</span><span class="p">]</span> <span class="nf">_simulateLaunchForTaskWithIdentifier</span><span class="p">:</span><span class="s">@"com.netdiag.hostmonitor"</span><span class="p">]</span> </code></pre> </div> <p>Found this in some old DTS thread. Without that command, debugging background logic is impossible. On real devices the system runs your tasks unpredictably.</p> <h2> AdMob and UMP — the part that actually hurt </h2> <p>Networking was a pleasure to write. AdMob integration was a separate ordeal.</p> <p>AdMob via the <code>GoogleMobileAds</code> Swift Package itself is fine — <code>MobileAds.shared.start()</code>, banners through <code>BannerView</code> in a <code>UIViewRepresentable</code>, standard stuff.</p> <p>The pain begins with <strong>GDPR / CCPA consent</strong>, which Google requires through their UMP SDK (<code>GoogleUserMessagingPlatform</code>). Two problems:</p> <ol> <li> <strong>SwiftUI documentation</strong> is essentially nonexistent. Every Google example is Objective-C or old UIKit. You figure out the SwiftUI integration by trial and error.</li> <li> <strong>AdMob won't activate your privacy message until you ship a "revocation link" in the live app</strong> — that is, a button in Settings that re-opens the consent form. The business logic is: build the revocation link in code → <strong>ship that build</strong> → then go back to AdMob and confirm "yes, my app has the revocation link, please activate the message." Nowhere is this clearly stated. I sat on a configured but inactive consent message for a week before figuring it out.</li> </ol> <p>The integration looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kd">@MainActor</span> <span class="kd">final</span> <span class="kd">class</span> <span class="kt">ConsentManager</span><span class="p">:</span> <span class="kt">ObservableObject</span> <span class="p">{</span> <span class="kd">static</span> <span class="k">let</span> <span class="nv">shared</span> <span class="o">=</span> <span class="kt">ConsentManager</span><span class="p">()</span> <span class="kd">@Published</span> <span class="kd">private(set)</span> <span class="k">var</span> <span class="nv">adsStarted</span> <span class="o">=</span> <span class="kc">false</span> <span class="kd">@Published</span> <span class="kd">private(set)</span> <span class="k">var</span> <span class="nv">privacyOptionsRequired</span> <span class="o">=</span> <span class="kc">false</span> <span class="kd">func</span> <span class="nf">requestConsentAndStartAds</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="nv">parameters</span> <span class="o">=</span> <span class="kt">RequestParameters</span><span class="p">()</span> <span class="kt">ConsentInformation</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">requestConsentInfoUpdate</span><span class="p">(</span><span class="nv">with</span><span class="p">:</span> <span class="n">parameters</span><span class="p">)</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">error</span> <span class="k">in</span> <span class="kt">ConsentForm</span><span class="o">.</span><span class="nf">loadAndPresentIfRequired</span><span class="p">(</span><span class="nv">from</span><span class="p">:</span> <span class="k">Self</span><span class="o">.</span><span class="nf">topViewController</span><span class="p">())</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">formError</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">updatePrivacyOptionsAvailability</span><span class="p">()</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">startAdsIfNeeded</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">func</span> <span class="nf">presentPrivacyOptionsForm</span><span class="p">()</span> <span class="p">{</span> <span class="k">guard</span> <span class="k">let</span> <span class="nv">root</span> <span class="o">=</span> <span class="k">Self</span><span class="o">.</span><span class="nf">topViewController</span><span class="p">()</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="kt">ConsentForm</span><span class="o">.</span><span class="nf">presentPrivacyOptionsForm</span><span class="p">(</span><span class="nv">from</span><span class="p">:</span> <span class="n">root</span><span class="p">)</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">error</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="nf">updatePrivacyOptionsAvailability</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">private</span> <span class="kd">func</span> <span class="nf">startAdsIfNeeded</span><span class="p">()</span> <span class="p">{</span> <span class="k">guard</span> <span class="kt">ConsentInformation</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="n">canRequestAds</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="kt">MobileAds</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="n">start</span> <span class="p">{</span> <span class="p">[</span><span class="k">weak</span> <span class="k">self</span><span class="p">]</span> <span class="n">_</span> <span class="k">in</span> <span class="k">self</span><span class="p">?</span><span class="o">.</span><span class="n">adsStarted</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The key part: <code>MobileAds.shared.start()</code> is only called <strong>after</strong> the UMP flow returns <code>canRequestAds == true</code>. If a user in the EEA refuses, <code>canRequestAds</code> stays true anyway, ads just become non-personalized. The same flow covers both GDPR (EEA/UK) and US state privacy (CCPA in California and other regulated states), because UMP under the hood inspects geo and serves the matching message.</p> <p>Another gotcha: <code>ATTrackingManager.requestTrackingAuthorization</code> (the ATT prompt) <strong>must come before</strong> the UMP flow, because UMP checks the ATT state when building the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">ATTManager</span><span class="o">.</span><span class="n">requestTrackingIfNeeded</span> <span class="p">{</span> <span class="kt">ConsentManager</span><span class="o">.</span><span class="n">shared</span><span class="o">.</span><span class="nf">requestConsentAndStartAds</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Wrong order and UMP might think tracking is granted, then ATT denies, creating a mismatch AdMob can later flag.</p> <p>For debug builds I force the geography to test the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="cp">#if DEBUG</span> <span class="k">let</span> <span class="nv">debugSettings</span> <span class="o">=</span> <span class="kt">DebugSettings</span><span class="p">()</span> <span class="n">debugSettings</span><span class="o">.</span><span class="n">geography</span> <span class="o">=</span> <span class="o">.</span><span class="kt">EEA</span> <span class="c1">// or .regulatedUSState</span> <span class="n">parameters</span><span class="o">.</span><span class="n">debugSettings</span> <span class="o">=</span> <span class="n">debugSettings</span> <span class="cp">#endif</span> </code></pre> </div> <p>Without this, from a non-EEA IP the consent form never shows and you can't validate the flow at all.</p> <h2> Localization </h2> <p>12 languages (en, ru, uk, de, es, pt-BR, fr, it, pl, ja, ko, tr) using the new Xcode <strong>String Catalogs</strong> (<code>.xcstrings</code>). After years of <code>Localizable.strings</code>, the Catalog format is just nice — JSON, diffs reasonably in git, Xcode has a usable GUI for translation, automatic pluralization. If you're still on <code>.strings</code>, migrate, you're losing nothing.</p> <h2> What I'd do differently </h2> <ol> <li><p><strong>Don't skimp on tests</strong> for ICMP header parsing. I have decent tests on DNS resolver and whois parser, but I debugged the ICMP path against live networks. It worked for 30 hosts; then two days after release I found a bug with big-endian sequence numbers. Embarrassing.</p></li> <li><p><strong>Build UMP from day one</strong>, before submitting to TestFlight. Retrofitting UMP after the fact rewrites your AdMob initialization order, ATT timing, etc. Just bake it in.</p></li> <li><p><strong>Don't trust the simulator</strong> for anything touching background tasks, mDNS, or push notifications. I had several "green in simulator, dead on device" moments.</p></li> </ol> <h2> Numbers and context </h2> <p>App went live a few weeks ago. ~30 total installs at the time of writing — basically zero marketing happened. This post is part of changing that.</p> <p>AdMob after the first week post-approval: $1.19 eCPM, 85% match rate — "normal for a utility at launch" according to indie folks I've asked.</p> <p>If you've done iOS network programming and hit different walls, I'd love to compare notes. Apple's networking stack isn't where most iOS devs spend their time and good references are scattered.</p> <h2> Links </h2> <ul> <li>App Store: <a href="https://apps.apple.com/app/id6761954529" rel="noopener noreferrer">https://apps.apple.com/app/id6761954529</a> </li> <li>Apple's SimplePing sample (historical reference): <a href="https://developer.apple.com/library/archive/samplecode/SimplePing/Introduction/Intro.html" rel="noopener noreferrer">https://developer.apple.com/library/archive/samplecode/SimplePing/Introduction/Intro.html</a> </li> <li>BGTaskScheduler docs: <a href="https://developer.apple.com/documentation/backgroundtasks" rel="noopener noreferrer">https://developer.apple.com/documentation/backgroundtasks</a> </li> <li>Google UMP SDK docs: <a href="https://developers.google.com/admob/ios/privacy" rel="noopener noreferrer">https://developers.google.com/admob/ios/privacy</a> </li> </ul> <p>App is free with a banner, one-time IAP to remove ads. No accounts, no analytics beyond AdMob, no tracking SDK beyond what AdMob requires.</p> ios swift networking tutorial