How to differentiate flows from a wkwebview app and from Safari Browser using sourceAppAuditToken of the flow?

Since there is no 'NEFilterFlow.sourceAppIdentifier' for the flow in handleNewFlow(MacOS NEFilterDataProvider), the one alternative is to find  the owner of the flow by the conversion of sourceAppAuditToken to designated identifier.

For a simple WkWebView App, The designated identifier (derived from SecCodeCopyDesignatedRequirement) is returning as :-

  • key : "requirements"
  • value : designated => identifier "com.apple.WebKit.Networking" and anchor apple

The above same value is returned even if we use a flow from Safari Browser. The expected output is to get “com.apple.Safari" , but not sure why “com.apple.WebKit.Networking” is returned.

Even, bundle Identifier is also showing “com.apple.WebKit.Networking” instead of “com.apple.Safari”.

(I used eskimo shared code https://developer.apple.com/forums/thread/128423?answerId=403770022#403770022 for BundleId and slightly modified code for designated identifier using kSecCodeInfoDesignatedRequirement)

How can we differentiate flows from a wkwebkit-webview app and flows from Safari Browser flows?

Any alternative approaches there?, lack of flow.sourceAppIdentifier field on Mac cause all these additional derivations per each flow is expensive at network extension level?

 

Up vote post of AThomas Down vote post of AThomas
247 views
Posted by
AThomas
Reply
Add a Comment

Accepted Reply

How can we differentiate flows from a wkwebkit-webview app and flows from Safari Browser flows?

You can attempt to extract this from the flow.description, otherwise, you can try to extract the bundle identifier of the actual app sending the Network traffic from the signature as you previously mentioned from Quinn's post. This is assuming that the app contains a code signature.

/* If the info identifier is available, return this. */
if let identifier = info[kSecCodeInfoIdentifier as String] as? String {
	return identifier
}
/* Othewise look for the identifier in the plist */
guard
	let plist = info[kSecCodeInfoPList as String] as? [String:Any],
	let bundleID = plist[kCFBundleIdentifierKey as String] as? String
else {
	return nil
}


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment

Replies

How can we differentiate flows from a wkwebkit-webview app and flows from Safari Browser flows?

You can attempt to extract this from the flow.description, otherwise, you can try to extract the bundle identifier of the actual app sending the Network traffic from the signature as you previously mentioned from Quinn's post. This is assuming that the app contains a code signature.

/* If the info identifier is available, return this. */
if let identifier = info[kSecCodeInfoIdentifier as String] as? String {
	return identifier
}
/* Othewise look for the identifier in the plist */
guard
	let plist = info[kSecCodeInfoPList as String] as? [String:Any],
	let bundleID = plist[kCFBundleIdentifierKey as String] as? String
else {
	return nil
}


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment

Thanks Matt, Agree with you on using flow.description for differentiate.Thank you.This works and I will mark as Answered.

I have taken a long route than direct one, Reason being to get more details and exact designated identifier from the SecCode.

Once we have the SecStaticCode :- I tried to extract it like following.

let flags = SecCSFlags(rawValue: 0)
var requirement: SecRequirement?
var text: CFString?

err = SecCodeCopyDesignatedRequirement(staticCode, flags, &requirement)
guard err == errSecSuccess else {
   return nil
}
err = SecRequirementCopyString(requirement!, flags, &text)
guard err == errSecSuccess else {
   return nil
}

'text' always returned as designated => identifier "com.apple.WebKit.Networking" , not as “com.apple.Safari”.

Is this expected for all webView app and Safari?

Posted by
AThomas
Up vote reply of AThomas Down vote reply of AThomas
Add a Comment

Is this expected for all webView app and Safari?

Well, for WkWebView apps, there networking can run out-of-process, so this could be what you are seeing. I would have expected that the traffic from Safari come from com.apple.safari thought, as this is what I am used to seeing in the logs.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thank you for the reply.

From the console logs, it will show com.apple.safari for flow description(Handling new flow - log), but the designated identifier derived from code for safari and webview apps are returning com.apple.WebKit.Networking.

Thats the observation I had, hence I raised this thread.

Posted by
AThomas
Up vote reply of AThomas Down vote reply of AThomas
Add a Comment