Local Network Alert

I’ve encountered an issue with an app that includes a Local Push Connectivity extension. After a fresh install of the app, the Local Network Alert appears when calling NEAppPushManager.save(). The alert message is:

“This app would like to find and connect to devices on your local network. This app will be able to discover and connect to devices on the networks you use.”

Here is the relevant code:

```swift
pushManager.providerConfiguration = NEAppPushManager.providerConfiguration(with: settings, system: system)

if settings.ssids.isEmpty {
    fatalError("☠️ The PushManagerSettings.ssids should NEVER be empty!")
}
pushManager.matchSSIDs = !settings.ssids.isEmpty
    ? Array(settings.ssids)
    : []

return pushManager.save()
```

Questions:

1. Why does the Local Network Alert appear?

   I suspect it is related to pushManager.matchSSIDs, which interacts with the local network to match specific SSIDs.

2. What happens if the user clicks “Don’t Allow”?

   Based on my testing, everything seems to work fine even if the user denies the permission.

Would you happen to know why this is happening and if denying the alert could cause any issues down the line?

> 1. Why does the Local Network Alert appear?

It's being triggered by the save. It's primarily being presented for a few different reasons:

  1. Local push connectivity extensions run in the background for extended periods of time, which inherently has some privacy impact.

  2. It's expected that many/most of them will rely on Bonjour (or other local network discovery protocols), which require local privacy permission.

  3. By design, the lifetime of local network extension means that presenting the dialog at the point it's actually needed could make the dialog very confusing.

Note that 2 & 3 are the big issue here. It might be days or weeks before the user joins the target network and the dialog would need to be presented at the point the user first joined the network, which would be completely disconnected from normal device usage.

> 2. What happens if the user clicks “Don’t Allow”? Based on my testing, everything seems to work fine even if the user denies the permission.

How does your extension find its server? I'm double checking with the engineering team, but I'd expect the direct consequence of a denial would be that your app and extension wouldn't be able to use Bonjour (and other local network APIs). However, if your extension didn't use those APIs and, for example, relied on infrastructure DNS for server discovery then, in theory at least, I think it could work fine.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

> What happens if the user clicks “Don’t Allow”? Based on my testing, everything seems to work fine even if the user denies the permission.

Expanding on my earlier answer, "TN3179: Understanding local network privacy" has a much more complete overview of the alert and exactly what a denial would block. On the testing side, I would be careful about exactly what/how you're testing, as identical test cases ("Call another person") will succeed or fail because the network relationship between the two devices happened to involve an intermediate router. Note this recommendation in particular:

> If your app allows people to enter an arbitrary network address, consider what happens if they enter a local network address.

Many VoIP apps handle calls by using a central server to exchange IP addresses, then having the two devices directly connect to each other. Functionally, that's the same as allowing users to enter arbitrary network addresses.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
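
A test-logging helper for the point above about intermediate routers, as an added example that is not part of the original thread or Apple's code: it labels a peer IPv4 address as on-link, routed, or multicast/broadcast relative to the device's own address and prefix, so a test run can record which path a call actually took. The names `PeerPath`, `ipv4` and `classify` and all addresses are constructed for illustration; TN3179 remains the reference for what the permission covers.

```swift
// Added example: where does a peer address sit relative to this device's subnet?
enum PeerPath {
    case onLink               // same subnet: the two devices connect directly
    case routed               // a different subnet: traffic crosses a router
    case multicastOrBroadcast // discovery-style traffic on the local network
    case invalid              // input could not be parsed
}

/// Parses a dotted-quad IPv4 string into a 32-bit value, or nil if malformed.
func ipv4(_ text: String) -> UInt32? {
    let parts = text.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 4 else { return nil }
    var value: UInt32 = 0
    for part in parts {
        guard let octet = UInt8(part) else { return nil }
        value = (value << 8) | UInt32(octet)
    }
    return value
}

/// Classifies `peer` against the device's own address and prefix length (1...30).
func classify(peer: String, localAddress: String, prefixLength: Int) -> PeerPath {
    guard let p = ipv4(peer), let l = ipv4(localAddress),
          (1...30).contains(prefixLength) else { return .invalid }
    let mask = UInt32.max << UInt32(32 - prefixLength)
    let subnetBroadcast = (l & mask) | ~mask
    if p >> 28 == 0xE || p == UInt32.max || p == subnetBroadcast {
        return .multicastOrBroadcast
    }
    return (p & mask) == (l & mask) ? .onLink : .routed
}

// Constructed sample: the device is 192.168.1.20/24 and a signalling server
// hands back these peer addresses for the same "call another person" test.
for peer in ["192.168.1.57", "192.168.7.12", "203.0.113.9", "224.0.0.251"] {
    print(peer, classify(peer: peer, localAddress: "192.168.1.20", prefixLength: 24))
}
```

In this sample 192.168.7.12 is a private address yet is classified as `routed`, the kind of difference in network relationship that the answer warns can change a test's outcome.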
