NSXPCConnection Data Communication Security

Question

Created Dec ’22

Replies 6

Boosts 0

Views 1.7k

Participants 2

I have two processes that talk to each other using an NSXPCConnection. If I want to pass sensitive data over the connection, should I be worried about it being intercepted or read by other processes? Should I encrypt any sensitive data before sending it over the connection and have the other process have to decrypt it?

Answered by DTS Engineer in 739254022

One process is a LaunchDaemon and the other is a LaunchAgent.

XPC connections from your agent to your daemon are reasonably secure. Specifically, when your agent starts the connection it should set the privileged flag (or XPC_CONNECTION_MACH_SERVICE_PRIVILEGED in the C API). That ensures that the agent only connects to the service in the global namespace, and adding a service to the global namespace is a privileged operation.

IMPORTANT The docs I linked to above don’t really capture the meaning of that flag (r. 100412590). Rather, read the description in the xpc_connection_create man page.

If you want the daemon to be able to check the identity of the client, see this post.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Dec ’22

If I want to pass sensitive data over the connection, should I be worried about it being intercepted or read by other processes?

That depends on the nature of these two processes and your threat model. Let’s start with the first point: What context are these processes running in?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

tagnal OP

Dec ’22

One process is a LaunchDaemon and the other is a LaunchAgent.

0

Answer 3

tagnal OP

Dec ’22

Some possible examples: The LaunchDaemon enforces security on a device. When setting up something like 2FA using an authenticator app, the user would interact with the LaunchAgent which handles the UI. The LaunchAgent would then need to pass the TOTP secret back to the LaunchAgent upon successful setup.

In macOS 12, under System Preferences -> Security & Privacy -> FileVault, the "Enable Users..." button and functionality is no longer available. Our LaunchDaemon helps enforce/manage FileVault on the device. So we would like to add a UI component which simulated that functionality of adding additional users to be able to unlock FileVault so they won't need to do it via the command line. In this case, user credentials would be passed from the LaunchAgent to the LaunchDaemon.

0

Answer 4

tagnal OP

Dec ’22

Sorry, mistake in there: The LaunchAgent would then need to pass the TOTP secret back to the LaunchDaemon upon successful setup.

0

Answer 5

DTS Engineer OP

Apple

Dec ’22

Accepted Answer

One process is a LaunchDaemon and the other is a LaunchAgent.

XPC connections from your agent to your daemon are reasonably secure. Specifically, when your agent starts the connection it should set the privileged flag (or XPC_CONNECTION_MACH_SERVICE_PRIVILEGED in the C API). That ensures that the agent only connects to the service in the global namespace, and adding a service to the global namespace is a privileged operation.

IMPORTANT The docs I linked to above don’t really capture the meaning of that flag (r. 100412590). Rather, read the description in the xpc_connection_create man page.

If you want the daemon to be able to check the identity of the client, see this post.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 6

tagnal OP

Dec ’22

Thank you for your insight.

0