Transparent Proxy overrides flow.metaData.sourceApplicationSigningIdentifier property

Hello,

I'm developing a transparent proxy which only intercepts traffic coming from certain apps.

I'm having a problem when there are other transparent proxies active where the flow.metaData.sourceApplicationSigningIdentifier property is whichever provider intercepted the traffic before my provider did.

To verify this, I have implemented a small application that installs two transparent proxy profiles which handle the flows only coming from Safari.

Here's the bit of the code where the provider determines that:

    open override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let flow = flow as? NEAppProxyTCPFlow else { return false }

        let sourceApp = flow.metaData.sourceAppSigningIdentifier
        NSLog("[TransparentProxyProvider] Received flow from: \(sourceApp)")

        guard sourceApp == "com.apple.Safari" else { return false }

        // Create NWConnection and handle flow copying as needed

        return true
    }

As you can see from the following screenshots, when both profiles are active at the same time, the logs show that the second profile sees that the source application is the first profile:

From what I understand, that happens because the Transparent Proxy Provider creates a TCP connection and therefore, from the Operating System's perspective, is initiating a new separate flow which is what is then intercepted by the second provider.

My questions are:

  1. Is this expected behavior?
  2. Is there a way to find what the actual source application was?
  3. How does the Operating System determine which profile receives the traffic first?
From what I understand, that happens because the Transparent Proxy Provider creates a TCP connection and therefore, from the Operating System's perspective, is initiating a new separate flow which is what is then intercepted by the second provider.

That sounds about right. However, there is a way for a transparent proxy to correctly reflect the source of the flow. The way you do this depends on the API you’re using in your proxy:

  • If you’re using the Network framework Swift API, call the setMetadata(on:) method to apply the appropriate metadata to the NWParameters you use for your connection. This is new in macOS 15.

  • If you’re using the Network framework C API, call the setMetadata(_:) method to apply the appropriate metadata to the nw_parameters_t you use for your connection. This has been around since macOS 10.15.4.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
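The approach described above, as an added example (not the original poster's code or Apple's): a transparent proxy that stamps the intercepted flow's metadata onto the outbound NWParameters before creating the NWConnection, so that any proxy loaded after this one still sees Safari as the source rather than this extension. It assumes macOS 15 for the Swift setMetadata(on:) API; the class name and queue label are placeholders.

```swift
import Foundation
import Network
import NetworkExtension
// Added example (not the poster's or Apple's code): stamp the intercepted flow's
// metadata onto the outbound connection so a later proxy sees the real source app.
final class TransparentProxyProvider: NETransparentProxyProvider {
    private let queue = DispatchQueue(label: "example.proxy.flows") // label is an assumption

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow, tcpFlow.metaData.sourceAppSigningIdentifier == "com.apple.Safari",
              let remote = tcpFlow.remoteEndpoint as? NWHostEndpoint,
              let port = Network.NWEndpoint.Port(remote.port) else { return false } // not ours
        let parameters = NWParameters.tcp
        if #available(macOS 15.0, *) {
            // Key step: without this the OS attributes the new socket to this extension, which is
            // exactly what a proxy loaded after this one then reports as the source application.
            tcpFlow.setMetadata(on: parameters)
        } // Before macOS 15: build an nw_parameters_t with the C API and call tcpFlow.setMetadata(_:)
        let connection = NWConnection(host: .init(remote.hostname), port: port, using: parameters)
        connection.stateUpdateHandler = { state in
            switch state {
            case .ready:
                tcpFlow.open(withLocalEndpoint: nil) { error in
                    if let error = error { tcpFlow.closeReadWithError(error); return }
                    self.copyFlowToConnection(tcpFlow, connection)
                    self.copyConnectionToFlow(connection, tcpFlow)
                }
            case .failed(let error):
                tcpFlow.closeReadWithError(error); tcpFlow.closeWriteWithError(error)
            default: break
            }
        }
        connection.start(queue: queue)
        return true
    }

    // App -> remote: read from the flow, forward, repeat; half-close the connection on EOF.
    private func copyFlowToConnection(_ flow: NEAppProxyTCPFlow, _ conn: NWConnection) {
        flow.readData { data, error in
            guard let data = data, error == nil, !data.isEmpty else {
                conn.send(content: nil, contentContext: .finalMessage, isComplete: true, completion: .idempotent); return
            }
            conn.send(content: data, completion: .contentProcessed { _ in self.copyFlowToConnection(flow, conn) })
        }
    }

    // Remote -> app: receive, write to the flow, repeat; close the app's read side on EOF.
    private func copyConnectionToFlow(_ conn: NWConnection, _ flow: NEAppProxyTCPFlow) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, isComplete, error in
            if let data = data, !data.isEmpty { flow.write(data) { _ in } }
            if isComplete || error != nil { flow.closeWriteWithError(error) } else { self.copyConnectionToFlow(conn, flow) }
        }
    }
}
```

Returning false from handleNewFlow hands the flow back to the system (or to the next proxy in order), so only the flows this provider actually proxies carry its connections.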

Hi Quinn, thank you for the answer!

My problem now is that other apps that I haven't developed, which don't properly set the metaData on the parameters, are the ones interfering with my proxy.

They receive the flow before my proxy does, and I see the source application as them.

Is there a way for me to find out what the source of flow they are proxying is or can I configure my proxy to somehow receive the traffic before them?

Sorry I missed this earlier.

Is there a way for me to find out what the source of flow they are proxying is … ?

Not that I can see. From your perspective there’s no way for you to distinguish flows that the other proxy creates to proxy apps vs flows that they create for their own internal maintenance.

can I configure my proxy to somehow receive the traffic before them?

No. There is no way to force NE to load proxies in a particular order. This is a fairly common request…

Oh wait…

I just went to find the bug that’s tracking this and it seems that it’s been fixed (r. 85504560). Yay!

As a proxy developer you’re not in control of the order, but the device manager can set a defined order by way of the Order property documented here.

And that actually speaks to a wider issue. If the only reason you need to set the order is because the other product isn’t setting the flow metadata correctly, you should explain that to your customers. Presumably the customers who notice this are the ones who install your product and the other developer’s product. Thus, they have a business relationship with the other developer. You should encourage them to raise this issue with that developer.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
