Is there a way to turn off Network Extension Logs?

Hello, I'm developing a Transparent Proxy and I noticed that the Network Extension Framework logs in the Unified Logging System when my profile receives a flow, its source application, its destination endpoint, and my profile's decision regarding that flow.

I worry that this may compromise the user's privacy. So is there a way that I can turn off these logs at least in Distribution Configurations?

Answered by DTS Engineer in 824618022

There are two parts to this:

  • What you log

  • What the system logs

With regards the first, you do need to be careful about the potentially private data that you log. Apple’s system log APIs let you tag each logged item with a privacy level. For more information about that, see the docs linked to by Your Friend the System Log.

With regards the logging done by the system, you can generally assume that the system is careful about what it logs. And while you can change the system’s log configuration using various facilities — on macOS that is, and see Your Friend the System Log for the details — I don’t think it’s wise to do that in a widely distributed software product. The log configuration should be under the user’s control (or the site manager’s control, in a managed environment).

With regards the specific info you’re seeing, I recommend that you retest in a production environment. The info you see logged during development is very different from the info you see logged in production, because various tools have mechanisms to force the recording of private data during development.

If this retest reveals private data that you don’t think should be recorded by default, I encourage you to file a bug about that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn, I do not log anything; there are no prints, no NSLogs, and no OSLogs in my code at all. These logs are coming from my process but they are coming from the com.apple.networkextension subsystem.

I tried adding the OSLogPreferences key in the info.plist of my ProxyProvider target as follows:

but it is still logging in the Unified Logging System the hostnames and ports of the websites the user is visiting. Have I specified the key correctly?

I have also tried with a production configuration build signed using a Developer ID certificate, and I am still seeing the logs from the com.apple.networkextension subsystem.

Have you tried this on a ‘clean’ system? It’s possible that you previously enabled this logging [1].

Also, test this at the user level. That is, don’t run your product from Xcode. Rather, install a production build of your product in the same way that a user would and then monitor the system log with Console or the log tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For example, via the instructions on our Bug Reporting > Profiles and Logs page.
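An added example, not part of the thread or of Apple's tooling: one way to run the retest suggested above is to install the production build on a clean system, pipe `log show --last 10m --style ndjson --predicate 'subsystem == "com.apple.networkextension"'` into a small script, and count which entries are redacted as `<private>` and which carry a clear-text endpoint. It assumes the `subsystem`, `eventMessage` and `processImagePath` fields of the NDJSON output; the sample entries, their message wording and the `ExampleProxy` path are constructed, and the host:port regex is only a heuristic.

```python
import json
import re
import sys

SUBSYSTEM = "com.apple.networkextension"
# A hostname:port or IPv4:port that appears in clear text in a message.
ENDPOINT = re.compile(
    r"\b(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}\b", re.I)

def audit(lines, subsystem=SUBSYSTEM):
    """Return (total, redacted, leaks); leaks holds (process, endpoint) pairs."""
    total, redacted, leaks = 0, 0, []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict) or entry.get("subsystem") != subsystem:
            continue  # other subsystems and the trailing summary object
        total += 1
        message = entry.get("eventMessage") or ""
        found = ENDPOINT.findall(message)
        if found:
            process = (entry.get("processImagePath") or "?").rsplit("/", 1)[-1]
            leaks.extend((process, endpoint) for endpoint in found)
        elif "<private>" in message:
            redacted += 1
    return total, redacted, leaks

# Constructed sample entries; the message wording is invented for illustration.
_PROXY = "/Applications/Example.app/Contents/MacOS/ExampleProxy"
SAMPLE = [json.dumps(e) for e in (
    {"subsystem": SUBSYSTEM, "processImagePath": _PROXY,
     "eventMessage": "new flow from com.example.browser to <private>"},
    {"subsystem": SUBSYSTEM, "processImagePath": _PROXY,
     "eventMessage": "new flow from com.example.browser to www.example.com:443"},
    {"subsystem": SUBSYSTEM, "processImagePath": _PROXY,
     "eventMessage": "provider started"},
    {"subsystem": "com.example.other", "processImagePath": _PROXY,
     "eventMessage": "connected to 192.0.2.10:8443"},
    {"count": 4, "finished": 1},
)]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    total, redacted, leaks = audit(source)
    print(f"{total} entries, {redacted} redacted, {len(leaks)} clear-text endpoints")
    for process, endpoint in leaks:
        print(f"  {process}: {endpoint}")
```

Run with no input it audits the constructed sample; any clear-text endpoints it reports from a real production install are the concrete evidence to attach to a bug report.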
