iOS 14 local network privacy question

Hi!

We're working on an app that provides a custom VPN protocol implementation. The main app uses the Network Extension with a PacketTunnelProvider. In certain cases the tunnel process needs to connect to the local DNS server, which appears to trigger the Local Network Privacy warning in iOS 14. What we're observing is that even if the user declines the "App would like to connect to devices on your local network" prompt, the Network Extension can still reach and query the local DNS resolver.

It seems that even if the user picks "Don't allow" in the OS prompt, all communication with the local network devices from the Network Extension is still possible. Is that an expected behaviour in iOS 14? Or is there a chance that this will change with one of the coming iOS 14 beta releases and we should account for that?

Replies

Or is there a chance that this will change with one of the coming iOS 14 beta releases and we should account for that?

There is always an expectation that things may change in the Beta cycle.

You mentioned:

all communication with the local network devices from the Network Extension is still possible

This sounds like it's only the case for the Network Extension reaching out to the local resolver? Is this the same for the container app as well or if the user picks "Don't Allow," can the container app reach the local network?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@Matt: thanks for looking into this.

We did some further testing and tried making a local DNS query from the main app process after declining the privacy permission prompt on iOS 14. When we did that, the lib we've used to test it was unable to query the local DNS resolver.

It appears that the container app itself is affected by the decision made by the user in the local network privacy prompt, but it does not affect the appex binary.

My question at this point is: is that an expected behaviour, or should we assume that this will change in one of the iOS 14 betas?

It appears that the container app itself is affected by the decision made by the user in the local network privacy prompt, but it does not affect the appex binary.

Thanks for reporting this. I think that this is worth a bug report just to make sure that Network Engineering has a chance to review this. Please follow up with the Feedback ID.

My question at this point is: is that an expected behaviour, or should we assume that this will change in one of the iOS 14 betas?

There is no way to determine expected behavior as we are still in a beta cycle.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thank you. I've filed a bug report under:
FB8382522 (iOS 14 network privacy prompt doesn't affect Network Extension). Will update the thread when anything new comes in.