The Network Extension framework is how an iOS app reaches into the network stack: building a VPN, a content filter, or a DNS proxy that can see and route the device's traffic. Like the equivalent capability on Android, it is powerful and high-trust: an app holding a packet tunnel can observe and direct what the device sends, so Apple gates it behind a special entitlement, user-approved configuration, and a visible indicator. There are two sides worth understanding: the responsibility you take on if your app uses it, and the reason that, regardless, your sensitive traffic should never trust the network. Here is what Network Extension can do and how to handle it securely.
Short answer
The iOS Network Extension framework lets apps create VPNs, content filters, DNS proxies, and similar network components that can route or inspect device traffic. Per Apple, using it requires the Network Extension entitlement, which Apple gates, plus user-approved configuration and a visible system indicator for VPNs. The risks are two-sided: an app with this capability holds users' traffic, so it is a serious responsibility under App Store review, and a misused or malicious one could inspect or redirect traffic. To protect your own sensitive traffic from any such component on the device, rely on TLS and, for high-value connections, certificate pinning, so traffic passing through a VPN, filter, or proxy cannot be read or altered. Treat the network as untrusted regardless of what runs on the device.
What you should know
- Network Extension builds VPNs, filters, and DNS proxies: components that handle traffic.
- Access is gated: it requires an Apple-granted entitlement, plus user-approved configuration and a visible indicator.
- A traffic-handling component holds high trust: it can inspect or route traffic.
- Using it is a serious responsibility: scrutinized in App Store review.
- Protect your traffic with TLS and pinning: do not trust the network path.
What can Network Extension do?
It provides several types of network component, each touching traffic. The table below summarizes them.
| Component | What it does |
|---|---|
| Packet tunnel (VPN) | Routes device traffic through the app, like a VPN |
| Content filter | Inspects and can filter network traffic |
| DNS proxy | Handles the device's DNS queries |
| Personal VPN configuration | Manages a VPN profile the user approves |
| Entitlement gating | Apple-granted capability, with review |
The Network Extension framework exposes provider types that sit at different points in the network path. A packet tunnel provider routes the device's traffic through the app, the iOS way to build a VPN, so the app can see and direct that traffic. A content filter provider can inspect and filter traffic, and a DNS proxy provider handles the device's DNS queries, each a privileged position over what the device communicates. Managing a VPN configuration requires the user to approve it, and iOS shows a VPN indicator while one is active. All of these require the Network Extension entitlement, which Apple grants as a capability, with some provider types subject to additional approval, so the framework is gated rather than freely available. The common thread is that each component occupies a trusted spot in the traffic path, which is exactly why access is controlled.
What are the risks and the responsibility?
The capability is high-trust, so two things matter: using it responsibly if you hold it, and not trusting the network path yourself either way. If your app uses Network Extension, you take on real responsibility: a VPN, content filter, or DNS proxy can observe and direct users' traffic or DNS, among the most sensitive positions an app can hold, so you must handle that traffic with care, use the capability only for its disclosed purpose, never log or exfiltrate users' traffic beyond what the feature requires, and expect App Store review scrutiny appropriate to the capability. Apple's gating of the entitlement and the user-facing VPN indicator are part of keeping this visible and accountable, but the duty is yours. The separate, universal concern is that your app's sensitive traffic may pass through a VPN, content filter, or DNS proxy you do not control, whether a legitimate tool the user installed or something malicious, so you cannot assume the network path is clean. Both sides point the same way: the position is powerful, so use it sparingly and honestly, and protect your own data with encryption rather than trust.
How do you handle it, on both sides?
Use the entitlement responsibly, and protect your traffic regardless of the network. If your app legitimately needs Network Extension, request the gated entitlement for the specific provider type you need, use it only for the disclosed purpose, and treat the traffic, packets or DNS queries, as a serious responsibility: do not log or transmit it beyond what the feature requires, apply least privilege to what you do with it, and be ready for the heightened review that comes with the capability. On the other side, which applies to every app, do not trust the network: use TLS for all communication so traffic is encrypted end to end, and for high-value connections use certificate pinning, so even a VPN, content filter, or DNS proxy on the device can only see encrypted bytes and cannot read or man-in-the-middle your sensitive traffic. Validate data server-side as always. The principle mirrors the Android side: a traffic-handling capability is high-trust and to be used sparingly and honestly, and since you cannot assume the network path is clean, the protection for your own sensitive data is strong transport encryption and pinning, not trust in what runs on the device.
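The pinning step described above, as an added example that is not code from the original article: a `URLSessionDelegate` that runs normal chain validation and then requires one certificate in the chain to carry a pinned public key, so a VPN, filter, or proxy on the device presenting its own certificate is rejected. The pin values and the class name are placeholders; it assumes iOS 15 or later for `SecTrustCopyCertificateChain`.

```swift
import Foundation
import CryptoKit
import Security

/// Added example, not code from the original article: a URLSession delegate that pins
/// the SHA-256 of the server's public key, so a VPN, content filter, or DNS proxy on the
/// device that presents its own certificate cannot pass as the real server.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 of the raw public key bytes (as SecKeyCopyExternalRepresentation
    /// returns them). These are constructed placeholders: compute your own pins the same
    /// way, and always ship a backup key so rotation does not lock clients out.
    private let pinnedKeyHashes: Set<String> = [
        "PLACEHOLDER_PRIMARY_KEY_SHA256_BASE64=",
        "PLACEHOLDER_BACKUP_KEY_SHA256_BASE64=",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Standard chain validation first: expiry, hostname, and a trusted root.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Then the pin: at least one certificate in the validated chain must carry a pinned key.
        // Assumes iOS 15+ for SecTrustCopyCertificateChain.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let pinMatched = chain.contains { cert in
            guard let key = SecCertificateCopyKey(cert),
                  let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return false }
            let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()
            return pinnedKeyHashes.contains(digest)
        }
        if pinMatched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an unpinned chain means we do not talk to this server at all.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Attach it with `URLSession(configuration: .default, delegate: PinnedSessionDelegate(), delegateQueue: nil)` for the sessions that carry high-value traffic.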
What to watch out for
The first trap, if your app uses Network Extension, is mishandling users' traffic or DNS, or using the capability beyond its disclosed purpose, which is both a breach of trust and a review risk; use it narrowly and never misuse the traffic. The second is assuming your traffic is safe on the device when a VPN, filter, or DNS proxy could be handling it; rely on TLS and pinning for sensitive connections. The third is overlooking that the entitlement is gated and reviewed, so plan for that. A pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled IPA against OWASP MASVS, surfaces your entitlements and whether your app uses secure transport, helping confirm sensitive traffic is encrypted regardless of the network path.
What to take away
- The iOS Network Extension framework builds VPNs, content filters, and DNS proxies that can route or inspect device traffic, gated by an Apple-granted entitlement, user-approved configuration, and a VPN indicator.
- A traffic-handling component holds high trust, so using Network Extension is a serious responsibility scrutinized in App Store review, and misuse is a real risk.
- If you use it, handle traffic narrowly and honestly; regardless, protect your own sensitive traffic with TLS and certificate pinning, since it may pass through a component you do not control.
- Use a pre-submission scan such as PTKD.com to surface your entitlements and confirm your app uses secure transport for sensitive traffic.