Post

Replies

Boosts

Views

Activity

Sparsebundle on USB Key is very slow
I have an 120 GB encrypted sparsebundle on a USB Key. I access it via a recent mac book pro with latest os. The USB Key is a good brand, USB 3, 128 GB. When mounting the sparsebundle from the USB Key, access to it is extremely slow. Is it expected ? Can I do something about it (change file system ? Not use sparsebundle, but encrypt key instead - if that's possible) ? Thanks !
0
0
587
Nov ’20
File persistence between tests
I need to have data persistence between runs of my UI tests (for an iOS app). I know this might seem an anti-pattern, but I have to work with that for reasons beyond my control. I use XCTest / XCUITest in Xcode, to run the test on an iOS app on a real device (not a simulator). Several devices will be used, but not simultaneously, and should start with the state the previous one finished on. I have explored a few options, but none work. The simplest thing for me to have would be to save the state in a file on my mac and for this file to be modified directly by the test. However, as far as I can tell, this is not possible. The test cannot access files on the mac itself during the test, but only the files on the device. I can have a file in the test directory on my mac, copy it (via a build copy phase) to the real device. Access it from the device, modify it. And lastly, copy it back at the end of the test to the computer. I’ve managed to do all this l, except the last phase. I have looked into XCTAttachements. The problem is that some tests can be stopped manually (via the square DONE button in xcode, and in that case "tearDown" will not be called). Unless someone has a better idea, what is the safest, most resilient way to copy back a file from the device to the mac, at the end of each test run (regardless of success or failure)? Is there a way to intercept the calls to the square Done button? Thanks!
0
0
704
Aug ’20
Entitlement issues with network extension
When loading a network extension, I see the following error, raised by the trustd process, in the console :Entitlement com.apple.application-identifier=RUXT127L01.com.team.AppName.NetworkExtension is ignored because of invalid application signature or incorrect provisioning profile Entitlement com.apple.security.application-groups=( "RUXT127L01.com.team.AppName" ) is ignored because of invalid application signature or incorrect provisioning profileHowever, I believe my appGroups and bundle identifiers are correctly set in the Entitlements :com.apple.application-identifier RUXT127L01.com.team.AppName.NetworkExtension com.apple.developer.team-identifier RUXT127L01 com.apple.security.application-groups RUXT127L01.com.team.AppName com.apple.security.get-task-allowAlso, when I run "codesign -d -vvvv" or "codesign -d --entitlements" on the systemextension, everything looks fine.Does anyone have any idea what could be off? Or any suggesting of where to look?Note that the system extension seems to work fine anyway, and allows XPC communications.
14
0
7.5k
Feb ’20
latency of NEFilterPacketProvider
I have ran some latency tests (measuring download and upload from the internet).When filtering via a NEFilterData, the speed stays almost the same (about a 5% decrease).However, when filtering via a NEFilterPacket, even when doing only this:override func startFilter(completionHandler: @escaping (Error?) -> Void) { packetHandler = { (context:NEFilterPacketContext, interface:nw_interface_t, direction:NETrafficDirection, packetBytes:UnsafeRawPointer, packetLength:Int) in return .allow } completionHandler(nil) }Then the speed is about 40% of the speed without filtering.Is that expected? Is there anything I can do to prevent this?I tried to setfilterManager.grade = .inspectorbut that did not help either.
0
0
516
Feb ’20
Filter large list of IP addresses
For an NEDataFilter, I am trying to filter a large list of IP addresses (computed from the domain names). I can see 2 ways of doing this:1) I create many rules NEFilterRule, and apply them via NEFilterSettings, and select .drop2) I apple the NEFilterSettings with no rule, change a default action to .fitlerData, and then do the lookup of the IP addresses inside the handleNewFlow function.What would be the best solution, latency wise ? The 2nd seems faster to me, as I can implement O(log(n)) lookup, but are there useful tricks that 1 is doing, that means I should consider it ?
6
0
979
Feb ’20
Checking legitimacy of process
I want to evaluate whether processes installed and running on a macOS system are legitimate.I understand (thanks Eskimo) that checking their identifier is not a good way to identify processes, as any developer can use any identifier. I also understand that I should use DesignatedRequirements.I have the following code at the moment:// Get code signing information. var infoOpt: CFDictionary? = nil err = SecCodeCopySigningInformation(staticCode, SecCSFlags(rawValue:kSecCSRequirementInformation), &infoOpt) guard err == errSecSuccess, let info = infoOpt as? [String:Any] else { return nil } let processId = info[kSecCodeInfoIdentifier as String] as? String // nil iif code is not signed let designatedRequirement = info[kSecCodeInfoDesignatedRequirement as String] as! SecRequirement var designatedRequirementCFStr : CFString? SecRequirementCopyString(designatedRequirement, [], &designatedRequirementCFStr) let designatedRequirementStr = designatedRequirementCFStr as String?But how can I use the designated requirement to ensure that the app is legitimate ?More specifically :- If I want the anchor (root certificate) to be Apple's, how can I programatically check it ? There must be something better than parsing the string above.- I am not very familair with the certificate process. What is the anchor "apple generic" ?- What is a reasonable rule to accept the process as legitimate? Is it all about the anchor and I can disregard the certificate leaf?Thanks!
5
0
1.8k
Feb ’20
Display alert or UserNotification from system extension
I am looking to convey some information to the user and request his input from a system extension (a Network extension).I couldn't get an Alert to work on systemExtensions. Am I missing something or is it indeed not possible/not advisable ?What about UserNotifications, is it advisable to do that from the system extension itself, or should I just use xpc to foward the information to a normal app, which will take care of display the info ?
0
0
459
Jan ’20
Caching sourceAppAuditToken
Inside my NEFilterDataProvider, I am retrieving the code signature informations from socketFlow.sourceAppAuditToken (thanks to the good advice of Eskimo).This takes a little bit of time though. Is it reasonable to cache the sourceAppAuditToken ?I am thinking of keeping a dictionary that would map the sourceAppAuditToken to their String identifier. Is it reasonable, or is it insecure to do so?Separately, I have seen that socketFlow.description contains a lot of really useful information, including bundleId, etc.How is that bundleId computed? (there is an insecure way : just retrieving it from the Info.plist, and a secure way: retrieving it from the code signature). Also, is there a better way to access this information that parsing the socketFlow.description string itself?
2
0
620
Jan ’20
entitlement for checking on code signature
The following piece of code works all fine if I disable the sandbox, but it fails if I enable the sandbox: // Get a code reference. var codeOpt: SecCode? = nil var err = SecCodeCopyGuestWithAttributes(nil, [kSecGuestAttributeAudit : sourceAppAuditToken] as NSDictionary, [], &codeOpt) guard err == errSecSuccess, let code = codeOpt else { return nil } // Check the validity of the signature var errorDescription : Unmanaged? = nil err = SecCodeCheckValidityWithErrors(code, [], nil, &errorDescription) guard err == errSecSuccess else { return nil }What entitlement do I need on the sandbox to allow this ?
9
0
1.7k
Jan ’20
How to get BundleID from sourceAppAuditToken ?
In NEFilterDataProvider, the system helpfully provides NEFIlterFlow.sourceAppAuditToken. How should I interpret it though?This is of Data type, how can I map it to an app, for example via its BundleID?In another question, it was suggested to look at <bsm/libbsm.h>. However this seems to be objective-c and deprecated ? How can I do this in swift ?Thanks!
5
0
2.3k
Jan ’20
NEFilterDataProvider vs NEFilterPacketProvider
I am writing a firewall, and trying to choose between NEFilterDataProvider and NEFilterPacketProvider.NEFilterDataProvider seems to contain a lot more information. For example, via NEFilterFlow's I can know very easily from which app the flow was originated.However, I think NEFilterDataProvider only parses UDP and TCP connections ?If that is correct, then it does not work for a firewall, because a malware could send data with any custom protocol.Is there a good way to filter absolutely all network content, but still have access to NEFilterFlow's useful information in the subset of cases where it can be populated?I am assuming that I should set NEFilterProviderConfiguration.filterPacket=true and NEFilterProviderConfiguration.filterSocket=true, but can I somehow use an NEFilterDataProvider that will look at strictly all the flow?
10
0
2.3k
Jan ’20
SimpleFirewall with objective-c
If I take the SimpleFirewall example provided by Apple, remove the SimpleFirewallExtension, add a new target that is also a NetworkExtension for content filtering, except where the language is objective-c, I have a weird problem. startFilter and stopFilter will be called correctly, but the packetHandler is never called.I made sure the plist and entitlements are populated similarly as the swift example.Why is that? What is different in objective-c for Network Extension?
14
0
2.2k
Jan ’20
NEFilterPacketContext is Empty
I am implementing a NetworkExtension, based on NEFilterPacketProvider. My issue is that the NEFilterPacketContext is always empty. I assume that's not expected, but my code is as simple as it gets. What's the issue?Maybe loking at attributeKeys is the wrong thing to do, but in that case, how to access context info? Specifically, I'd like to know things like which applications generated the packet, on which port, what external IP, etc.class FilterPacketProvider: NEFilterPacketProvider { override init() { super.init() os_log("FilterPacketProvider init") } override func startFilter(completionHandler: @escaping (Error?) -> Void) { os_log("FilterPacketProvider startFilter") packetHandler = { (context:NEFilterPacketContext, interface:nw_interface_t, direction:NETrafficDirection, packetBytes:UnsafeRawPointer, packetLength:Int) in os_log("FilterPacketProvider packet context=%{public}s %{public}s interface=%{public}s dir=%d length=%d", context.attributeKeys.description, context.debugDescription, interface.description, direction.rawValue, packetLength ) return .allow //.allow, .drop or .delay } completionHandler(nil) } override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { os_log("FilterPacketProvider stopFilter") completionHandler() } }
18
0
3.9k
Jan ’20
Very Simple XPC
I want to use the XPC technology simply to launch an app on macOS. I do not need any interprocess communication, or any of the other feature of XPC. The only documents that I can find on the internet show a complex structure, with code for the XPC service, separate code to launch the XPCservice via a script, and app code to communicate with the service.In other words, I only want something that does the equivalent of this:NSWorkspace.shared.openApplication(at: path, configuration: configuration, completionHandler: nil)but with XPC. So I would need something along the lines of:let listener = NSXPCListener.service("/path/to/my_app.app")listener.resume()RunLoop.main.run()Obviously, the service method does not take an argument that would be an executable path, so this does not work.How can I do that ?PS: to explain the motivation, launching an XPC service will preserve sandbox restriction form the launching app, whereas launching the app directly via NSWorkspace.shared.openApplication will not preserve sandbox restrictions (because the spawned app does not have "com.apple.security.inherit" as entitlement).
1
0
794
Dec ’19
App launched from Sandboxed app is not sandboxed. Security flaw ?
I have a very simple macOS app, built with latest swift, latest xcode. Is it sandboxed, and only launches another app (from the app store - with its own code signing).I have placed this other app in my launcher's app bundle, and launch it with NSWorkspace.shared.openApplication.My issue is that while the launcher app itself is sandboxed, its restrictions are not applied to the launched app. The launched app is sandboxed (it was sandboxed by the original developer), but has wider permissions.It seems either a security flaw or I am misunderstanding something. Can anyone shed lights on this? Thanks!
1
0
727
Dec ’19