XPC Messaging-- secure channel?

I'm adding an embedded XPC service to a Safari Extension to handle some user sensitive data. I've been reading anything I can get my hands on, and I know that since the service is private, no other process besides my extension should be able to connect to it. That's great.

However, I want to be sure that the channel is safe from man in the middle attacks. Digging in, the output of sudo launchctl procinfo <pid> has among other things, an address to a Unix socket under SSH_AUTH_SOCK. I'm wondering if Unix file sockets are the underlying technology used to deliver these XPC messages, are the payloads encrypted, and if those messages can be intercepted.

I'm using the NSXPXConnection API, rather than the lower-level XPC API, if that makes a difference.

Up vote post of tylerfromdavis Down vote post of tylerfromdavis
1.3k views
Posted by
tylerfromdavis
Reply
Add a Comment

Replies

I'm wondering if Unix file sockets are the underlying technology used to deliver these XPC messages

They are not. XPC is based on top of Mach messaging.

I'm using the NSXPCConnection API, rather than the lower-level XPC API, if that makes a difference.

It does, alas. Securing the identity of the remote peer has been an ongoing challenge in XPC (see this thread) but we recently added some new APIs that make it a lot nicer. Unfortunately those are only available to the XPC C API )-: See this thread for details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Post not yet marked as solved Up vote reply of eskimo Down vote reply of eskimo

  • Ok, Mach messaging, not Unix sockets. That is helpful, thank you.

    With regards to identifying the remote peer-- in my case this shouldn't be an issue, correct? Since the XPC service in my case here is an embedded service, so my extension should be the only process that can use it.

    My main concern still then can the data be intercepted in transit, no so much that another process could hijack the service itself. I know next to nothing about Mach messaging, so I have a little more digging to do then. But the fact the this looks like something that happens at the kernel level is encouraging from a security standpoint.

    tylerfromdavis
Add a Comment

Since the XPC service in my case here is an embedded service, so my extension should be the only process that can use it.

So, you have an app with a nested appex, and that appex has an XPC Service nested within it? Is that right?

If so, the XPC Service is registered in such a way that it’s only visible to the appex. Oh, and each instance of the appex will get its own instance of the XPC Service.

My main concern still then can the data be intercepted in transit, no so much that another process could hijack the service itself.

Who are you trying to protect this data from? If you’re trying to protect it from malicious software installed on the user’s Mac, the above should be sufficient. While there are ways to ‘sniff’ XPC connections, they all require elevated privileges, to the point that an attacker with those privileges has easier ways to get at your data.

If you’re trying to protect this data from the user, that’s a different story. At that point you’re essentially creating a DRM system and creating 100% reliable DRM is impossible on an open platform like the Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Post not yet marked as solved Up vote reply of eskimo Down vote reply of eskimo

  • This perfectly addresses my concern. You are correct this is a nested appex, and in that appex there is an XPC service. I wanted to make sure that malicious software could not intercept data between the appex and the XPC service. The data in this case is not something I'm trying to protect from the user, only from malware.

    Thanks again for all your help.

    tylerfromdavis

  • This perfectly addresses my concern. You are correct this is a nested appex, and in that appex there is an XPC service. I wanted to make sure that malicious software could not intercept data between the appex and the XPC service. The data in this case is not something I'm trying to protect from the user, only from malware.

    Thanks again for all your help.

    tylerfromdavis
Add a Comment

This perfectly addresses my concern. You are correct this is a nested appex, and that appex has its own embedded XPC service. I wanted to make sure that malicious software could not intercept data between the appex and the service. The data in this case is not something I'm trying to protect from the user, only from malware.

Thanks again for all your help.

Posted by
tylerfromdavis
Up vote reply of tylerfromdavis Down vote reply of tylerfromdavis
Add a Comment