Little Snitch For Development

  1. Little Snitch For Development 2
  2. Little Snitch For Development Online
  3. Little Snitch Alternative

This section is for app developers. If you are not a developer, you can safely skip it.

Create an Internet Access Policy for your app in just a few minutes

Sep 02, 2019 Little Snitch is an excellent tool which lets you analyze network connections on macOS and creates a firewall to protect your computer from unauthorized outbound connections. However, Little Snitch is quite expensive and not many users can afford it. Without a license key, Little Snitch runs in demo mode, which provides the same protection and functionality as the full version. The demo runs for three hours, and it can be restarted as often as you like. The Network Monitor expires after 30 days. Turn it into a full version by entering a license key.

The fastest way to create an Internet Access Policy (IAP) is to use our example as a template.

It covers normal connections as well as connections via system services. All you need to do is to edit and adjust these two files:

  • InternetAccessPolicy.plist to place in your Resources folder
  • InternetAccessPolicy.strings to place in your language project folder

These example files alone will probably be enough to create an IAP for your own app. Still, don't skip the short information below:

A few more things you should know

  • Code Signature: An IAP will only be displayed by Little Snitch and Internet Access Policy Viewer when it's part of a properly signed app bundle. Read more…
  • Required fields: Most fields are optional. Required fields are only ApplicationDescription and for every connection Host and Purpose, for every service Name and Purpose. Read more..
  • Be complete: You have to list all the connections your app initiates. Don't forget those of system services and embedded frameworks. Some of the frameworks have an IAP of their own. Read more…
  • Host: The Host field only accepts domains, subdomains, host names or IP addresses. You can't have an entry for a directory on your server. Read more…
  • Wildcards: You can use wildcards at any position of the domain or host name, so myserver*.com will work for, etc. Read more…
  • Keep it simple: Keep your explanations short and simple. Read more…

And here is an index of everything else you might find useful:

File format

Starting in Little Snitch 4.0.5, Little Snitch not only supports Internet Access Policies in Property List format (InternetAccessPolicy.plist), but also in JSON format (InternetAccessPolicy.json). They both have the same logical structure and you can use whichever one you prefer. All information on this page is valid for both formats, even if they only mention one.

You can convert from a Property List IAP to a JSON IAP using the following command:


… and back from a JSON IAP to a Property List IAP using this command:

Connections and Services

Your app establishes connections using various means like a low-level socket up to high-level APIs like NSURLSession. These kinds of connections can be documented in the Internet Access Policy using an entry in the Connections array, as shown above.

But what if you’re writing an app that shows a map using Apple’s MapKit framework? In that case, your app doesn’t establish any connection by itself, but instead a macOS daemon is responsible for loading the map data. In this situation, you can add an entry in the Services array that documents the fact that your app uses MapKit and Little Snitch can show this fact to the user.

The services in the IAP should include everything that establishes a network connection on your behalf of your app that you do not ship with the app. This does not include XPC Services or frameworks that ship as part of your app (see the section about nested IAPs for that). Examples of services used by your app are:

  • A service provided by macOS using a specific system framework like MapKit, CloudKit, GameKit, Core Location, …
  • A service provided by macOS using a specific API like background downloads via NSURLSession.
  • If your app syncs files using a service like iCloud Drive, Dropbox, Box, Microsoft OneDrive, Google Drive, …

See Service identifiers below for a discussion of how specify what services your app uses.


The Internet Access Policy contains texts shown to the user. If your application is available in multiple languages, you also want those texts to be available in these languages. There are two ways to localize an Internet Access Policy:

An Internet Access Policy localized with strings files

Instead of human readable texts for the keys ApplicationDescription, Purpose and DenyConsequences, enter unique keys. Translate these keys to human readable text in localized InternetAccessPolicy.strings files:

An Internet Access Policy for a single executable application

IAPs for executables without a bundle directory have to be integrated in the Info.plist file. Read more…

Specification of keys

DeveloperNameString, optionalThe human readable name of your company. Presented to the user as the source of the information.
ApplicationDescriptionString, requiredA general description of the app.
WebsiteString, optionalA URL pointing to the website of the app, including the URL scheme, e.g. “”.
ConnectionsArray, optionalAn array of connection description dictionaries with the keys defined below
IsIncomingBoolean, optionalWhether incoming (YES) or outgoing (NO) connections are matched. If omitted, matches outgoing connections.
HostString, requiredA comma-separated list of host or domain names, IP address ranges or a placeholder like local-net. See Which connection descriptions are shown for details.
NetworkProtocolString, optionalCan be one of TCP, UDP or ICMP. If omitted, matches any protocol.
PortString, optionalA comma-separated list of port ranges, e.g. 20-30, 80, 443. Defaults to 0-65535.
RelevanceString, optionalIndicates how important the connection is for the proper functioning of the application. Values can be Essential or Default. Defaults to Default. Use Essential only if your app is useless without this connection. You can still describe DenyConsequences if you choose default relevance.
PurposeString, requiredDescribes the purpose of the connection. This text is shown to the user as-is, so use easy to understand sentences. Markdown-style links are supported.
DenyConsequencesString, optionalDescribes the consequences of denying the connection. Markdown-style links are supported.
ServicesArray, optionalAn array of service description dictionaries with the keys defined below.
IdentifierString, optionalA unique identifier for the service. See Service identifiers below.
NameString, requiredA short, human-readable name for the service, e.g. “MapKit”.
PurposeString, requiredDescribes the purpose of the service in context of the application. This text is shown to the user as-is, so use easy to understand sentences. Markdown-style links are supported.
LocalizationsDictionary, optionalFor apps with embedded Info.plist, localization strings are placed here. See section Single executable applications above.

Service identifiers

By specifying an Identifier for a service as opposed to only the Name and Purpose, Little Snitch can understand what service you mean and give that entry special treatment. This is not implemented as of Little Snitch 4.4, but it is recommended that you add identifiers wherever possible so future versions of Little Snitch can – for example – add an appropriate icon for the service in the user interface when showing your app’s IAP.

In general, if a service is clearly implemented by a specific app or framework, use its bundle identifier (or code signing identifier). For example:

  • The MapKit framework provided by macOS is implemented by /System/Library/Frameworks/MapKit.framework. The bundle identifier in this framework’s Info.plist is
  • Core Location: (/System/Library/Frameworks/CoreLocation.framework)
  • GameKit: (/System/Library/Frameworks/GameKit.framework)
  • Push Notifications: (/System/Library/PrivateFrameworks/ApplePushService.framework)
  • StoreKit: (/System/Library/Frameworks/StoreKit.framework)
  • Dropbox is a service provided by the Dropbox app, which uses the bundle identifier com.getdropbox.dropbox.

If it is not as clear cut as in the examples above, please follow these guidelines:

  • Use reverse-DNS style, using the domain of the company that provides the service.
  • Use a commonly used name for the service.
  • Capitalization doesn’t matter.

Here are a few examples that follow these rules:

  • CloudKit:
  • iCloudDrive:
  • Background downloads via NSURLSession: (no separate framework, use common name)

Presentation in Little Snitch

Little Snitch parses the data you provide and presents it in an appropriate format.

In places where users actively look for information on connections, Little Snitch shows everything that is relevant. That is, the ApplicationDescription followed by the Purpose and DenyConsequences for all relevant connection descriptions (see below for an explanation of Which connection descriptions are shown).

When users are about to deny a connection only the short DenyConsequences are shown. This provides a means of last resort to inform your users that they are about to adversely affect your app’s functionality.

Note that if the Detail Level preference is set to “Omit port and protocol” in Little Snitch Configuration, port and protocol information may be omitted from the IAP text unless it causes ambiguities (e.g. because that would overlap with another connection your IAP describes).

The following sections explain how the information from the Internet Access Policy is used in different parts of Little Snitch’s user interface.

Connection alert

If Little Snitch is running in alert mode and no rule matches the connection your app tries to establish, users are presented with a connection alert. Expanding the Research Assistant shows all of the information relevant to this specific connection.

Clicking the “Deny…” button shows only the DenyConsequences. Note that what is shown here depends on the options the user has selected in the connection alert. For example, if they are about to deny “Any Connection”, more DenyConsequences may be shown than if they only deny connections to the specific domain.

Network Monitor

In the inspector of the Network Monitor, Little Snitch shows information about the connections selected in the connection list. Expanding the Research Assistant shows all of the relevant information.

Clicking the “X” button in a connection line to create a deny rule shows only the DenyConsequences. Note that what is shown here depends on what line the user clicked on. For example, if they clicked on the line next to an app’s name to deny any connection, more DenyConsequences may be shown than if they only deny connections of that app to a specific domain.


Little Snitch For Development 2

The Research Assistant in Little Snitch Configuration is located at the bottom of the right-hand info sidebar and shows information about the selected rules.

Little Snitch Configuration also shows the DenyConsequences in various places when the user is about to create a rule that denies connections, e.g. using the rule editor or when creating rules from suggestions.

Which connection descriptions are shown

This section describes the behavior in Little Snitch 4.0.6 and later. Earlier versions are less precise and may also show descriptions that are less relevant.

Hosts and domains

The Host field of a connection description is a comma-separated list of host names, domain names, or other values as described below. The basic format and meaning is as follows:

  • Specific host: Matches only that host, e.g.
  • Domain: Matches that domain and any host in the domain, e.g. Host:*

Starting in Little Snitch 4.4.3, the following values are also supported:

  • IP addresses: Matches specific IPv4 or IPv6 addresses. These can be specified as a single address (e.g., a comma-separated list of addresses, a range of addresses (e.g., or CIDR notation10.0.0.1/24).
  • Local network: Use the special value local-net to match any IPv4 or IPv6 address that is considered to be in the local network (like,,, or fd00::/8).
  • Berkeley Packet Filter: Use the special value bpf to match any access to Berkeley Packet Filter devices (/dev/bpf*).

It is possible to create connection descriptions with overlapping Host values. For example, you could have a description for (one specific host) and another, more general one for Host:* (the whole domain). Because the specific host is in the domain, both descriptions match when looking up information for

Also, multple descriptions can match because Little Snitch shows IAP information relevant to what the user has currently selected in the connection alert or other places. For example, you could have descriptions for and that do not overlap, but when the user creates a rule for the domain, both descriptions are relevant.

In these situations, Little Snitch uses a set of criteria to determine which descriptions to show. These are designed to keep the information shown to the user as concise as possible to avoid information overload, while giving you as the developer precise control over what should be shown for a particular connection. In short, if there’s an exact match with one of the descriptions, only that description is shown. Otherwise, all relevant descriptions are shown.

Example 1

As an example, assume there are two connection descriptions (the Purpose fields are overly terse for illustration purposes):

  • Connection Description 1:
    • Purpose: The app checks for software updates.
  • Connection Description 2:
    • Host:*
    • Purpose: The app checks for software updates and loads the latest news.

What Little Snitch shows depends on what the user selects:

  • If the user selects connections to the, only Connection Description 1 will be shown (because it’s an exact match).
  • If the user selects connections to the, both Connection Description 1 and Connection Description 2 will be shown (because is in that domain).
  • If the user selects any connection, both Connection Description 1 and Connection Description 2 will be shown.

While all these are technically correct, it may not be very useful to show both descriptions in the latter two cases because their Purpose texts overlap in what they say. There’s no value in telling the user twice that the app checks for software updates.

Exact matches for domains and “any connection”

To handle these cases better, there is a way to specify a Host description that is an exact match for domains and “any connection”:

  • Exact Domain: Matches that domain exactly, e.g. Host:=*
  • Exactly Any Connection: Matches when the user selects “Any Connection”: Host:=*

These descriptions match only when the user selects exactly the respective connection.

Example 2

To improve over Example 1 above, we can use the following three IAP connection descriptions:

  • Connection Description 1:
    • Purpose: The app checks for software updates.
  • Connection Description 2:
    • Host:=*
    • Purpose: The app checks for software updates and loads the latest news.
  • Connection Description 3:
    • Host:=*
    • Purpose: The app checks for software updates and loads the latest news. Also, it connects to the third-party servers you enter.

Again, what Little Snitch shows depends on what the user selects:

  • If the user selects connections to the only Connection Description 1 will be shown (because it’s an exact match).
  • If the user selects connections to the only Connection Description 2 will be shown (because it’s an exact match).
  • If the user selects any connection, only Connection Description 3 will be shown (because it’s an exact match).

To summarize: If a description’s Host is an exact match, only that single connection description’s Purpose and DenyConsequences will be shown. Otherwise, multiple matching descriptions may be shown.

It isn't perfect and it allows you 'holes' and 'bugs' in your program.Thats why its good for beginners. Code::BlocksGreat for compiling WinAPI, Qt, GTK+, WXWidgets, Ogre, D, C console, C console and other projects. Dev-CThis IDE, written in Delphi is the right place for beginners. Sample coding for dev c. I found some bugs, and sometimes there are problems to compile.It's one of the best FREE IDE's.Information and download3.

Matching everything else

There’s one more case that the examples above do not handle: What should be shown if your app connects to arbitrary servers that you don’t know about in advance? For example, if you develop a web browser or file transfer app, it will connect to whatever servers the user enters and you couldn’t possibly know them when writing your app’s IAP. To show a connection description for these connections anyway, you can provide a fallback connection description:

  • Fallback Wildcard: Matches everything, but only if no other descriptions match: Host:*

Example 3

If you add the following description to Example 2 above…

  • Connection Description 4:
    • Host:*
    • Purpose: The app connects to the third-party servers you enter.

… it will be shown whenever a connection is established to a server that is not covered by another connection description, e.g. Without this description, no information from your app’s IAP would be shown for that connection.


Information from only one single connection description is shown in the following cases:

  • If the user selects connections to a specific host and that host matches the connection description’s Specific Host. Example:
  • If the user selects connections to a domain and that domain matches the connection description’s Exact Domain. Example: Host:=*
  • If the user selects “any connection” and there is a connection description for Exactly Any Connection, i.e. Host:=*

Otherwise, if one or more Domain connection descriptions match, information from all of them are shown, ordered by their relevance. Example: Host:*

Otherwise, if a connection description with the Fallback Wildcard exists, its information is shown, i.e. Host:*

Otherwise, no connection descriptions match and no connection-specific IAP information is shown.

Nested IAPs in XPC services, embedded frameworks, and other bundles

This section describes the behavior of Little Snitch 4.4 and later. The behavior of earlier versions of Little Snitch is described below

If an app contains an Internet Access Policy, Little Snitch will also search any XPC Services for an IAP. That means that if your app uses an XPC service, you can add an IAP to the .xpc bundle’s Resources folder and it will be merged with the app’s IAP automatically. This allows you to bundle the documentation with the executable that it actually describes.

For example:


    Describes the connections established by the app itself.

    Book your next auto repair or oil change service in Vancouver and across BC with the friendly, professional team at Minit-Tune & Brake Auto Centres. Book your next auto repair or oil change service in Vancouver and across BC with the friendly, professional team at Minit-Tune & Brake Auto Centres. All makes and models are welcome at Minit-Tune & Brake Auto Centres. We offer affordable solutions to your most challenging repair problems. From repairs to steering, transmission, automobile batteries, shocks, electrical systems and more, trust Minit-Tune & Brake Auto Centres to. Get directions, reviews and information for Minit-Tune & Brake Auto Centres in North Vancouver, BC. Minit-Tune & Brake Auto Centres 1353 Main St North Vancouver BC V7J1C5. Reviews (604) 985-6550 Website. Menu & Reservations Make Reservations. Minit-Tune & Brake has 16 locations across BC and offers you discount coupons for oil changes, front and rear brakes as well as labour on Walker mufflers. Redeem our coupons for auto repair discounts in Vancouver, Kelowna, Coquitlam and surrounding areas in British Columbia. Minit-Tune Brake & Auto Centres’ professional mechanics are the experts to depend on for auto electrical repairs from Vancouver, BC to Monterey, Alberta.Our 18 locations across BC and Alberta make it easy for you to get the accurate and efficient electrical system repairs you need, ranging from battery testing, repairs and replacement, to repairs to your power windows and signal lights. Minit tune & brake auto centres vancouver bc.


    Describes the connections established by the XPC service on behalf of the app.

The same is true for embedded frameworks, plug-ins, app extensions, and other kinds of loadable bundles that are located in one of the following directories inside the app bundle:

  • Frameworks/
  • SharedFrameworks/
  • PlugIns/
  • XPCServices/

These directories are searched recursively. For example, if an XPC service has an IAP, the XPC service’s embedded bundles are searched, too, and so on.

You can use the placeholder %APPNAME% in localized strings of a nested IAP to refer to the enclosing app’s name. It will be substituted with the app name before being shown to the user.

Note that the value for the key ApplicationDescription is required for nested IAPs, too, but Little Snitch currently does not show it to the user.

Single executable applications

This feature is available starting in Little Snitch 4.3.3

Internet Access Policy as part of Info.plist

Single executable apps don’t have a bundle directory where an Internet Access Policy file can be deposited. However, they can have an Info.plist file embedded in the executable file. Since the Internet Access Policy is basically a property list, it can be be added to the embedded Info.plist. Just create an Internet Access Policy as as described above, but instead of storing it in a separate file, add it to Info.plist under the top level key InternetAccessPolicy.

Localization without .lproj bundles

Having no bundle directory also affects localization. We support only one localization method for embedded Info.plist files, and that is analogous to the strings-file method explained above. Localizations are added at the key path InternetAccessPolicy.Localizations.<language> where <language> is the language name used for.lproj directories (e.g. en for English).


RootDictionary(14 items)
InternetAccessPolicyDictionary(3 items)
ConnectionsArray(2 items)
ServicesArray(2 items)
LocalizationsDictionary(2 items)
enDictionary(2 items)
StringsKey1StringEditHelper is part of myCompany’s text editing suite. It provides dictionary and spell checking services to other components.
StringsKey2StringEditHelper updates its dictionary from this server.

How to embed an Info.plist in an executable

The Info.plist file is included in a mach object section in the __TEXT segment named __info_list. It can be added using the -sectcreate __TEXT __info_plist linker option. Fortunately, you don’t need to do this manually. Xcode can do it for you.

Open Xcode, select the target for your executable and go to the Build Settings. Search for Info.plist. There are two settings which are relevant for us:

  • Info.plist File: Enter the path to your Info.plist file here.
  • Create Info.plist Section in Binary: Set this to Yes.

(Legacy) Support for XPC services before Little Snitch 4.4

This section describes the legacy behavior of Little Snitch 4.0.5 up to, but excluding, Little Snitch 4.4

Using XPC services allows you to separate your app’s functionality into multiple processes for stability and privilege separation reasons.

Little Snitch treats connections established by an XPC service on behalf of an app as if the connection were established by the app itself. In fact, in most places Little Snitch doesn’t even prominently show to the user that an XPC service is in use. Also, rules are automatically created for just the app itself, instead of via-rules for “App via XPCService” (see Anatomy of a rule, paragraph process for more information about via rules).

Apps that bundle XPC services

If you are developing an app that bundles XPC services, there’s nothing special you have to do in regard to the Internet Access Policy.

Little Snitch For Development Online

Third-party XPC services

If you are developing an XPC service that other developers incorporate into their apps (e.g. as part of a third-party framework), you can provide an Internet Access Policy that describes only the connections of the XPC service. In this case, the files go into the XPC service bundle’s Resources directory.

If the developers who bundle your XPC service in their apps do not include an Internet Access Policy of their own, at least the connections established by your XPC service will be described.

But if the developers who bundle your XPC service in their apps do include their own Internet Access Policy in their app bundle, only that information will be used – the XPC service’s IAP will be ignored. This allows the developers who actually ship an app to have the last say over what information the Internet Access Policy shows to the user.

Because Little Snitch rules usually do not contain information about XPC services, Little Snitch Configuration cannot show an IAP that is contained inside an XPC service. This information will only be shown in the connection alert and Network Monitor where more information about the connecting processes is available.

Writing guidelines

  • Little Snitch can be used in demo mode without buying a license, so you can easily test how your text is presented.
  • When you write texts, keep the context in mind where the text is displayed. Keep the text short and concise.
  • Be honest in your description. At least some of your users have the technical skills to sniff encrypted connections and analyze the data. If you lied, your reputation would likely be affected.
  • Make specific descriptions for connections with different purposes. Do not list all purposes in a single catch-all description.
  • DenyConsequences should always begin with “If you deny these connections” (or the respective phrase in another language). Note: Earlier versions of this document recommended the use of singular wording (“this connection”), but it turned out that it works better in user interfaces in plural wording.
  • Avoid long and technical explanations of concepts that are not directly related to what you try to explain. For example, do not explain what a certificate authority is. Instead, add links to Wikipedia or another appropriate source of information in Markdown style, e.g. [digital certificates](


If you bundled an Internet Access Policy with your app, but it does not seem to be used by Little Snitch, here are a few hints that can help you track down the problem.

  • Your app must have a valid code signature, otherwise Little Snitch won't read the InternetAccessPolicy.plist file and instead logs a message to the system log (see and filter for Little Snitch). While you are writing and testing the Internet Access Policy for your app, it is easiest to run it from Xcode using a scheme that has proper code signing set up.

    Little Snitch verifies the code signature of the following files:

    • The app bundle’s executable.
    • The InternetAccessPolicy.plist file used.
    • The InternetAccessPolicy.strings localization file, if used.
  • If your app uses a helper process for which an IAP should be shown, the IAP files must reside in the app’s Resources as usual. Little Snitch will show these connections as via-connections (e.g. “App via helper”) and look in the parent app’s bundle for IAP information.

  • If Little Snitch shows a generic “Information from application developer” instead of your company’s name as the source of the information, make sure you add the DeveloperName key at the top level of the InternetAccessPolicy.plist. This is the preferred way to specify the source for the IAP. If you do not specify this value, Little Snitch reads your company’s name from the certificate that was used to sign the app. This works only for Developer ID and Development certificates, though. If your app is downloaded from the Mac App Store, you must specify the DeveloperName.

Was this help page useful? Send feedback.
© 2016-2020 by Objective Development Software GmbH

Little Snitch
Developer(s)Objective Development Software GmbH
Stable release4.5 (March 30, 2020; 19 days ago[1]) [±]
Written inObjective-C
Operating systemmacOS
Available inGerman, English, Chinese, Japanese, Russian

Little Snitch is a host-based application firewall for macOS. It can be used to monitor applications, preventing or permitting them to connect to attached networks through advanced rules. It is produced and maintained by the Austrian firm Objective Development Software GmbH.

Unlike a stateful firewall, which is designed primarily to protect a system from external attacks by restricting inbound traffic, Little Snitch is designed to protect privacy by limiting outbound traffic.[2] Little Snitch controls network traffic by registering kernel extensions through the standard application programming interface (API) provided by Apple.[3]

If an application or process attempts to establish a network connection, Little Snitch prevents the connection. A dialog is presented to the user which allows one to deny or permit the connection on a one-time or permanent basis. The dialog allows one to restrict the parameters of the connection, restricting it to a specific port, protocol or domain. Little Snitch's integral network monitor allows one to see ongoing traffic in real time with domain names and traffic direction displayed.

Little Snitch Alternative

The application (version 4) received a positive 4.5/5 review from Macworld.[4]


  1. ^'Release Notes – Little Snitch'. Retrieved March 31, 2020.
  2. ^'Little Snitch 4'. Retrieved July 20, 2019.
  3. ^Little Snitch 3 - Documentation. Objective Development Software GmbH. 2013.
  4. ^Fleishman, Glenn (September 8, 2017). 'Little Snitch 4 review: Mac app excels at monitoring and controlling network activity'. Macworld. Retrieved July 20, 2019.

External links[edit]

  • Official website

Retrieved from ''