Since there is no 'NEFilterFlow.sourceAppIdentifier' for the flow in handleNewFlow (macOS NEFilterDataProvider), the one alternative is to find the owner of the flow by converting sourceAppAuditToken to a designated identifier.
For a simple WKWebView app, the designated identifier (derived from SecCodeCopyDesignatedRequirement) is returned as:
- key : "requirements"
- value : designated => identifier "com.apple.WebKit.Networking" and anchor apple
The same value is returned even if we use a flow from the Safari browser. The expected output is "com.apple.Safari", but I am not sure why "com.apple.WebKit.Networking" is returned.
Even the bundle identifier shows "com.apple.WebKit.Networking" instead of "com.apple.Safari".
(I used eskimo's shared code https://developer.apple.com/forums/thread/128423?answerId=403770022#403770022 for the bundle ID, and slightly modified code for the designated identifier using kSecCodeInfoDesignatedRequirement.)
How can we differentiate flows from a wkwebkit-webview app and flows from the Safari browser?
Are there any alternative approaches? Does the lack of the flow.sourceAppIdentifier field on Mac, which causes all these additional derivations for each flow, make this expensive at the network extension level?
How can we differentiate flows from a wkwebkit-webview app and flows from the Safari browser?

You can attempt to extract this from the flow.description; otherwise, you can try to extract the bundle identifier of the actual app sending the network traffic from the signature, as you previously mentioned from Quinn's post. This is assuming that the app contains a code signature.
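```swift
import Foundation
import Security

// Wrapper added so the fragment compiles; `info` is the dictionary
// returned by SecCodeCopySigningInformation, as in the linked post.
func identifier(fromSigningInfo info: [String: Any]) -> String? {
    /* If the info identifier is available, return this. */
    if let identifier = info[kSecCodeInfoIdentifier as String] as? String {
        return identifier
    }
    /* Otherwise look for the identifier in the plist */
    guard
        let plist = info[kSecCodeInfoPList as String] as? [String: Any],
        let bundleID = plist[kCFBundleIdentifierKey as String] as? String
    else {
        return nil
    }
    return bundleID
}
```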
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
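
An added example, not part of the original thread: the audit-token lookup discussed above, with a signature validity check and a per-token cache so the Security framework calls run once per process rather than once per flow. The class and method names are hypothetical. It resolves the process that owns the flow, so for WebKit-based apps it still yields the helper identifier reported in the question.

```swift
import Foundation
import Security

/// Hypothetical helper (names are not from the thread): resolves
/// NEFilterFlow.sourceAppAuditToken to a signing identifier and caches it.
final class FlowSourceResolver {
    // Keyed by the raw audit token bytes, so an entry is only reused
    // for flows that carry the identical token.
    private var cache: [Data: String] = [:]
    private let lock = NSLock()

    func signingIdentifier(for token: Data) -> String? {
        lock.lock()
        defer { lock.unlock() }
        if let hit = cache[token] { return hit }

        // Audit token -> dynamic code object for the running process.
        var codeQ: SecCode?
        let attrs = [kSecGuestAttributeAudit: token] as NSDictionary
        guard SecCodeCopyGuestWithAttributes(nil, attrs, [], &codeQ) == errSecSuccess,
              let code = codeQ else { return nil }

        // Signing information is only meaningful if the signature is valid.
        guard SecCodeCheckValidity(code, [], nil) == errSecSuccess else { return nil }

        // Dynamic code -> static code on disk.
        var staticQ: SecStaticCode?
        guard SecCodeCopyStaticCode(code, [], &staticQ) == errSecSuccess,
              let staticCode = staticQ else { return nil }

        // Static code -> signing information dictionary.
        var infoQ: CFDictionary?
        guard SecCodeCopySigningInformation(staticCode, [], &infoQ) == errSecSuccess,
              let info = (infoQ as NSDictionary?) as? [String: Any] else { return nil }

        // Prefer the signing identifier, fall back to the Info.plist bundle ID.
        let signingID = info[kSecCodeInfoIdentifier as String] as? String
        let plist = info[kSecCodeInfoPList as String] as? [String: Any]
        let bundleID = plist?[kCFBundleIdentifierKey as String] as? String
        guard let id = signingID ?? bundleID else { return nil }

        cache[token] = id
        return id
    }
}
```

The cache is unbounded as written; a long-running filter would evict entries, for example when it reaches a size limit.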