Not using "Required Reason API", but actually receiving the same output through invoking a system call

stat() is in the "Required Reason API" list. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

I do not use stat() in my app, but I use an assembler instruction to invoke the stat system call. For security purposes, I use its return value to check the existence of some files and directories outside the app container. I use the system call instead of the API for a security reason.

Q. Do I have to declare that my app uses "Required Reason API"?

I use an assembler instruction to invoke the stat system call.

Do not do this. Regardless of the privacy question you asked here, Apple platforms do not guarantee binary compatibility at the system call level. You must make system calls via the System framework.

[I keep telling the kernel folks they should randomise the system call numbers with every major OS release to prevent folks making this mistake. So far no one has picked up that suggestion. One day… one day… (-:]

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
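An added example, not part of the thread and not Apple's code: the same kind of existence check made through the libc stat() wrapper rather than a hand-written trap instruction, with errno used to separate "absent" from "access refused". The names probe_path and probe_result and the sample paths are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

/* Hypothetical result type for this example. */
typedef enum {
    PROBE_PRESENT,  /* the path resolves to an existing object */
    PROBE_ABSENT,   /* the kernel reported that nothing is there */
    PROBE_DENIED,   /* access was refused, so existence is unknown */
    PROBE_ERROR     /* any other failure; errno says why */
} probe_result;

/* probe_path is a hypothetical helper. It calls the library wrapper,
 * so the system call number and ABI stay the platform's concern. */
probe_result probe_path(const char *path)
{
    struct stat sb;

    if (path == NULL) {
        errno = EINVAL;
        return PROBE_ERROR;
    }
    if (stat(path, &sb) == 0)   /* stat() follows symbolic links */
        return PROBE_PRESENT;

    switch (errno) {
    case ENOENT:   /* no such entry (also reported for an empty path) */
    case ENOTDIR:  /* a parent component is not a directory */
        return PROBE_ABSENT;
    case EACCES:   /* search permission denied on a parent directory */
    case EPERM:    /* refused by policy */
        return PROBE_DENIED;  /* must not be read as "file is absent" */
    default:
        return PROBE_ERROR;
    }
}

int main(void)
{
    /* Constructed sample paths, not taken from the thread. */
    const char *samples[] = { "/", "/constructed-example/absent" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %d\n", samples[i], (int)probe_path(samples[i]));
    return 0;
}
```
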

I posted a thread specifically about stat() here:

https://developer.apple.com/forums/thread/734750

I don't know whether your asm hack will avoid whatever checker they plan to use. Once they put that into effect, please let us know what happens. But of course if it does slip past the checker, they will probably consider that as you trying to subvert the app review process. Be careful!

As I'm sure you know, checking the existence of files for security reasons is not one of the permitted reasons for calling stat(). So you actually can't declare that your app uses stat(), unless you lie about the reason. Did you submit a request for a new approved reason?

It is difficult for me to decide to allow attackers to hook APIs I use for security purposes.

If an attacker has the ability to subvert your call to stat in the System framework, it’s likely they have the ability to either:

  • Modify your binary to replace your system call

  • Modify the kernel to replace the stat implementation

Building your own DRM scheme like this has a lot of negatives:

  • It consumes time you could be spending on useful features.

  • It’s never 100% effective.

  • It opens you up to weird binary compatibility problems [1].

  • And now it’s entangled you in this Required Reason exercise.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Imagine, for example, if the kernel team took up the idea from my previous post.
