How to get BundleID from sourceAppAuditToken ?

In NEFilterDataProvider, the system helpfully provides NEFIlterFlow.sourceAppAuditToken. How should I interpret it though?

This is of Data type, how can I map it to an app, for example via its BundleID?


In another question, it was suggested to look at <bsm/libbsm.h>. However this seems to be objective-c and deprecated ? How can I do this in swift ?

Thanks!

Up vote post of devfunshark Down vote post of devfunshark
2.0k views
Posted by
devfunshark
Reply
Add a Comment

Replies

I have gathered that I should use SecCodeCopyGuestWithAttributes with the flag 

kSecGuestAttributeAudit.


However, I am unclear as to exactly how to do it:

- how can I convert a 

kSecGuestAttributeAudit to a SecCSFlags ?

- how can I convert flow.sourceAppAuditToken to UnsafeMutablePointer<SecCode?> ?

- should I use nil for host ?

Posted by
devfunshark
Up vote reply of devfunshark Down vote reply of devfunshark
Add a Comment

it was suggested to look at 

<bsm/libbsm.h>
. However this seems to be Objective-C and deprecated ?

The libbsm API is neither in Objective-C nor deprecated. You can access it from Swift like you’d access any other C API:

  • If the API is modularised, import that.

  • If not, use a bridging header.

It turns out that libbsm is modularised, so you can just go 

import Darwin.bsm
.

I have gathered that I should use 

SecCodeCopyGuestWithAttributes
with the flag 
kSecGuestAttributeAudit
.

Correct. However, you seem to be off in the weeds with regards calling that. Pasted in below is some code looks up the bundle ID based on the audit token.

IMPORTANT If you’re building a security product, basing security decisions on the bundle ID is unwise. While the bundle ID is sealed by the code signature, there’s nothing stopping folks from spoofing it. For example, anyone can build an app with a bundle ID of 

com.apple.finder
. A better approach is to use the code’s designated identifierdesignated requirement. This typically embeds both the code signing identifier (more or less equivalent to the bundle ID) and information about who signed the code (for third-party code, this is the Team ID).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
func bundleIDForAuditToken(_ tokenData: Data) -> String? {

    // Get a code reference.

    var codeQ: SecCode? = nil
    var err = SecCodeCopyGuestWithAttributes(nil, [
        kSecGuestAttributeAudit: tokenData
    ] as NSDictionary, [], &codeQ)
    guard err == errSecSuccess else {
        return nil
    }
    let code = codeQ!

    // Convert that to a static code.

    var staticCodeQ: SecStaticCode? = nil
    err = SecCodeCopyStaticCode(code, [], &staticCodeQ)
    guard err == errSecSuccess else {
        return nil
    }
    let staticCode = staticCodeQ!

    // Get code signing information about that.

    var infoQ: CFDictionary? = nil
    err = SecCodeCopySigningInformation(staticCode, [], &infoQ)
    guard err == errSecSuccess else {
        return nil
    }
    let info = infoQ! as! [String:Any]

    // Extract the bundle ID from that.

    guard
        let plist = info[kSecCodeInfoPList as String] as? [String:Any],
        let bundleID = plist[kCFBundleIdentifierKey as String] as? String
    else {
        return nil
    }
    return bundleID
}
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi Eskimo, that is right, it is modularized and not deprecated. I was misled by the fact that when I type "import Darwin" it appears with a red strikethrough, which I mistakenly interpreted as deprecated.


Thanks a lot for the code, I was indeed missing this. I was looking around for this info, but couldn't find the procedure you sent on "https://developer.apple.com/documentation/security/code_signing_services"


Is there another source of documentation or code examples that you would recommend ?


Thanks for the tip on using the code's designated identifier. I assume you mean 

kSecCodeInfoIdentifier
. I will use this.


Thanks a lot for your help!

Posted by
devfunshark
Up vote reply of devfunshark Down vote reply of devfunshark
Add a Comment

Hey Eskimo,


the code works great except for one thing, it will add these errors to the log:


MacOS error: -25337
CSSM Exception: 3 unknown error 3=3
CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR

Also, when I try to run SecCodeCheckValidity, it will error out. Maybe it's related (though I get the errors above even when I do not call this function).


Any idea what the issue could be? Maybe I am missing some entitlements in my app, to validate code?

Posted by
devfunshark
Up vote reply of devfunshark Down vote reply of devfunshark
Add a Comment

Thanks for the tip on using the code's designated identifier.

Whoah! I wrote completely the wrong thing there. I meant to say designated requirement.

I assume you mean 

kSecCodeInfoIdentifier
.

No, sorry, my typo has mislead you )-: You should be looking to 

kSecCodeInfoDesignatedRequirement
and the 
SecRequirement
type.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment