NEFilterDataProvider not invoked for some network activity.

Question

Created Oct ’22

Replies 3

Boosts 0

Participants 2

In the context of a research project at my university, we want to anonymously collect and statistically analyse usage behavior of an iOS device in a managed device context (MDM, not FamilySharing).

Since we cannot access the ScreenTime API in our non-FamilySharing context, we've built a prototype that uses the tandem of NEFilterDataProvider and NEFilterControlProvider to log the anonymous network traffic (timestamps and originating app's bundle id). We plan to use machine learning and pattern matching algorithms to deduce app usage from network traffic.

The prototype is working very well with one exception: The network traffic of some applications (in particular WhatsApp) does not trigger NEFilterDataProvider's methods (which in turn does not trigger NEFilterControlProvider).

I recall WhatsApp using web sockets and the VoIP extension in order to be able to send incoming messages to user devices even when the app was terminated via the app switcher. Is this (questionable) pattern preventing NEFilterDataProvider from receiving flows for decision? Is web socket traffic not supported by NEFilterDataProvider?

I understand our 'network logging' use case might be not quite in line with the Firewall use case NEFilterDataProvider and friends are usually promoted for. However, I would expect the API to work regardless. Imagine trying to build a Firewall application that wants to block all chat applications from accessing the network, for example. That should certainly work.

Boost

Answer 1

Systems Engineer OP

Apple

Oct ’22

Is web socket traffic not supported by NEFilterDataProvider?

Web socket traffic is available to be filtered through NEFilterDataProvider. What are you setting. for your defaultAction as in NEFilterSettings? Are you setting it as NEFilterActionFilterData or something else? The reason why I ask is because setting it to default to allow with NEFilterActionAllow could result in all subsequent flows to pass through the filter with the default allow action and you would not see the flow in handleNewFlow.

If an app receives a push notification that wakes the app up to take further action by calling out to the network to request further information, then that request out to the network should be available in the filter also. Try using a proxy, or third party debugging tool, here to get more information about this network request to tell you how you need to filter the request. If the request is not showing up, and the defaultAction is NEFilterActionFilterData then this might be grounds for a bug but lets see where the first two investigation items take us first.

0

Answer 2

MaxK03 OP

Oct ’22

Thank you for your response and all the effort you put into the explanations.

As far as I can see, the applySettings: method as well as the NEFilterSettings class are marked API_UNAVAILABLE(ios, tvOS). So I can't use them, since we're operating on iOS devices only.

If it helps, this is the code we currently use to enable the filter:

let filterManager = NEFilterManager.shared()
try await filterManager.loadFromPreferences()

if filterManager.providerConfiguration == nil {
    let config = NEFilterProviderConfiguration()
    config.filterBrowsers = true
    config.filterSockets = true
    filterManager.providerConfiguration = config
}

filterManager.isEnabled = true

try await filterManager.saveToPreferences()

0

Answer 3

MaxK03 OP

Nov ’22

Any updates? We're noticing more and more network traffic that is not fed to an active NEFilterDataProvider. For example, if you ping the device with the filter running from another device in the same network, that network activity also doesn't show up.

0