Restrict iOS network access for app

When building an app, is it possible to restrict or prohibit all network access for the app at the permission level? I am using React Native with hundreds of npm modules, and I want to ensure there is no data leakage from my app. It does not need internet access, so I would like to shut down all access, period.

I don't think (and hope not) it is possible. And what about your user receiving notifications in background whilst being on your app?


What reason for data leakage do you fear? Your app is sandboxed and no external app will get data from it.

I would like to restrict all network access for my app, not all apps! I can not necessarily trust all of the JavaScript modules I am using (sadly), so want to ensure, at the permission/sandbox level, no data can be sent out.

is it possible to restrict or prohibit all network access for the app at the permission level?

No. If you'd like to see something like this added in the future, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

I can not necessarily trust all of the JavaScript modules I am using

Yikes! Honestly, that’s super scary to me but I’m sure you have your reasons.

How are you running this JavaScript? In a web view? If so, which specific web view? In a JavaScriptCore context? In both cases you have some control over the context in which the JavaScript runs, and you could potentially use that to isolate it from the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The JavaScript is being used by React Native, not a web view. So the entire application relies on JavaScript as its logic engine. React Native, as well as most JavaScript these days, relies on NPM modules, which can run into the hundreds/thousands. Written by different developers, all updated at varying intervals. While the source is "open", it is virtually impossible/impractical to verify all the code at any point in time. Yes, it is cool, and I would like to use RN to simplify my app development (for iOS, as well as Android). But it strikes me, security is a big issue!


And yes, I would like to see a "network access" permission added to the list of permissions an app needs to run. If an app truly does not need network access (in or out), why not explicitly sandbox it for that? One could envision this permission being a bit granular, to allow/disallow specifics: all input, all output, certain sites/IP-address, etc. But even a simple yes or no would be preferable to having no way to prohibit network access the way it is now.


Thanks for your answer - and I'll fill out an enhancement request.

and I'll fill out an enhancement request.

Thanks. There’s nothing preventing the sandbox working this way — in fact, this is exactly how it works on macOS, where sandboxed apps have to opt in to networking via the com.apple.security.network.client and com.apple.security.network.server entitlements — it’s just that it doesn’t right now.

Don’t forget to post your bug number.

The JavaScript is being used by React Native, not a web view.

Presumably that means the JavaScript is being run by JavaScriptCore. JavaScriptCore doesn’t provide access to the network by default. Some native code must be enabling this via a JavaScript-to-native bridge. If you track down that code you should be able to patch it to mediate access to the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
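
An added example (not code from this thread, Apple, or React Native) of using control over the JavaScript context to mediate network access: it replaces the network-capable globals with deny-by-default wrappers that accept an optional host allowlist. The name `installNetworkGuard` and its parameters are assumptions; it must run before third-party modules load, and it only covers what JavaScript reaches through these globals, not native bridge code called another way.

```javascript
// Added example: deny-by-default mediation of the network-capable globals in a
// JavaScript context. installNetworkGuard is a hypothetical helper, not a React
// Native API. Assumption: it runs on the context's global object before any
// third-party module has had a chance to capture the original functions.
function installNetworkGuard(scope, allowedHosts = [], onBlocked = () => {}) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));

  // True only when the URL parses and its host is explicitly allowlisted.
  const isAllowed = (rawUrl) => {
    try {
      return allowed.has(new URL(String(rawUrl)).hostname.toLowerCase());
    } catch {
      return false; // relative or unparsable URL: deny
    }
  };
  // Report the attempt, then hand back the error for the caller to raise.
  const deny = (api, url) => {
    onBlocked({ api, url: String(url) });
    return new Error(`network access blocked: ${api} -> ${url}`);
  };

  const guards = {};
  if (typeof scope.fetch === "function") {
    const originalFetch = scope.fetch;
    guards.fetch = (input, init) => {
      const url = input && typeof input === "object" && "url" in input ? input.url : input;
      if (!isAllowed(url)) return Promise.reject(deny("fetch", url));
      return originalFetch.call(scope, input, init);
    };
  }
  if (typeof scope.XMLHttpRequest === "function") {
    guards.XMLHttpRequest = class extends scope.XMLHttpRequest {
      open(method, url, ...rest) { // the URL is only known at open()
        if (!isAllowed(url)) throw deny("XMLHttpRequest", url);
        return super.open(method, url, ...rest);
      }
    };
  }
  if (typeof scope.WebSocket === "function") {
    guards.WebSocket = class extends scope.WebSocket {
      constructor(url, ...rest) { // refuse before the socket is created
        if (!isAllowed(url)) throw deny("WebSocket", url);
        super(url, ...rest);
      }
    };
  }
  // Lock the replacements so later code cannot reassign or delete them.
  for (const [name, value] of Object.entries(guards)) {
    Object.defineProperty(scope, name, { value, writable: false, configurable: false });
  }
  return Object.keys(guards);
}
```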

Did anything happen here?

It would be great for app developers and users alike, if the apps could limit network access to only that which the app developers intended, if any.

For example, adding an "Allowed Domains" array in the App Transport Security settings in the app's .plist would be wonderful.

Tracking down the code of all the third party libraries being used these days, either when using React Native, Flutter or CocoaPods and "patching it" does not sound like a path that should be taken if Apple is serious about their users' privacy and security.

Andreas Øverland

It would be great for app developers and users alike, if the apps could limit network access to only that which the app developers intended

Agreed (1). There is currently no way to apply restrictions like this to the entire process (2). If you’d like to see such support added in the future, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) Although that’s not quite what Expaand was asking about, because their focus was on JavaScript.

(2) And other processes doing networking requests on behalf of this process, like NSURLSession background sessions, the back end of WKWebView, and the media subsystem.

I am interested in the same, but for another reason:

@Apple: I have written an app that allows recording bike rides. It seems like CLLocationManager thinks I was driving a car if I am faster than 25 km/h and it keeps announcing locations that match the road beside me. This is not true and very annoying, since it is a fitness/bike/hiking/fun app and Apple seems to not be interested in giving CLLocationManager an option to suppress this annoying behavior (position fixing). I've tested all of its modes (even in Fitness it performs position fixing).

So recently I did several tests with and without networks available and I figured out that CLLocationManager performs this unwanted position fixing only if there is internet access. Am I right?

My app is designed to not (necessarily) show a map while recording. So if "prohibit-network-access" could programmatically be registered/unregistered by any app (and only for the app itself), this would for sure improve the tracking quality of several fitness/bike/fun apps. (Also, you forgot to document that behavior for CLLocationManager.)

Another option is to tell my users to try the airplane mode while tracking, if they think the tracker often is of poor quality. Is that really what you want?

Oh: And since we're in the forums of Apple, I have another question: Why can't we simply complain about stuff over here? Instead of sending "bug reports" to Apple and receiving answers like "unfortunately this is no bug"? I have already given up when I read “Don’t forget to post your bug number.”

Essence: You already are pretty good but you can improve these things and make those simpler! ;-)

So recently I did several tests with and without networks available and I figured out that CLLocationManager performs this unwanted position fixing only if there is internet access. Am I right?

That question is very specific to the location subsystem, something that I’m not familiar with. I recommend that you start a new thread for it, tagging it Core Location so that the relevant folks see it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
