Network privacy permission check
If you have a case where you'd like to know if your app doesn't have permission, can you describe it? Is this for using Bonjour, or a direct connection use case?
Now, we run into the issue where if our SDK (which builds upon WebRTC) decides that a local network Peer to Peer connection is most suitable, it will cause the Local Network permission alert to appear. Its all dependent on the environment at the given time, and being that we test in a device farm on fresh devices, this is something that could be tricky to manage. I was under the assumption that the permission would be similar to AVCaptureDevice authorizationStatusForMediaType: where it would return things like AVAuthorizationStatusNotDetermined, AVAuthorizationStatusAuthorized and AVAuthorizationStatusDenied.
If the user chooses to not allow permissions, we have no way in code to do something different, as we... don't know... that they said no previously. If we were able to detect that they denied the permission, we could, for instance, force WebRTC to use TURN instead and still achieve functionality.
I am looking at this from two angles, now that I type this. One is about allowing us the ability to manage permissions in automated tests. The second is for allowing a better experience to our customers' customers who decline local network permissions. If we are unable to know that they declined the permission, we can't talk alternative approaches to providing a useable experience.
Since POSIX networking APIs are being used by WebRTC, it would be nice for software developers to have a way to determine the authorization status before hand, and if the status changes. We can take actions like not gathering host candidates if permission is not granted for the local network. Alternatively we could filter any candidates that are gathered so that use of the local network is avoided.
For active use not during testing, we generally recommend against pre-flight checks wherever possible, however the error codes returned from attempts to use local network resources should provide enough information to display/do the right thing if such access is critical, or appropriately handle using only the remaining options if that particular resource isn’t the only option for achieving the user’s intent. If you can find places where this isn’t the case, we’d love to know about it!
As ceagleston and I explained during our lab session as well as in the ticket above, there are some issues with the approach of fire and check later for errors when combined with WebRTC and Interactive Connectivity Establishment (ICE) which will cause issues which could be circumvented if we know beforehand that a user has denied local network access. Please review Feedback FB7801261. If you have further questions regarding the use case, please don't hesitate to reach out. Thank you!
I hope it’s added otherwise this could affect users’ in app experiences really negatively if we can’t check before creating these experiences, especially if it’s being created within an AR scene for example.
Without having any direct method to inquire if the local network permission is available, it is not possible for us to change the point of triggering local network calls. Let say an App does not want to send local network calls on App launch if local network permission is not available. Rather, initiate the local network calls only when user performs a specific user action such as tap on a button. This will help to provide the context to the user why local network permission is required. If local permission is available, we would prefer to send the local network messages on App launch itself.
Checking if the local permission is possible by sending local network message on App launch (lets say mdns request message) but as soon as the mdns message will be sent, the permission dialog will be prompted to the user. That is the reason, We do not want to send the local network message until permission is available or user performs specific action.
Please let us know if such an API may be exposed in iOS 14 to check the local network permission status.
Responding to the comments from Apple Frameworks Engineer:
A direct connection. As we have tried to explain there are thousands of apps that use WebRTC, which under the hood uses ICE. The most common configuration of ICE attempts to establish a direct connection with POSIX TCP and UDP sockets. When a PeerConnection is negotiated, the Peers are ignorant of their network topology and exchange candidates, testing pairs in an attempt to establish a low latency connection on the cheapest network route possible. Traffic may go through a relay server, but this is often the last check performed due to the time needed to perform TURN allocations and grant permissions for the peers.If you have a case where you'd like to know if your app doesn't have permission, can you describe it? Is this for using Bonjour, or a direct connection use case?
The first check being performed is often on the pairing of host candidates from each device. If permissions are declined then this check kills the socket and WebRTC does not recover it effectively. I will stop here, as it appears that I am not allowed to attach my sequence diagram. I believe we included it in the FB, but I will add it again to be sure.
We can skip the host candidate checks (and optional mDNS discovery phase) if permissions are declined, but not without an API to check the state of the user's permissions and reconfigure our Ice agent accordingly.
If the Ice transport protocol is UDP then the host, server reflexive and relay candidates share the same base transport address (protocol:ip:port). This means that terminal socket errors received due to host candidate checks can cause the stun and relay candidates to never be gathered. Using a pre-flight permissions check would allow us to configure the agent so that host checks are avoided and the UDP socket is not closed. I will investigate handling the socket level error, but this is a not insignificant change to a complex and cross-platform code base.For active use not during testing, we generally recommend against pre-flight checks wherever possible, however the error codes returned from attempts to use local network resources should provide enough information to display/do the right thing if such access is critical, or appropriately handle using only the remaining options if that particular resource isn’t the only option for achieving the user’s intent. If you can find places where this isn’t the case, we’d love to know about it!
The relationship between the candidates is demonstrated in rfc8445-2.1. For the sake of discussion imagine that candidates are tested in the order of X:x, X1':x1', Y:y. The process only reaches X:x if the first check uses the local network.
To Internet
Code Block | | | /------------ Relayed Y:y | / Address +--------+ | | | TURN | | Server | | | +--------+ | | | /------------ Server X1':x1'|/ Reflexive +------------+ Address | NAT | +------------+ | | /------------ Local X:x |/ Address +--------+ | | | Agent | | | +--------+
Code Block Figure 2: Candidate Relationships
Here are some issues we run into without such API
1) If we have a trigger point for the "<App> would like to find and connect to devices on your local network" and the user denies the permission, forget they did it, and then come back to the trigger point, we would like to be able to remind them and offer to bring them to our app Settings which is impossible without knowing the state of the permission.
2) If the user has previously granted permission at the trigger point and we were able to test the state of the permission at app launch, we could kick off the device discovery for them without waiting for them to come back to the trigger point. This is critical for reconnect scenarios, i.e., the app attempts to automatically reconnect to a Casting session that existed last time it was shut down. Without the API to check the permission our feature will be broken.
3) Some frameworks create singletons and will throw exceptions if we attempt to initialize them more than once. We would like to know we have the necessary permission to safely initialize those singletons.
4) Some frameworks may fail internally on the Local Network permission and throw obfuscated errors. In that case we wouldn't be able to tell if the failure is caused by the lack of permission and we can't provide useful feedback for our user. Unless we assume that any error may be caused by the lack of permission and tell the user something like "Please, make sure the Local Network permission is enabled in your iPhone's Settings", which is less than ideal.
I hope It's possible to have this API so we don't have to resort to complex guessing. Please, help.
I have an app that controls a hardware device that we manufacture and sell. In order to find the hardware on the network, we send a UDP broadcast with a message for our hardware, and the hardware responds with a message back so that we can get an endpoint to send calls directly to the hardware. The UDP broadcast triggers the request for Local Network permissions, and if the user chooses not to accept it, we will never find their hardware device, and we do not have any tools for diagnosing the issue for them. We're going to have to have a generic error message anytime the hardware is not found telling users to make sure the hardware is connected AND go into Settings on their iOS device and ensure that Local Permissions is turned on for the app. We will warn the user ahead of seeing the request that they need to accept it, but there's always ones that don't, and once that gets off the rails there's no good way to help the user back on the rails. It ends up in a terrible experience for the user.If you have a case where you'd like to know if your app doesn't have permission, can you describe it? Is this for using Bonjour, or a direct connection use case?