I'm debugging an app I'm building and everything I'm seeing suggests I need to put in a request to Apple to turn on NetworkExtension → Packet Tunnel Provider entitlement for our Team ID and bundle IDs. 1: Is this true? 2: Doesn't the option in xcode handle this?

I've been able to run this sample project with the PIRServer. But the urls are still not blocked. https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url https://github.com/apple/pir-service-example I got this on the log Received filter status change: <FilterStatus: 'running'>

During Apple Pay in-app provisioning (EV_ECC_v2), our iOS app successfully obtains the issuer provisioning certificates and generates cryptographic material. The flow fails when Apple posts the card blob to Apple’s broker (card creation step), returning HTTP 500 from .../broker/v4/devices/{SEID}/cards. Steps: Call issuerProvisioningCertificates?encryptionVersion=EV_ECC_v2 → 200 OK; returns ECC leaf + Apple Root CA chain; nonce=2a831be4. 2. Build {encryptedCardData, activationData, ephemeralPublicKey} 3. POST /broker/v4/devices/{SEID}/cards Expected: 200 OK on /broker/v4/devices/{SEID}/cards, or 5xx with a descriptive error if payload/cryptography is invalid. Observed: 500 Internal Server Error from Apple broker on /cards (labeled “eligibility” in PassKit logs), causing a terminal failure in Wallet UI.

Not quite but maybe sorta related to the errOSAInternalTableOverflow problem I asked about in a different thread, this one deals with crashes our app gets (and much more frequently lately after recent OS updates (15.7.3) are OK'd by our IT department). Our app can run multiple jobs concurrently, each in their own NSOperation. Each op creates its own SBApplication instance that controls unique instances of InDesignServer. What I'm seeing recently is lots of crashes happening while multiple ops are calling into ScriptingBridge. Shown at the bottom is one of the stack crawls from one of the threads. I've trimmed all but the last of our code. Other threads have a similar stack crawl. In searching for answers, Google's AI overview mentions "If you must use multiple threads, ensure that each thread creates its own SBApplication instance…" Which is what we do. No thread can reach another thread's SBApplication instance. Is that statement a lie? Do I need to lock around every ScriptingBridge call (which is going to severely slow things down)? 0 AE 0x1a7dba8d4 0x1a7d80000 + 239828 1 AE 0x1a7d826d8 AEProcessMessage + 3496 2 AE 0x1a7d8f210 0x1a7d80000 + 61968 3 AE 0x1a7d91978 0x1a7d80000 + 72056 4 AE 0x1a7d91764 0x1a7d80000 + 71524 5 CoreFoundation 0x1a0396a64 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 6 CoreFoundation 0x1a03969f8 __CFRunLoopDoSource0 + 172 7 CoreFoundation 0x1a0396764 __CFRunLoopDoSources0 + 232 8 CoreFoundation 0x1a03953b8 __CFRunLoopRun + 840 9 CoreFoundation 0x1a03949e8 CFRunLoopRunSpecific + 572 10 AE 0x1a7dbc108 0x1a7d80000 + 246024 11 AE 0x1a7d988fc AESendMessage + 4724 12 ScriptingBridge 0x1ecb652ac -[SBAppContext sendEvent:error:] + 80 13 ScriptingBridge 0x1ecb5eb4c -[SBObject sendEvent:id:keys:values:count:] + 216 14 ScriptingBridge 0x1ecb6890c -[SBCommandThunk invoke:] + 376 15 CoreFoundation 0x1a037594c ___forwarding___ + 956 16 CoreFoundation 0x1a03754d0 _CF_forwarding_prep_0 + 96 17 RRD 0x1027fca18 -[AppleScriptHelper runAppleScript:withSubstitutionValues:usingSBApp:] + 1036

Hello, In my iOS app, I have a customer center where the user can see some details about its current subscription. I display things like the billing period, the price, the introductory offer state, the renewal date if it's not cancelled or the expiration date if it's cancelled, etc. From this screen, the user can open the subscription management sheet. I want to detect if the user cancels the subscription from this sheet or from the App Store (when the app is running) so I can refresh the information displayed on my customer center. I checked the asynchronous sequences provided by StoreKit 2 like Transaction.updates or Product.SubscriptionInfo.Status.updates and tested with a Sandbox account on my physical device with the app debugged using Xcode. But I noticed these sequences don't emit when I cancel the subscription in Sandbox. Is this the expected behavior? Is there a way to observe in real time if a user cancels the subscription? I can still manually check when the sheet is dismissed but it's not ideal because I want to know even if the user cancel from outside of the app with the app running. Thank you, Axel

My MacBook Pro M5 running MacOS Tahoe 26.3 beta fails to detect two identical ASUS ROG Swift OLED PG32UCDM monitors simultaneously. Only one display is recognized at a time. One potential root cause might be that both monitors report identical binary EDID serial numbers (0x01010101), and the MacBook Pro M5 appears to use this value exclusively for display identity rather than combining it with other more detailed information (e.g., port, or alphanumeric serial number). I've verified that the monitor EDID binary serial numbers are in fact identical -- however the alphanumerical serial numbers are not identical. NOTE: This behavior is specific to the MacBook Pro M5 — when connecting both monitors via usb-c to a Mac Mini M4 Pro running the same MacOS Tahoe 26.3 beta, the monitors work fine. The OS detects both and assigns different names to them (PG32UCDM (1) and PG32UCDM (2)). NOTE: I could be wrong about this root cause, I don't have a way to disprove it, though the fact the monitors work fine on a Mac Mini is suspicious. What I have tried: Connecting the two monitors using different monitor ports (one on DisplayPort, another on HDMI, etc.), and different MacBook ports (one on HDMI, another on USB-C, etc.) Bumping down the resolution on the monitors to "1920x1080 (low resolution)" and 30Hz to rule out bandwidth issues. Connecting one, or both, monitors to CalDigit TS5 Plus dock. Neither alternate configuration yields the device recognizing both screens. Using BetterDisplay to import a manually-edited EDID for the screen, with a different binary EDID value, manufacturer name, etc. I've also verified that if I plug in my Apple Studio Display as one of the monitors, then the MacBook recognizes both one of the PG32UCDM monitors and the Studio Display at the same time. The issue seems to occur only when both monitors plugged into it are the same PG32UCDM model. When I have both monitors plugged into my MacBook, each time I disconnect the cable to whichever monitor is currently recognized, it immediately recognizes the other monitor. Plugging the cable for the disconnected monitor back in has no effect. I'm at a loss. Has anyone run into this issue and found a successful workaround that is not one of the approaches I've described above?

I'm using a Mac Studio in a homelab context and use Homebrew to manage the installed services. The services include things that access the local network, for example Prometheus which monitors some other servers, a reverse proxy which fronts other web services on the network, and a DNS server which can use another as upstream. Local Network Access permissions make it impossible to reliably perform unattended updates of services because an updated binary requires a GUI login to grant local network permissions (again). I use brew services to manage the services as launchd agents, i.e. they run in a non-root GUI context. I know that I can also use sudo brew services which instead installs the services as launchd daemons, but running services as root has negative security implication and generally doesn't look like a good idea to me. If only there was a way to disable local network access checks altogether…

Hello, Recently we got a question about the event_timestamps for the phone usage report in our research project: Does the event_timestamp correspond to the start point or end point of a period of interest? For example, say the event_timestamp is 2024-07-01 23:59:59 with a duration of 86400. The user is noted to have made 2 phone calls during that event_timestamp. Did those phone calls occur in the 86400 seconds prior to that timestamp (i.e., on 2024-07-01) or in the 86400 seconds after that timestamp (i.e., on 2024-07-02)? Thanks!

Environment: iPhone 17 / iPhone 17 Pro (Apple N1 chip) iOS 26.x Xcode 26 Framework: Flutter app with native iOS BLE library (CoreBluetooth) We have a production IoT app that communicates with BLE nodes (Nordic, PIC, EnOcean peripherals) using an advertising/scanning-based protocol — not GATT connections. The app broadcasts commands via CBPeripheralManager (advertising service UUIDs) and receives responses by scanning with CBCentralManager (reading manufacturer data and service UUIDs from advertisement packets). This workflow has been reliable across all iPhone models from iPhone 8 through iPhone 16 Pro Max. On iPhone 17 devices, we are experiencing multiple failures in this workflow. Architecture: Sending commands: We use CBPeripheralManager.startAdvertising() with CBAdvertisementDataServiceUUIDsKey to broadcast a UUID-encoded command to nearby nodes. Receiving responses: We use CBCentralManager.scanForPeripherals(withServices: nil, options: [CBCentralManagerScanOptionAllowDuplicatesKey: true]) and filter responses in centralManager(_:didDiscover:advertisementData:rssi:) by matching CBAdvertisementDataServiceUUIDsKey or CBAdvertisementDataManufacturerDataKey against expected UUID masks. Communication pattern: Advertise a command → stop advertiser → start scanner → wait for matching response → process result. Typical timeout is 1.5 seconds per exchange. Issues observed on iPhone 17: peripheralManagerDidStartAdvertising behaviour change After calling CBPeripheralManager.startAdvertising(:), the delegate callback peripheralManagerDidStartAdvertising(:error:) either fires with errors that did not occur on previous hardware, or advertising does not appear to reach the peripheral nodes at all. The same advertising payload works immediately when tested on iPhone 15/16. Is the N1 chip's Bluetooth 6 stack handling CBAdvertisementDataServiceUUIDsKey advertising differently? Are there new constraints on advertising payload size or format? Scanner returning fewer/no results with withServices: nil Our scanner uses scanForPeripherals(withServices: nil) because we need to read manufacturer data from advertisement packets and filter using a custom UUID mask. On iPhone 17, we observe significantly fewer didDiscover callbacks compared to iPhone 15/16 in the same physical environment, with the same nodes advertising. We understand that passing service UUIDs in withServices: is recommended, but our protocol requires reading raw manufacturer data bytes that aren't associated with a single service UUID — we use mask-based matching (e.g., filter mask 11110000-0000-0000-0000-000000000000 against scan results). Has the N1 chip changed the rate or filtering behaviour of unfiltered BLE scans? Is there a new throttling mechanism? Background scanning stops immediately When the app moves to background, scanning appears to stop entirely on iPhone 17 — even with bluetooth-central in UIBackgroundModes. On iPhone 16, background scanning continued (at reduced intervals) and delivered results for peripherals advertising filtered service UUIDs. Aggressive session termination on app backgrounding Our advertise-then-scan sequences (typically 1.5s round-trip) are being interrupted when the user briefly switches apps. The CBPeripheralManager stops advertising and the CBCentralManager stops scanning, causing timeout errors. This was not observed on previous iPhone models with the same iOS background mode configuration. Questions for Apple: Are there documented changes to CoreBluetooth behaviour on the N1 Bluetooth 6 chip that affect advertising-based (non-GATT) communication patterns? Has the scan response rate for scanForPeripherals(withServices: nil) been intentionally reduced on iPhone 17? Is CBCentralManagerOptionRestoreIdentifierKey now required for reliable background scanning on iPhone 17, or is this a known regression? Are there new advertising payload constraints (size, format, interval) that we should be aware of for the N1 chip? What we've tried: Added NSBluetoothAlwaysUsageDescription and NSBluetoothWhileInUseUsageDescription to Info.plist Confirmed Bluetooth permissions are granted Tested with identical BLE nodes that work on iPhone 15/16 Verified CBManagerState.poweredOn before all operations Any guidance or known workarounds would be greatly appreciated. Happy to provide sysdiagnose logs or a minimal reproducible sample project.

I have a Live Activity on iOS. Love it. However, that Live Activity via remote hosting (I'm not building for other targets) shows the Live Activity on watchOS, macOS and CarPlay. disfavoredLocations are for widgets, but I don't appear to have a method to limit or provide exclusive locations the live activity should appear.

macOS 26 "Tahoe" is allocating much more memory for apps than former macOS versions: A customer contacted me with my app's Thumbnail extension allocating so much memory that her 48 GB RAM Mac Mini ran into "out of application memory" state. I couldn't identify any memory leak in my extension's code nor reproduce the issue, but found the main app allocating as much as 5 times the memory compared to running on macOS 15 or lower. This productive app is explicitly using "Liquid Glass" views as well as implicitly e.g. for an inspector pane. So I created a sample app, just based on Xcode's template of a document-based app, and the issue is still showing (although less dramatically): This sample app allocates 22 MB according to Tahoe's Activity Monitor, while Sequoia only requires 16 MB: macOS 15.6.1 macOS 26.2 Is anyone experiencing similar issues? I suspect some massive leak in Tahoe's memory management, and just filed a corresponding feedback (FB21967167).

Hi, I’m working on a proof of concept for a CarPlay application where I need to display multiple Points of Interest, such as EV charging stations and fuel stations. The app will also allow users to book a selected Point of Interest (for example, an EV charging slot). I understand that the app can be registered under the Navigation (turn‑by‑turn) category, but I wanted to check whether it is also possible to register it under the Driving Task category. I also want to know if i can Register for multiple Categories for my car play application.

I am developing a mobile application using Flutter and plan to implement in-app subscriptions for both iOS platforms. I would like to request guidance on the following: Technical Implementation: Recommended best practices for implementing auto-renewable subscriptions in Flutter apps StoreKit 2 integration requirements and compatibility considerations Server-to-server notification setup and endpoint requirements Testing Procedures: Sandbox environment configuration and testing workflow TestFlight testing requirements for subscription features Recommended testing scenarios before production release Required Documentation and Accounts: Complete list of required agreements (Paid Applications Agreement, etc.) Banking and tax information requirements Privacy policy and terms of service specifications for subscription apps App Review guidelines specific to subscription-based apps Subscription Management: Grace period implementation requirements Handling subscription cancellations and refunds Promotional offers and introductory pricing setup Could you please provide documentation or direct me to the appropriate resources? Additionally, if there are any specific requirements for Flutter-based applications, I would appreciate that information. Application Details: Platform: iOS (Flutter framework) Subscription Type: Auto-renewable subscriptions

iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303 Problem I'm building an iOS app that uses mTLS (client certificates received from server at runtime). Storing SecCertificate to keychain fails with error -25303 in both development and TestFlight builds, preventing SecIdentity creation needed for URLSession authentication. Environment: iOS 18.2, iPad Pro, TestFlight internal testing, keychain-access-groups properly configured Diagnostic Results Testing keychain operations shows an interesting pattern: ✅ Generic Password - Works: let addQuery: [CFString: Any] = [ kSecClass: kSecClassGenericPassword, kSecAttrAccount: "test", kSecValueData: "password".data(using: .utf8)! ] SecItemAdd(addQuery as CFDictionary, nil) // Returns: 0 (success) ✅ SecKey - Works: let addKeyQuery: [CFString: Any] = [ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tag ] SecItemAdd(addKeyQuery as CFDictionary, nil) // Returns: 0 (success) ❌ SecCertificate - Fails: let addCertQuery: [CFString: Any] = [ kSecClass: kSecClassCertificate, kSecValueRef: certificate, // Created from server-provided PEM kSecAttrApplicationTag: tag ] SecItemAdd(addCertQuery as CFDictionary, nil) // Returns: -25303 Code Context Attempting to create SecIdentity for mTLS: private func createIdentity(fromCert certPEM: String, key keyPEM: String) throws -> SecIdentity { // 1. Parse PEM to DER and create SecCertificate - succeeds guard let certData = extractPEMData(from: certPEM, type: "CERTIFICATE"), let certificate = SecCertificateCreateWithData(nil, certData as CFData) else { throw CertificateError.invalidCertificate } // 2. Parse PEM key and create SecKey - succeeds guard let keyData = extractPEMData(from: keyPEM, type: "PRIVATE KEY"), let privateKey = SecKeyCreateWithData(keyData as CFData, attrs as CFDictionary, &error) else { throw CertificateError.invalidKey } // 3. Add key to keychain - SUCCEEDS (errSecSuccess) let tempTag = UUID().uuidString.data(using: .utf8)! SecItemAdd([ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ✅ Works // 4. Add certificate to keychain - FAILS (-25303) let status = SecItemAdd([ kSecClass: kSecClassCertificate, kSecValueRef: certificate, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ❌ Fails with -25303 guard status == errSecSuccess else { throw CertificateError.keychainError(status) } // 5. Would query for SecIdentity (never reached) // ... } Network Behavior When mTLS fails, console shows: Connection: asked for TLS Client Certificates Connection: received response for client certificates (-1 elements) Connection: providing TLS Client Identity (-1 elements) Task received response, status 403 The -1 elements indicates no certificates were provided. Entitlements <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.ellin.tshios</string> </array> Keychain Sharing capability is enabled. What I've Tried Both kSecValueRef and kSecValueData approaches - same error Various kSecAttrAccessible values - same error Different keychain access groups - same error TestFlight build (vs dev build) - same error PKCS#12 creation - requires complex ASN.1/DER encoding, no iOS API Questions Is error -25303 expected when adding SecCertificate in development/TestFlight builds? Will App Store distribution resolve this? Or is there a fundamental limitation? Why does SecKey succeed but SecCertificate fails with identical entitlements? Is there an alternative to create SecIdentity without keychain access? Constraints Certificates come from server at runtime (cannot bundle) Need SecIdentity for URLSession client certificate authentication Server provides PEM format certificates Tested on: Simulator (dev), iPad Pro (dev), iPad Pro (TestFlight) - all fail Any insights appreciated - specifically whether this is a provisioning profile limitation that App Store distribution would resolve.

We are experiencing a failure in CLMonitor event delivery when the application is launched into the background via an APNS (Remote Push Notification). Even when a CLBackgroundActivitySession is instantiated immediately upon background launch, CLCircularGeographicCondition "Enter" events are suppressed. The system fails to deliver these events until the user manually brings the application to the Foreground. This indicates that CLBackgroundActivitySession does not correctly maintain background persistence when the session begins in a background state rather than transitioning from the foreground. Comparison of API Behavior (Background State) Launch via APNS: CLMonitor: Fails to trigger "Enter" events until the app is manually brought to the foreground. Legacy API: Successfully triggers and delivers "Enter" events immediately upon background launch. Exit Event Reliability: CLMonitor: Reliably triggers exit events even in the background. Legacy API: Reliably triggers exit events. Foreground Dependency: CLMonitor: Requires a foreground transition to "flush" or activate the delivery of pending entry events. Legacy API: No foreground transition required; events are delivered directly to the background process. Event Recovery: CLMonitor: Relies on the developer re-instantiating the CLMonitor and awaiting the events stream, which appears to "stall" during warm-starts. Legacy API: Relies on the CLLocationManagerDelegate which remains active as long as the manager instance exists. Steps to Reproduce Preconditions: Location Permissions: Set to "Always Allow". Background Modes: "Location updates" and "Remote notifications" enabled. App State: Terminated or Killed (by the user or the OS). Reproduction Path: Trigger Background Launch: Send a silent push notification (APNS) to wake the app in the background. Initialize Session: Within the background launch sequence (e.g., didFinishLaunchingWithOptions), immediately create and hold a strong reference to a CLBackgroundActivitySession. Register Monitor: * Initialize CLMonitor using requestMonitorWithConfiguration. Add a geofence using addConditionForMonitoring with a CLCircularGeographicCondition. Simulate Entry: Move the physical device (or simulate location) into the geofence boundary while the app remains in the background state. Observe: No "Enter" event is received in the CLMonitor event stream. Foreground Transition: Bring the app to the foreground. Actual Result: The "Enter" event is only delivered the moment the app enters the Foreground. Expected Result: The CLBackgroundActivitySession should enable CLMonitor to deliver "Enter" events immediately in the background, parity with the deprecated startMonitoringForRegion API.

Hi, I tried to follow this guide: https://developer.apple.com/documentation/networkextension/filtering-traffic-by-url And this: https://github.com/apple/pir-service-example I already deploy the pir service on my server. And set the configuration on the app like this: { name = SimpleURLFilter identifier = xxxxx applicationName = SimpleURLFilter application = com.xxxx.SimpleURLFilter grade = 2 urlFilter = { Enabled = YES FailClosed = NO AppBundleIdentifier = com.mastersystem.SimpleURLFilter ControlProviderBundleIdentifier = com.xxxx.SimpleURLFilter.SimpleURLFilterExtension PrefilterFetchFrequency = 2700 pirServerURL = https://xxxxx/pir pirPrivacyPassIssuerURL = https://xxxxx/pir AuthenticationToken = AAAA pirPrivacyProxyFailOpen = NO pirSkipRegistration = NO } } But I got this error when I tried to enable the service on the app: Received filter status change: <FilterStatus: 'stopped' errorMessage: 'The operation couldn’t be completed. (NetworkExtension.NEURLFilterManager.Error error 9.)'> What does that error mean? And how to fix it?

I have noticed that there are no new kdk builds since mid December Is everything ok at apple I am aware of NXUs but the kernel version has changed much since then

I'm building a HomeKit app that discovers Thread devices and visualizes the mesh topology. I can detect device roles (Router vs End Device via characteristic 0x0703) and identify Border Routers (via _meshcop._udp), but I cannot determine which Router is the parent of a given End Device. Any Thread device can act as a Router (a Nanoleaf bulb, an Eve plug, not just HomePods), and End Devices attach to these Routers as children. That parent-child relationship is what I'm trying to map, but there's no RLOC16, neighbor table, or parent identifier exposed through any available API. I've tested every path I can find. Here's what I've tried on a network with 44 Thread devices and 6 Border Routers: What works (partially) HAP Thread Management Service (0x0701) gives me the device role from characteristic 0x0703, the OpenThread version from 0x0706, and node capabilities from 0x0702. That's the complete set of characteristics on that service. None of them contain RLOC16, parent Router, or neighbor data. This service also only exists on HAP-native Thread devices. My 20 Matter-over-Thread devices (Aqara, Eve Door, SmartWings, Onvis S4) don't have it at all. MeshCoP Bonjour (_meshcop._udp) identifies Border Routers and the network name/Extended PAN ID. No topology data about other mesh nodes. What doesn't work ThreadNetwork framework (THClient) - retrieveAllCredentials() returns error Code 3 because the app can't access credentials stored by Apple Home. Even if it worked, THCredentials only contains network config (name, PAN ID, channel), not topology. Direct CoAP queries - Border Routers don't route traffic from WiFi to Thread management ports. Mesh-local addresses aren't reachable. No Thread NWInterface in Network.framework. Network.framework - No visibility into the Thread mesh from the WiFi side. The only remaining path I can see (but it's not practical) Matter cluster 0x0035 (Thread Network Diagnostics) appears to have exactly what I need: RLOC16, NeighborTable with isChild boolean, RouteTable. I haven't implemented this because it requires commissioning each device individually onto my app's own Matter fabric via Multi-Admin. That's 21 separate user-initiated pairing actions on my network. I can't ask end users to do that. The core issue Every Thread Router (whether it's a HomePod acting as a Border Router or a Nanoleaf bulb acting as a mesh Router) knows its own children and neighbors. The Border Routers also maintain route tables covering the mesh backbone. This data exists on the user's own devices but none of it is exposed to third-party apps. Even something minimal would help. HMAccessory already exposes matterNodeID as a cross-protocol identifier. Exposing RLOC16 the same way would be enough, since parent-child relationships are encoded in the address itself (ParentRLOC = ChildRLOC & 0xFC00). Has anyone found another approach I'm missing? Thanks in advance for any pointers.

We are observing some unexpected behavior in our app when using ASK. Our app is able to successfully discover and set up an accessory via ASK. After the setup completes, the connection to the accessory is managed through CBCentralManager and works as expected. However, when we attempt to discover another accessory afterward, the picker is shown and indicates that accessory discovery is in progress. After approximately 10 seconds, the CBCentralManager delegate reports the Bluetooth state as poweredOff. Once this happens, the state never transitions back to poweredOn. At this point, the only way to reconnect to the device or continue discovery is to relaunch the app. We are wondering if anyone else has encountered similar behavior, or if this is a known or documented limitation/behavior when using ASK in combination with CBCentralManager.

Hi everyone, I have a question regarding the intended privacy limits of the DeviceActivityReportExtension. According to the documentation and the WWDC21 session "Meet the Screen Time API", this extension was created specifically to prevent the host application from accessing the user's underlying activity data (websites visited, app usage, screen time, etc). But I have found that my host app is actually able to reconstruct this raw activity data from the activity report. I am able to extract specific visited websites and app usage durations back into the main app. I reported this to Apple Security (Case ID: OE1100504480881 ), assuming it was a sandbox bypass. However, they closed the ticket stating that this is "expected behavior" and requires no fix. My question for Screen Time Engineers: Is the documentation incorrect? If my host app is expected to be able to read this data, is there a formal API we should be using instead of extracting it from the report extension? The current behavior contradicts the privacy limits described in the documentation, so I am confused if I should rely on this data access for my app features or if it will be patched later. Thanks.