How to differentiate flows from a wkwebview app and from Safari Browser using sourceAppAuditToken of the flow?

Since there is no 'NEFilterFlow.sourceAppIdentifier' for the flow in handleNewFlow (macOS NEFilterDataProvider), the one alternative is to find the owner of the flow by converting the sourceAppAuditToken to a designated identifier.

For a simple WKWebView app, the designated identifier (derived from SecCodeCopyDesignatedRequirement) is returned as:

  • key : "requirements"
  • value : designated => identifier "com.apple.WebKit.Networking" and anchor apple

The same value is returned even if we use a flow from Safari Browser. The expected output is "com.apple.Safari", but I am not sure why "com.apple.WebKit.Networking" is returned.

Even the bundle identifier shows "com.apple.WebKit.Networking" instead of "com.apple.Safari".

(I used eskimo's shared code https://developer.apple.com/forums/thread/128423?answerId=403770022#403770022 for the bundle ID, and slightly modified code for the designated identifier using kSecCodeInfoDesignatedRequirement.)

How can we differentiate flows from a wkwebkit-webview app and flows from Safari Browser flows?

Any alternative approaches there? The lack of a flow.sourceAppIdentifier field on Mac causes all these additional derivations for each flow; is that expensive at the network extension level?

 

Accepted Answer

How can we differentiate flows from a wkwebkit-webview app and flows from Safari Browser flows?

You can attempt to extract this from the flow.description, otherwise, you can try to extract the bundle identifier of the actual app sending the Network traffic from the signature as you previously mentioned from Quinn's post. This is assuming that the app contains a code signature.

/* If the info identifier is available, return this. */
if let identifier = info[kSecCodeInfoIdentifier as String] as? String {
	return identifier
}
/* Otherwise look for the identifier in the plist */
guard
	let plist = info[kSecCodeInfoPList as String] as? [String:Any],
	let bundleID = plist[kCFBundleIdentifierKey as String] as? String
else {
	return nil
}
/* Return the bundle identifier found in the plist */
return bundleID

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks Matt. I agree with you on using flow.description to differentiate. Thank you. This works and I will mark it as Answered.

I have taken a longer route than the direct one, the reason being to get more details and the exact designated identifier from the SecCode.

Once we have the SecStaticCode, I tried to extract it as follows:

let flags = SecCSFlags(rawValue: 0)
var requirement: SecRequirement?
var text: CFString?

err = SecCodeCopyDesignatedRequirement(staticCode, flags, &requirement)
guard err == errSecSuccess else {
   return nil
}
err = SecRequirementCopyString(requirement!, flags, &text)
guard err == errSecSuccess else {
   return nil
}

'text' is always returned as designated => identifier "com.apple.WebKit.Networking", not as "com.apple.Safari".

Is this expected for all webView app and Safari?

Is this expected for all webView app and Safari?

Well, for WKWebView apps, their networking can run out-of-process, so this could be what you are seeing. I would have expected that the traffic from Safari would come from com.apple.safari though, as this is what I am used to seeing in the logs.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thank you for the reply.

From the console logs, it will show com.apple.safari for the flow description (Handling new flow - log), but the designated identifier derived from code for Safari and WebView apps is returning com.apple.WebKit.Networking.

That's the observation I had, hence I raised this thread.
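
The steps discussed in this thread, combined into one function as an added example (not code from any of the posters): it takes the Data from sourceAppAuditToken and returns the signing identifier, the bundle identifier and the designated requirement text together, so they can be logged side by side for a flow. The names FlowSourceIdentity and resolveIdentity are hypothetical.

```swift
import Foundation
import Security

/// Signing details for the process an audit token identifies (hypothetical type).
struct FlowSourceIdentity {
    let signingIdentifier: String?      // kSecCodeInfoIdentifier
    let bundleIdentifier: String?       // CFBundleIdentifier from the sealed Info.plist
    let designatedRequirement: String?  // text form of the designated requirement
}

/// `auditToken` is the Data taken from NEFilterFlow.sourceAppAuditToken.
/// Returns nil when no code object or signing information can be obtained.
func resolveIdentity(fromAuditToken auditToken: Data) -> FlowSourceIdentity? {
    // Dynamic code object for the running process that owns the token.
    var codeQ: SecCode?
    let attributes = [kSecGuestAttributeAudit: auditToken] as CFDictionary
    guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &codeQ) == errSecSuccess,
          let code = codeQ else { return nil }

    // Static (on-disk) code object, needed for the queries below.
    var staticCodeQ: SecStaticCode?
    guard SecCodeCopyStaticCode(code, [], &staticCodeQ) == errSecSuccess,
          let staticCode = staticCodeQ else { return nil }

    // Generic signing information: identifier and sealed Info.plist.
    var infoQ: CFDictionary?
    guard SecCodeCopySigningInformation(staticCode, [], &infoQ) == errSecSuccess,
          let info = infoQ as? [String: Any] else { return nil }
    let plist = info[kSecCodeInfoPList as String] as? [String: Any]

    // Designated requirement as text; stays nil if it cannot be derived.
    var requirementQ: SecRequirement?
    var textQ: CFString?
    if SecCodeCopyDesignatedRequirement(staticCode, [], &requirementQ) == errSecSuccess,
       let requirement = requirementQ {
        _ = SecRequirementCopyString(requirement, [], &textQ)
    }

    return FlowSourceIdentity(
        signingIdentifier: info[kSecCodeInfoIdentifier as String] as? String,
        bundleIdentifier: plist?[kCFBundleIdentifierKey as String] as? String,
        designatedRequirement: textQ.map { $0 as String })
}
```

In this thread the bundle identifier and the designated requirement both came back as com.apple.WebKit.Networking for Safari and for a WKWebView app, which is why the accepted answer falls back to flow.description.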
