BSSID: Right way to retrieve it taking into account new security concerns

Hi everybody!

With the latest updates on Ventura around 13.9.X, Sonoma 14.5 and above, and most probably Sequoia, we noticed a change in how to retrieve the BSSID. We know Airport is discontinued, but other commands are also impacted by the new security policies.

Now, to make any command work properly, we need to ask for Location Permission. But this is where we are running into some issues making it compatible with the new requirements.

We have a web desktop app (built with Electronjs) that uses a Mach-O executable (built in C++). This executable runs IOREG to retrieve the BSSID. One of the things we tried was to request the Location Permission in the parent/GUI app, but by doing this, IOREG was not able to retrieve the BSSID.

Then we tried to find a way to run a small test with only our executable. But in that attempt, we did not find a way to trigger the location permission request, either manually or by a command.

Is there a way to prompt the user from a terminal executable, or is the right way to prompt from the GUI?

Do we need to stop using a Mach-O executable in C++ and move to a native Mach-O executable in Swift to be able to prompt from it? (This executable runs on the machine frequently, several times per minute.)

We are open to changing the command if needed.

Answered by DTS Engineer in 805646022

There are two parts to this:

  • If your app has the Location privilege, will a helper tool that you spawn inherit that privilege?

  • If you spawn a helper tool that requests the Location privilege, what’ll happen?

My answers are:

  • It should, but I’m not surprised that you had problems with this [1].

  • Nothing good.

Life will be a lot easier if you do this work from your app, rather than spinning up a tool.

This executable runs IOREG to retrieve the BSSID.

That’s an odd way to approach this. It’d be better to get this information from Core WLAN. Here’s some code to get the SSID:

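import CoreWLAN

// Enclosing type so the static members compile; the name WiFiInfo is a placeholder.
enum WiFiInfo {
    private static let client: CWWiFiClient = CWWiFiClient()

    // Passes the current SSID to the handler, or nil if there is no interface or no value.
    static func fetchWiFiInfo(_ completionHandler: @escaping (_ ssid: String?) -> Void) {
        let ssid = client.interface()?.ssid()
        completionHandler(ssid)
    }
}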

To get the BSSID, change it to call bssid() instead of ssid().

Of course, this only works if you have the Location privilege.

This executable runs in the machine frequently, several times per minute

Are you polling for changes? If so, it’s likely that you’ll be able to avoid that by switching to Core WLAN’s notifications. Even if that’s not the case, polling the Core WLAN API is going to be a lot cheaper than spinning up a new process each time.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I talk about the concept of responsible code in On File System Permissions. However, the location privilege doesn’t actually go through the TCC subsystem, so it’s not uncommon to see it behave differently than other privacy privileges.
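
Added example, not code from this thread or from Apple: one way to do what the answer recommends inside the GUI app itself, requesting the Location privilege and then using Core WLAN's BSSID-change notification instead of polling. `BSSIDMonitor` and `onChange` are hypothetical names; it assumes macOS 11 or later and an app whose Info.plist includes a location usage description.

```swift
import CoreLocation
import CoreWLAN

// Added example: BSSIDMonitor and onChange are illustrative names, not Apple API.
final class BSSIDMonitor: NSObject, CLLocationManagerDelegate, CWEventDelegate {
    private let location = CLLocationManager()
    private let wifi = CWWiFiClient.shared()
    private let onChange: (String?) -> Void
    private var monitoring = false

    init(onChange: @escaping (String?) -> Void) {
        self.onChange = onChange
        super.init()
        location.delegate = self
    }

    // Core Location calls this when the manager is created and whenever authorization changes.
    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        switch manager.authorizationStatus {
        case .notDetermined:
            manager.requestWhenInUseAuthorization()   // the prompt comes from the app, not a helper tool
        case .denied, .restricted:
            try? wifi.stopMonitoringAllEvents()
            monitoring = false
            onChange(nil)                             // without the Location privilege there is no BSSID
        default:
            start()                                   // any authorized status
        }
    }

    private func start() {
        guard !monitoring else { return }
        wifi.delegate = self
        do {
            try wifi.startMonitoringEvent(with: .bssidDidChange)
            monitoring = true
        } catch {
            NSLog("Core WLAN monitoring failed: \(error)")
        }
        report()                                      // deliver the initial value
    }

    // CWEventDelegate: fires when the interface associates with a different BSSID.
    func bssidDidChangeForWiFiInterface(withName interfaceName: String) { report() }

    private func report() {
        let bssid = wifi.interface()?.bssid()         // nil when not associated or not authorized
        DispatchQueue.main.async { self.onChange(bssid) }
    }
}
```

Keep a strong reference to the monitor for as long as updates are wanted, for example `let monitor = BSSIDMonitor { print($0 ?? "unavailable") }` held by the app delegate.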
