Post

Replies

Boosts

Views

Activity

NEFilterControlProvider network extensions not working from iOS 16.1
Hi, We use the NEFilterControlProvider and NEFilterDataProvider network extension in our product to do content filtering and blocking certain websites loaded on browsers. From iOS 16.1 we are observing that the extensions are not getting any browser flow objects. We tested on iOS 15.5, 15.7, 16.0 as well and it is working on these versions. Is this a known regression wrt Control Filter network extension in iOS 16.1 onwards. If yes, do we have an ETA on when this will be patched?
6
0
1.5k
Dec ’22
iOS 16 prefering to use DoH/DoT even if VPN has specified it does not support DoH/DoT in DNS Settings
Hi, We have a VPN solution based on NEPacketTunnelProvider. Our requirement is to be able to get UDP based dns traffic and perform dns resolutions for all dns queries, while the VPN is in split tunnel mode. Earlier, till iOS 15.x, we used to use the approach mentioned by @Quinn in this link https://developer.apple.com/forums/thread/35027?answerId=122209022#122209022, where our VPN was in split tunnel and we used to use the wildcard match domain option to get all the dns queries in the VPN. We used to use the public dns servers like google dns servers (8.8.8.8, 8.8.4.4) in our vpn. In our NEDNSSettings of the NEPacketTunnelNetworkSettings, we have dnsProtocol set to "clear text" and the servers set to the above public dns servers. From iOS 16 onwards, we are observing that despite specifying the clearText dns protocol, we are receiving encrypted dns packets probably because of system automatically using DoT or DoH, as the public dns servers does support this. This is breaking multiple flows in our app. This seems to be a regression in iOS 16, because the DNSSettings of the VPN should be respected by the platform. Is this a known issue on apple side? If yes, are there any tentative dates for fixing this?
3
2
2.3k
Nov ’22
Not getting Browser flow traffic in per app Content Filter (NEFilterControlProvider))
Hi, We are trying the new per app Content filter feature released with iOS 16 on managed devices. We push a configuration file via the MDM onto the device which contains the ContentFilterUUID field as mentioned in the WWDC tutorial After this, the NEFilterControlProvider network extension starts on the device and we expect to do the content filtering using that. In the content filter profile, we have set "FilterBrowsers" key to true and "FilterSockets" key to false. Also, we have assigned the profile to chrome application. Our expectation is that when we load a URL in chrome, if it is present in our filter, it should be blocked. But we are observing that this is not happening. On further investigation we found that no NEBrowserFlow traffic was received by our NEFilterControlProvider extension. We changed the "FilterSockets" key to true, and were able to see NESocketFlow traffic coming, but not the NEBrowserFlow traffic. We tried with the same profile on a supervised device without the contentFilterUUID field to make the profile device wide, and it was able to filter properly. Please let us know if this is a known issue and any tentative ETA for the fix. We have created a FB assistant bug as well (11637934) Other than this, we wanted to understand if we can assign the per app CF to Safari app as well. Safari being the default browser for majority of users, not able to put Content filtering on it, will hamper our content filtering use case
2
0
929
Oct ’22
dns_parse_packet API not working
Hi, I was working on a feature based on dns packet parsing in the VPN solution of my app on iOS. I was using the dns_parse_packet api from dnsutils.h class, which was able to parse dns requests and reply packets from raw bytes quite efficiently. I had tested this flow on iOS 15.2 but after updating to iOS 15.5 this api does not seem to work anymore. Has this API been deprecated or is this a bug in iOS 15.5?
9
1
3.0k
May ’22
KeyChain Sharing with App Extensions
Hi, We are trying to use Apple Security API for KeyChain Services. The motive is to store some sensitive data in the KeyChain. Our app has Network extensions enabled which share a common app group and we want to access the data stored in the KeyChain from the extensions as well. Specifically we were exploring the SecItemAdd, SecItemCopyMatching etc family of APIs. We tried a few methods: Using the common App Group : Specifying the common app group in the "kSecAttrAccessGroup" field of the KeyChain query, allowed us to have a shared keychains for different apps (targets) in the app group, but this did not work for extensionsEnabling the KeyChain Sharing capability : We enabled the KeyChain Sharing Ability in the extensions and the app target as well, giving a common KeyChain Access group. Specifying this in the kSecAttrAccessGroup field also did not work.We tried specifying "$AppIdentifier.KeyChainSharingGroup" in the kSecAttrAccessGroup field , but this did not work as wellThe error code which we get in all these 3 cases when trying to access the Keychain from the extension is error code 25291 (errSecNotAvailable). The Documentation says this error comes when "No Trust Results are available" and printing the error in xcode using the status says "No keychain is available. You may need to restart your computer". The online Documentation says that it is possible to share keychain with extensions, but by far we are unable to do it with the methods suggested.Do we need any special entitlement for this or is there something we are missing while using these APIs?If this is possible Is there any internal/open source wrapper for Keychain APIs, that we can use?We will really appreciate help in solving this issue!Thanks!
1
0
1.1k
Dec ’19