XPC Messaging-- secure channel?

Question

Created Sep ’21

Replies 3

Boosts 0

Views 1.7k

Participants 2

I'm adding an embedded XPC service to a Safari Extension to handle some user sensitive data. I've been reading anything I can get my hands on, and I know that since the service is private, no other process besides my extension should be able to connect to it. That's great.

However, I want to be sure that the channel is safe from man in the middle attacks. Digging in, the output of sudo launchctl procinfo <pid> has among other things, an address to a Unix socket under SSH_AUTH_SOCK. I'm wondering if Unix file sockets are the underlying technology used to deliver these XPC messages, are the payloads encrypted, and if those messages can be intercepted.

I'm using the NSXPXConnection API, rather than the lower-level XPC API, if that makes a difference.

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’21

I'm wondering if Unix file sockets are the underlying technology used to deliver these XPC messages

They are not. XPC is based on top of Mach messaging.

I'm using the NSXPCConnection API, rather than the lower-level XPC API, if that makes a difference.

It does, alas. Securing the identity of the remote peer has been an ongoing challenge in XPC (see this thread) but we recently added some new APIs that make it a lot nicer. Unfortunately those are only available to the XPC C API )-: See this thread for details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

DTS Engineer OP

Apple

Sep ’21

Since the XPC service in my case here is an embedded service, so my extension should be the only process that can use it.

So, you have an app with a nested appex, and that appex has an XPC Service nested within it? Is that right?

If so, the XPC Service is registered in such a way that it’s only visible to the appex. Oh, and each instance of the appex will get its own instance of the XPC Service.

My main concern still then can the data be intercepted in transit, no so much that another process could hijack the service itself.

Who are you trying to protect this data from? If you’re trying to protect it from malicious software installed on the user’s Mac, the above should be sufficient. While there are ways to ‘sniff’ XPC connections, they all require elevated privileges, to the point that an attacker with those privileges has easier ways to get at your data.

If you’re trying to protect this data from the user, that’s a different story. At that point you’re essentially creating a DRM system and creating 100% reliable DRM is impossible on an open platform like the Mac.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 3

tylerfromdavis OP

Sep ’21

This perfectly addresses my concern. You are correct this is a nested appex, and that appex has its own embedded XPC service. I wanted to make sure that malicious software could not intercept data between the appex and the service. The data in this case is not something I'm trying to protect from the user, only from malware.

Thanks again for all your help.

0