Network extension framework versus kernel extension

I am looking to implement firewall/network filtering functionalities for macOS.
I am looking at the most secure way to do this, i.e. trying to make sure no network traffic is missed, and that my filtering cannot easily be bypassed.
After searching around, I can see that Apple has deprecated Network Kernel Extension. They recommend now to use the Network Extension framework.
However, I can see that firewalls for mac, for example Lulu and Little Snitch have moved to using Kernel Extension, and not the Network Extension framework.
Is there a good reason to do so? Do Kernel Extensions allow deeper, more secure filtering?

for example Lulu and Little Snitch have moved to using Kernel Extension
I can't speak for Lulu, but Little Snitch at least was developed long before the "Network Extension" API was introduced, it certainly didn't "move to" the NKE API. According to an article on their own blog it looks like they're actively investigating moving to Network Extensions. I suspect that as long as NKEs work without restrictions on all macOS versions they support, they'll keep using those, in order not to have to ship different back-ends simultaneously. But they probably have some kind of internal prototype using the newer APIs already to make sure they're prepared for when NKE APIs are finally removed from the OS.
If Network Extensions support your use case, you should probably go with them. If they don't, you should file Enhancement Requests with Apple, or you will be out of options when NKEs stop working.
Edit: To deploy NKEs, you will essentially need a kext signing certificate (Developer ID Application + Kext) if you don't already have one. The alternative is forcing your users to disable SIP's kext signing requirement, which is neither sensible nor reasonable in most cases. I hear Apple has made it much harder to obtain such a certificate in recent years.

Blocking all connections to a specific domain only

I've been struggling to find how I could potentially implement a simple (iOS) app that would be able to block all connections to a specific domain (to prevent the user from accessing a specific social media platform for example, even from another app).
The information that I have found so far is that I should probably create a Packet Tunnel Provider within a Network Extension and ask the user to add VPN configurations, but I haven't found any example code that would show exactly how to implement this.
Do you have any idea how I could do that in a simple way (block all connections to a specific domain)? Is there a framework/library that I could use to do it easily?
Thank you!
Well, it would not be easy, but you can do it.
Sample code from Apple could be found here and here. This project is for iOS, but it may be on a deprecated Swift version, so you will need to do some work to launch it now.
The parts you are interested in from the SimpleTunnel sample are FilterDataProvider and FilterControlProvider; the other things you can omit, because the purpose of this sample is to demonstrate a lot of abilities.
There is also a sample for macOS that is more focused on your needs, and the macOS SDK is similar to iOS, but less powerful.
You may want to see this video to sort things out in your mind.
There are a lot of firewall solutions for iOS and Mac, and some of them are open source.
You will need a developer account, a network extension capability assigned to an application identity, and a proper network extension entitlement file to get things running.
There is a way to sign it manually for development without an account and capability, but to distribute you will need it anyway.
For some restrictions you may need to install an MDM profile on the device.
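As an added example (not code from this thread or from Apple's SimpleTunnel sample), here is the core of a Swift NEFilterDataProvider that drops flows to one domain, which also illustrates the bypass concern raised in the first question above: the filter only sees a domain name when the app connected by name. It assumes a constructed placeholder domain list and that the extension target carries the Network Extension content-filter entitlement and is enabled from the containing app via NEFilterManager (that configuration code is not shown).

```swift
import NetworkExtension

// Constructed placeholder: the domain(s) to block, including all subdomains.
let blockedDomains: Set<String> = ["social.example"]

/// True when `host` equals a blocked domain or is a subdomain of one.
/// Kept as a pure function so the match logic can be unit-tested on its own.
func isBlocked(host: String, blocked: Set<String> = blockedDomains) -> Bool {
    var h = host.lowercased()
    if h.hasSuffix(".") { h.removeLast() }   // normalise a trailing dot (FQDN form)
    return blocked.contains { h == $0 || h.hasSuffix("." + $0) }
}

class FilterDataProvider: NEFilterDataProvider {

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // On macOS 10.15+ you would additionally call apply(NEFilterSettings(...))
        // here to choose which flows are delivered; on iOS all flows arrive.
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Collect every destination name visible for this flow: the socket flow's
        // remote endpoint (a DNS name only if the app connected by name, otherwise
        // a bare IP string) and, for HTTP flows, the URL host.
        var names: [String] = []
        if let socketFlow = flow as? NEFilterSocketFlow,
           let remote = socketFlow.remoteEndpoint as? NWHostEndpoint {
            names.append(remote.hostname)
        }
        if let host = flow.url?.host {
            names.append(host)
        }
        if names.contains(where: { isBlocked(host: $0) }) {
            return .drop()
        }
        // Caveat for the "cannot be bypassed" requirement: an app that connects
        // straight to an IP address, or resolves names through its own channel,
        // shows no domain name here, so a hostname rule alone is not a complete
        // block and needs pairing with IP-level or DNS-level policy.
        return .allow()
    }
}
```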

Since Library is deprecated, how should I go about embedding my Assistant with hotword capabilities?

Until recently, I used Google Assistant Library's hotword Assistant to embed it into a Raspberry Pi, mostly due to its hotword capabilities. I've done quite a few tweaks to make it work in a bigger project and add some functionalities to it.
Since it is now deprecated, I checked through the Service part of the Actions SDK to make something similar, but ended up not finding what I wanted: the hotword part. I tried with the pushtotalk.py code but it seems way more complicated than the hotword.py, and of course does not have hotword capabilities on its own.
I tried snowboy, but for other unrelated reasons this is not a possibility.
Also, I tried to contact the support concerning the deprecation (how long will they support it/is there an alternative), but they sent me here.
So here is my question: is there a way to trigger the pushtotalk.py with a hotword/programmatically with an event? (Ideally I would like to trigger it via a WebSocket event)
Also, is there any information concerning the deprecation of the Google Assistant Library part that I did not find on the Internet?

Rest Server on iOS device using Swift

I need a way to have an iOS application that can accept a message on a device connected via USB, query a bunch of data about the device and return a response with this data.
I am brand new to iOS and Swift development so I need something that is:
Simple
Uses CocoaPods (due to lack of iOS support in Swift Package Manager)
Does NOT require distribution via the App Store (which I believe rules out using APN)
I have tried the following:
BlueSocket: https://github.com/IBM-Swift/BlueSocket
This can probably do the job but is very low level and requires lots of work around handling buffer sizes, etc. So a REST solution might be better.
Kitura: https://www.kitura.io/
This seems ideal. However, it only appears to support Swift Package Manager which makes it a big PITA to implement currently (reminder; swift/ios newb here)
CocoaHTTPServer: https://github.com/robbiehanson/CocoaHTTPServer
This looks ok, however I can only find Objective-C examples. Would prefer to have something that includes solid Swift examples (also, the repo doesn't look like it's been updated since 2015)
Are there any other approaches I should consider that I haven't listed here?
You may want to check https://github.com/IBM-Swift/Kitura-HelloWorld-iOS.
I wrote a couple of blog posts about it https://developer.ibm.com/swift/2017/03/13/kitura-ios/, https://developer.ibm.com/swift/2017/12/08/kitura-ios-part2/.
Note that it is a demo repository, I do not know if IBM will support Kitura on iOS (it is supported on Linux).

Can I distribute my BlackBerry 10 WebWorks app via web server (OTA)?

I have a multi-platform mobile app that I am releasing on iOS, Android, Windows Phone 8, and Blackberry 10 (WebWorks). For the other three non-BB platforms, I have a way to distribute the enterprise app via a web server (user installs by clicking a link on a web page inside of a mobile browser). However, for BB10 Webworks, I can't seem to find a documented way to distribute a .bar file in this same manner.
Options:
1) I have seen docs that discuss placing Java-based apps (.jad and .cod files) on a web server for OTA distro, but can't find any documentation on being able to do the same with BB10 .bar files.
2) Blackberry App World - but this is public, which is not what I want for this enterprise app
3) Blackberry App World for Work and BlackBerry Enterprise Service 10 - both of these seem to be overkill for my modest purpose. I only have a single app and simply need a download link, not full app/device management, app catalogs, etc.
Is it possible to do #1 with .bars? Or is there another option I have not considered?
Thanks
I was not aware that sandboxed users could see apps other users couldn't, as mentioned in one of the answers - something for me to try!
The only other option I am aware of is to "side load" the bar file, you can side load with various tools which you can find if you search, such as:
http://forums.crackberry.com/blackberry-10-os-f269/how-get-bb10-hardware-id-sideload-app-bar-file-into-blackberry-10-a-780773/
http://forums.crackberry.com/android-app-sideloading-f279/how-sideload-apps-bb10-device-easy-way-windows-825656/
I haven't tried out these tools, sorry.
I actually do it using the tools you get with the Android Command line toolset - available from BB web site here:
http://developer.blackberry.com/android/tools/
but this approach is not 'user friendly'. I use it because I have converted a few Android apps to run on BB10 and so got to know the tools.
I can't say that these tools are safe, since I don't actually know them, but what I can say is that I am not aware of any way that a PC based tool sending something over the internet (or USB) to your BB10 could break it, nor am I aware of any way that a side loaded app could break your BB10. The days of bricking your BB device with a dubious bit of software do seem (thankfully) to be over.
Edit: Just thought I would update this given the options that Nate has found, which I also didn't know about!
Both the sites Nate has found seem to work in the same way as the tools I mentioned above. My understanding of all these tools is that they run a deploy utility, that connects to the BB10 device via a TCP/IP connection (which could be routed over WiFi or USB), and sends the bar file over this connection. The connection is initiated by the deploy utility, which is why it has to be in the same network.
There is likely some BBRY proprietary protocol involved, which includes an exchange of the password, as the password supplied to the deploy utility must match the development password on the device.
Now I strongly suspect that BBRY have not published the specification for this communication. I also strongly suspect that the password is never seen in the clear, so you could not use some tool like Wireshark to reverse engineer this. My suspicion therefore is that the tools, including the two I have pointed you at, all run something like the Android Command line tool under the covers - and they got this from BBRY. So perhaps you can build something like the web sites yourself - assuming you have the time and inclination of course.
Just a thought and just my opinion.
There is probably a better way, but I don't know about it. Anyway: you can deploy an app to the BB World, but not put it up for sale, then add user accounts to your sandbox. They, and only they, will be able to download your application, which will not be shown on the BB World to anyone else.
This isn't natively supported on BlackBerry 10, but it looks like there are a few hacks that people have already figured out to make this work.
Depending on your needs, these may or may not work for you (see especially the security caveats on the FAQ pages).
https://sideswype.me/
https://barinstall.com
These appear to take advantage of a VPN security hole. BlackBerry has previously patched this hole, but according to the BarInstall site, the owner just added support for 10.2, to work around the patch.
Both of these services do charge a modest fee, but it may be easier for you than maintaining a BES server.
Peter Strange's answer is quite comprehensive for the time it was written. I will just add that with the release of BB 10.2 you have the option to distribute your application OTA as an APK. Since you are using HTML5 for development I suspect there will be little performance difference between running the APK and running the BAR. But that is something you can check out if you have, or know someone with a BB10 device. Performance should improve with the release of 10.3.

Anyone ever tried to develop in C or C++ for Blackberry platforms?

Every indication I have, based on my experience in embedded computing is that doing something like this would require expensive equipment to get access to the platform (ICE debuggers, JTAG probes, I2C programmers, etc, etc), but I've always wondered if some ambitious hacker out there has found a way to load native code on a Blackberry device. Anyone?
Edit: I'm aware of the published SDK and its attendant restrictions. I'm curious if anyone has attempted to get around them, and if so, how far they got.
I've seen this question pop up in a number of different forums over time. The original Blackberries were programmable in C++ but I think that RIM ran up against the problems of trying to implement a secure platform in the C/C++ compile to native paradigm.
The devices do have JTAG ports, but unless one could get hands on the RIM code as a place to start the problem is enormous.
I also have to wonder how useful a Blackberry with a replacement FOSS operating system would be, since it would not likely have the protocols to connect to BES or BIS, send PINs etc. If one was simply looking for the power of the hand held computing platform I suspect there are many more likely candidates available.
No, C++ is no longer a supported RIM development tool, as they phased it out a number of years ago. Client applications can be developed in Java (or one of a few 5GL frameworks), and web + server-side apps can be developed using standard tools.
For those looking for updated information, the new Playbook OS, also known as QNX, also known as Blackberry 10 (or it will be when the phones running it come out) is in fact C/C++ based, also using QML and a C++ add-on called Cascades.
Unfortunately the official SDK website only seems to mention Java. According to wikipedia, different versions of the BlackBerry use different processors. Combined with the fact that RIM uses a proprietary operating system for the devices, it becomes pretty difficult to develop native code without official tools. There is also a partial API-level security restriction which would further prohibit advanced tinkering.
Just randomly searching for an answer to this and came across http://supportforums.blackberry.com/t5/Tablet-OS-SDK-for-Adobe-AIR/Native-C-C-SDK/td-p/778009 which mentions that BB intend to release a C/C++ SDK soon, more details will be provided at the 2011 Game Developer Conference.