Apple Push Notification Service

Introduced in iPhoneOS 3, Apple Push Notification Service ("APNs", also known as "Apple Push Service Protocol") allows devices to receive and display push notifications from an app, even when the app is not running. APNs allows the device to subscribe to "topics", and only notifications matching the subscribed topics will be delivered. In addition to receiving, the protocol can also be used to send messages to other devices. This mechanism is not only used by push notifications, but also by other real-time interactions such as iMessage and HomeKit.

APNs communicates over TLS on TCP port 5223 (although it can fall back to port 443). It connects to a subdomain of, either dynamically determined or static, depending on the platform.

A device identifies itself to APNs by proving that it controls a certificate obtained from Albert. Initially, this was done using TCP client certificates, but this allowed fingerprinting. In response, Apple introduced an upgraded protocol called, which must be negotiated over ALPN.

The binary protocol used in APNs has evolved over time. The initial versions used a proprietary binary protocol in a simple type-length-value encoding. Each message was preceded by a "command". The initial version used until iOS 4 used commands  to. In iOS 5, the protocol was upgraded to use the new commands  and above. Some commands have been added in iOS versions since then.

In iOS 10, Apple introduced, which is a packed version of the existing protocol designed to be byte-efficient. However, it is not necessary to use this encoding, as several offical platforms still use the old protocol. The new protocol is also negotiated over ALPN, and it is possible to manipulate the response such that modern versions of iOS will fall back to the old protocol.

Nicolas has created a Wireshark dissector for APNs, if you are able to extract the TLS keys from the daemon.