NEFilterDataProvider method handleInboundData parameter readBytes, is this data encrypted?

I've been trying to create an NEFilter based on the SimpleFirewall example code and can't find any examples or descriptions on how to get at the data returned in the readBytes parameter of handleInboundData. I really only want to get the title of the page.

If I open a page via an HTTP request I can easily see the html for the page including the title if it exists. It seems HTTPS requests provide the data still encrypted but I can't find any information about that in the documentation or anywhere on the web.

The next question will be (of course): Is there an easy way to get that data decrypted?

readBytes is just Data, so you need to decode the Data into whatever you are expecting it to be.

e.g. if you are expecting a string, try something like:

import Foundation

func handle(readBytes: Data) {
    // Convert to the target class you are expecting (e.g. String)
    guard let string = String(data: readBytes, encoding: .utf8) else {
        print("Error: couldn't get String from readBytes")
        return
    }
    // Success...
    print("string: \(string)")
}

// I don't have your readBytes, so I'll make a dummy one...
handle(readBytes: Data())

Does that answer your question?

I really only want to get the title of the page.

The URL will at least be available via NEFilterFlow if the network request was created via WebKit.

Regarding:

If I open a page via an HTTP request I can easily see the html for the page including the title if it exists.

Right.

Regarding:

It seems HTTPS requests provide the data still encrypted but I can't find any information about that in the documentation or anywhere on the web.

Yes, it does. This is a safety mechanism so that all traffic on a device cannot just be consumed by someone who should not be doing so. The idea is that if your filter has a cache of known IPs, URLs, or even SNIs that are known to be malicious, then these items can be filtered upon and blocked.

Regarding:

The next question will be (of course): Is there an easy way to get that data decrypted?

As you mentioned, this data will be encrypted for cases where a NEFilterDataProvider is just running standalone on a machine/device. The exception, as you also mentioned, is things like standard HTTP, FTP, or other TCP port 80 traffic. If you are looking for a way to make filtering decisions in this environment, take a look at building a URL, IP, or SNI cache to make filtering decisions based upon your business rules.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

If I can't get at the data to help make a decision on filtering, then what is the point of this method? In many cases you can't see the data because it's encrypted. My expectation was that the data could be seen. This implies that we can only filter KNOWN bad web pages and we can't filter based on what is in a page. Not very useful.

I understand the confusion here. However, consider the alternative: any NEFilterDataProvider running on your system could see all your data, including sensitive data like passwords and financial info, if this data were delivered unencrypted.

Now, there are still parts of the TLS handshake and DNS traffic that are available here to make top-level filtering decisions upon, which is really what is needed instead of looking at all user data. For example, the URLs, IPs, and in most cases the TLS SNI are available to make decisions upon.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
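The two replies above say that an encrypted flow still exposes the TLS SNI (and a plaintext HTTP flow its Host header), and that a host blocklist is the right basis for a verdict. The following is an added, stand-alone illustration of that decision logic, written in Python so it can be run anywhere; it is not Apple's code and not part of the thread. It parses the server_name extension out of the first bytes of a TLS ClientHello, falls back to the HTTP Host header for plaintext, and returns a verdict string. The ClientHello it operates on is constructed inside the block as test input; the names build_client_hello, extract_sni, extract_http_host, tls_record_complete and filter_verdict are this example's own, and "peek" is simply the signal that the record is incomplete and more bytes are needed before a decision can be made.

```python
import struct
from typing import FrozenSet, Optional

# Constructed test input: a minimal TLS 1.2 ClientHello record carrying a
# server_name extension. Built here for the example, not a real capture.
def build_client_hello(host: str) -> bytes:
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # type host_name(0)
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + b"\x00" * 32         # random (zeros, test data only)
        + b"\x00"              # session_id: length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)


def tls_record_complete(data: bytes) -> bool:
    """True if the buffer holds the whole first TLS record (5-byte header + payload)."""
    if len(data) < 5:
        return False
    return len(data) >= 5 + struct.unpack("!H", data[3:5])[0]


def extract_sni(data: bytes) -> Optional[str]:
    """Return host_name from a complete TLS ClientHello, else None (not TLS, no SNI, or truncated)."""
    if data[:1] != b"\x16" or not tls_record_complete(data):
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                    # must be a client_hello message
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                           # skip client_version(2) + random(32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if len(body) < end:
        return None
    while pos + 4 <= end:                              # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(ext_data) < 2:
            continue
        p = 2                                          # skip server_name_list length
        while p + 3 <= len(ext_data):
            name_type = ext_data[p]
            name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
            p += 3
            name = ext_data[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, else None."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii", errors="replace").split(":")[0]
    return None


def filter_verdict(data: bytes, blocked_hosts: FrozenSet[str]) -> str:
    """'peek' if the TLS record is still incomplete, 'drop' if the host is blocked, else 'allow'."""
    if data[:1] == b"\x16" and not tls_record_complete(data):
        return "peek"
    host = extract_sni(data) or extract_http_host(data)
    if host is None:
        return "allow"
    return "drop" if host.lower().rstrip(".") in blocked_hosts else "allow"


if __name__ == "__main__":
    blocklist = frozenset({"ads.example.net"})         # constructed blocklist entry
    print(filter_verdict(build_client_hello("Ads.Example.net"), blocklist))  # drop
    print(filter_verdict(build_client_hello("example.com"), blocklist))      # allow
```

In a real provider the "drop" and "allow" strings would map to the verdicts the Network Extension API returns, and "peek" to asking for more bytes; the point of the example is that nothing in it needs the encrypted application payload, only the handshake metadata the replies say is visible.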