Post · Replies · Boosts · Views · Activity

Developing system extensions offline
Working at a security company, we develop our tools in an offline environment. Can you develop an app with a system extension (network extension and Endpoint Security extension) on a device that has no internet? The device I need to develop my product on is offline; it has macOS Catalina 15.2 with Xcode 11.3. It has never been connected to the internet and, as such, there are no accounts registered with Xcode.

Best Regards,
Rob
Replies: 3 · Boosts: 0 · Views: 1.2k · Activity: Jan ’20
EndpointSecurity Code Signature invalid
I'm developing an EndpointSecurity application for 10.15 and trying to use the EndpointSecurity system extension framework. I've discovered that when I add the boolean entitlement `com.apple.developer.endpoint-security.client`, the application crashes with a "Code Signature Invalid" error on launch (whether the boolean is YES or NO). My dev machine has SIP disabled, on OSX 10.15, Xcode 11.3. I used automatic signing from Xcode, with the system extension capability added. I've seen other people having this issue with no solution posted: https://forums.developer.apple.com/thread/124034

Example error below:

```
Time Awake Since Boot: 62 seconds
System Integrity Protection: disabled

Crashed Thread: Unknown

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

Backtrace not available

Unknown thread crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000000
  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000000000000000  rsp: 0x00007ffeee42abb0
   r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000000
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
  rip: 0x0000000103714000  rfl: 0x0000000000000200  cr2: 0x0000000000000000

Logical CPU:     0
Error Code:      0x00000000
Trap Number:     0

Binary images description not available

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 272
    thread_create: 0
    thread_set_state
```
Replies: 3 · Boosts: 0 · Views: 1.9k · Activity: Jan ’20
Network Extension always reports localport of 0
As the new system extension framework is new and quite complicated, I'm not sure if this is a BUG or an issue with its use. Both in my custom system extension AND in the example network extension created by Apple, the SimpleFirewall example, the local port of a new flow is always 0. In the SimpleFirewall example this would be `socketFlow.localEndpoint.port`; if you log this out, I always get 0. Note the remote address and remote port seem correct.

What's going on here?
Replies: 5 · Boosts: 0 · Views: 958 · Activity: Feb ’20
ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED despite a valid entitlement
I have a built launchDaemon and want to apply the Endpoint Security extension entitlements I downloaded from my Apple dev account. So far I've tried:

1) Download the provisioning profile from the dev console.
2) Extract the entitlements into a `.entitlements` file, via `security cms -D -i securitytool.provisionprofile > securitytool.entitlements`
3) Apply those entitlements with `codesign --entitlements securitytool.entitlements -f -s "[APPLICATION_ID]" [BINARY]`

Result: `es_new_client()` is getting back `ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED`.

This is despite displaying valid entitlements when using `codesign -d --entitlements - [BINARY]`; everything seems fine.

Please could you tell me step by step how to add valid entitlements to a built launch daemon? (I build offline on a different machine.)
Replies: 6 · Boosts: 0 · Views: 1.2k · Activity: Feb ’20
Network system extension : invalid signature or entitlements
This forum has been very helpful so far. Let's do this again.

Okay, I have a Network system extension that successfully builds and runs on my offline dev machine with SIP disabled and a test provisioning profile for whitelisted devices. NOTE this is a network system extension with a companion app (not an Endpoint Security extension, which I've posted about previously).

So the next step is to get a distribution provisioning profile for the system extension so I can deploy to my beta testers that have SIP enabled. I generate these "Distribution Developer ID" provisioning profiles (provisioned for any device) for both the companion app and its embedded system extension. I transfer these over to my development machine, apply the provisioning profiles, build the app and test it to find that it works on this dev machine.

I then transfer the built components over to a machine with SIP enabled and run the app. I get the error Code Signature Invalid!

I've read through https://developer.apple.com/library/archive/technotes/tn2318/_index.html

However, when I check the signature of the app and the embedded extension with `codesign -d --entitlements - [PATH]` (to app and extension) everything looks fine. Furthermore, checking the provisioning profile of both with `security cms -D -i [PROFILE_PATH]`, everything seems fine.

What is going on? Why is this so ridiculously opaque and complicated?
Replies: 19 · Boosts: 0 · Views: 6.4k · Activity: Feb ’20
codesign failure in xcodebuild
I have a project that includes an Endpoint Security system extension as a launch daemon and a network extension in another linked app. Previously I have built the project in release mode via xcodebuild. This worked fine during testing, where my provisioning profile was a testing one not provisioned for all devices.

Now I have switched the provisioning profile for a distribution ID profile that is provisioned for all devices. Building through Xcode itself successfully builds in debug and release. However, building through `xcodebuild` fails at the `codesign` task.

What could be going on? Note my dev machine is offline.

Best Regards
Replies: 5 · Boosts: 0 · Views: 3.2k · Activity: Mar ’20
Network system extension reporting 0.0.0.0 for failed connections
I have a network system extension that is a `FilterDataProvider`. It works well for successful connections to and from the host machine. Example from printing the local and remote NWHostEndpoint objects from the `handleNewFlow` function:

```
New flow observed : 192.168.56.1:64911->192.168.56.105:9000 (Outbound)[TCP]
```

However, when I make a failed TCP connection from my host, a new flow is not created because the connection failed. In this case I see that the function `handleInboundDataComplete` gets called. The local address is always `0.0.0.0:0` for an outbound connection, example:

```
0.0.0.0:0 -> 192.168.56.105:9000
```

Now a `tcpdump` on the remote machine shows that the connection was attempted:

```
12:09:16.929211 IP 192.168.56.105.9000 > 192.168.56.1.64910: Flags [R.], seq 0, ack 885948719, win 0, length 0
12:09:17.931356 IP 192.168.56.1.64910 > 192.168.56.105.9000: Flags [S], seq 885948718, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 783305121 ecr 0,sackOK,eol], length 0
12:09:17.931682 IP 192.168.56.105.9000 > 192.168.56.1.64910: Flags [R.], seq 0, ack 1, win 0, length 0
12:09:21.937581 ARP, Request who-has 192.168.56.1 tell 192.168.56.105, length 28
12:09:21.937760 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00 (oui Unknown), length 46
```

Question 1) Is there any way of getting local address and port information from an outbound failed connection?

I also can't find how to get any notification in this framework in the case of a failed INBOUND connection.

Question 2) Is there any way of getting information for failed inbound connections?

NOTE: I understand that I could use the PacketFilterProvider, but this would require complex matching between the two providers and is potentially needless processing, plus I need the pid of the process responsible for the flow (or failed flow).

Thank you.
Replies: 7 · Boosts: 0 · Views: 1.4k · Activity: Apr ’20
How to make NEFilterPacketProvider listen to all interfaces?
I'm using FilterPacketProvider, and I'm simply printing out packet information and comparing this to the NEFilterDataProvider flow output. When in a non-VPN environment I see expected results:

```
From DataProvider:
New flow observed : [INTERNAL_IP]:50897->17.253.37.207:80 (Outbound)[TCP]

From PacketProvider:
2020-04-21 10:50:26 : [INTERNAL_IP]~50897 -> 17.253.37.207~80 [6]
2020-04-21 10:50:26 : 17.253.37.207~80 -> [INTERNAL_IP]~50897 [6]
2020-04-21 10:50:26 : 17.253.37.207~80 -> [INTERNAL_IP]~50897 [6]
2020-04-21 10:50:26 : 17.253.37.207~80 -> [INTERNAL_IP]~50897 [6]
...
```

However, when using a VPN I get the following issue:

```
From DataProvider:
2020-04-21 11:10:48 : [DarkIPC] [DEBUG] New flow observed : [VPN_IP]:51422->[EXTERNAL]:3128 (Outbound)[TCP]

From PacketProvider:
2020-04-21 11:10:48 : [INTERNAL_IP]~57770 -> 194.72.254.220~443 [17]
2020-04-21 11:10:48 : [EXTERNAL_VPN]~443 -> [INTERNAL_IP]~57770 [17]
2020-04-21 11:10:48 : [EXTERNAL_VPN]~443 -> [INTERNAL_IP]~57770 [17]
2020-04-21 11:10:48 : [EXTERNAL_VPN]~443 -> [INTERNAL_IP]~57770 [17]
2020-04-21 11:10:48 : [EXTERNAL_VPN]~443 -> [INTERNAL_IP]~57770 [17]
```

This looks like the flow is being created from the TCP VPN connection, while the packets provided seem to be UDP communication between the internal interface and the external VPN endpoint. I NEVER see flows from EXTERNAL_VPN to INTERNAL_IP and NEVER see packets from external addresses (172.253.37.207).

Is there any way of getting all packets created from the packet provider (including the VPN flows)? Or is there a way of solving this problem: https://forums.developer.apple.com/thread/131545

Thank you.
BR
Replies: 0 · Boosts: 0 · Views: 573 · Activity: Apr ’20
How do I remove the malicious software error? Notarization does not work
This question seems like it may have been asked before, but I can't find the right answer. I've bundled my app into a package which is signed and notarized, but when I try to install it I see the error: "can’t be opened because Apple cannot check it for malicious software".

The package has been signed: `sudo pkgutil --check-signature [PKG_PATH]` yields

```
Status: signed by a developer certificate issued by Apple for distribution
...
```

After forcing it to install I see that the installed app is also signed: `sudo codesign -d --verbose=4 [APP_PATH]` yields

```
...
CDHash=4ab0ad946f99b5bc54fe5203e91be9cb596e5b82
Signature size=8970
Authority=Developer ID Application: ______ (XXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 22, 2020 at 5:50:07 PM
...
```

The bundle is also notarized: `sudo spctl -a -vv [APP_PATH]` yields

```
source=Notarized Developer ID
origin=Developer ID Application: ___ (XXXXX)
```

What else could I have possibly missed? How do I remove this error so I can install the product?
Replies: 3 · Boosts: 0 · Views: 925 · Activity: Jun ’20
Play my app's sound through loud speakers without affecting other apps playing through headphones?
I'm working on an iOS app and I would like to play a sound in the background, through the loud speaker, without this affecting other apps playing through another channel, e.g. a Bluetooth speaker. I've tried a lot of combinations of AVAudioSession settings. However, it seems that even when I use the multiRoute category and set the required input channel, my app's audio will be interrupted if any other app plays. Setting the duckOthers option allows my audio to play, but this will play through whatever output channel the other apps are playing through. Furthermore, if I force using the loud speakers, this forces all sound from other apps to be routed through the loud speaker. Is it possible to force your app's audio through the loud speaker while other apps use headphones?
Replies: 1 · Boosts: 0 · Views: 1k · Activity: Aug ’20
How do multiple content filter system extension verdicts interact with each other?
I'm developing a product with a Content Filter System Extension with both NEFilterPacketProvider and NEFilterSocketProvider. What's the behavior where multiple system extension verdicts disagree? Specifically, what happens if our extension `.allow`s a connection and another application's system extension `.deny`s the same connection, or vice versa?
Replies: 3 · Boosts: 0 · Views: 826 · Activity: Apr ’21
How do I monitor tunnel traffic with a Packet Filter Provider ?
My application contains a Content Filter Network System extension. My VPN creates a null/loopback encapsulated tunnel in order to route the traffic to the VPN. I've noticed that I get FilterSocketFlows through the FilterDataProvider, but I never see any tunnel traffic appearing in the FilterPacketProvider. How can the Packet provider be configured to filter tunnel traffic?

Note: I have tried only registering a PacketProvider and still don't see any traffic. Is there any documentation of proper configuration?
Replies: 9 · Boosts: 0 · Views: 2k · Activity: Apr ’21
CFNetworkCopyProxiesForAutoConfigurationScript memory leak
The function CFNetworkCopyProxiesForAutoConfigurationScript causes a consistent memory leak. Simplifying the code provides:

```swift
import CFNetwork

// Pre-populate the error out-parameter with a retained CFError, as in the original code.
var err: Unmanaged<CFError>? = Unmanaged.passRetained(CFErrorCreate(nil, "" as CFErrorDomain, 0, nil))

// Evaluate the PAC script against the target URL; the result is an unmanaged (Copy-rule) CFArray.
let proxiesCFArrayRef = CFNetworkCopyProxiesForAutoConfigurationScript(
    script as CFString,          // PAC script source text
    self.wsAsHTTPURL as CFURL,   // URL the PAC script is evaluated for
    &err
)

// Balance the retains we own.
err?.release()
proxiesCFArrayRef?.release()
```

Which leaks. Is this a bug in CFNetwork or is there another way of clearing the memory allocated?
Replies: 1 · Boosts: 0 · Views: 774 · Activity: Apr ’21