In case anyone is concerned, this is not a security vulnerability in SwiftNIO, TLS, or anything else. This is merely a debugging feature I wanted to make more obvious.

I’ve been somewhat fascinated with SwiftNIO lately. There’s something magical about getting code to work at the wire protocol level, and SwiftNIO makes it easy to do it safely and efficiently. I’ll save talking about it in much depth here, as I’m still very much figuring that out as I go, but I wanted to share a tip I had to figure out that I couldn’t easily find an answer for without some creative searching. Note: This post will be generally useless to you unless you’re already using NIOSSLContext and TLSConfiguration.

I came across Project Gemini recently, a simple hypertext protocol without all the tons and tons of baggage that the web has built up over the last few decades, and decided to give it a spin with SwiftNIO. Within a day, I was able to get a basic client implementation up and running, but doing so required some debugging.

Much like HTTP, Gemini runs with a request/response model, and I ran into a problem where I wasn’t sure if the server was receiving my requests, sending a response, or if something in my SwiftNIO code was not working properly. Normally when doing something at the wire protocol level, you would use a tool like Wireshark, but the trick is that Gemini requires ALL traffic to be TLS-encrypted. This means that, on its own, Wireshark can’t break the encryption (which is a very good thing!).

Fortunately, I’m not the only one who has needed to break TLS encryption for debugging reasons. TLS encryption requires both the client and server to agree on encryption secrets, and if you have those, Wireshark can decrypt the data. Many tools like curl and some browsers support writing these secrets to a file using the environment variable SSLKEYLOGFILE, but I don’t think SwiftNIO’s TLS library supports this by default.

Instead, SwiftNIO exposes an API to access the important secrets as data. When setting up your TLSConfiguration.forClient(), you can pass a closure to keyLogCallback. This will get called periodically as part of TLS negotiations, and is equivalent to the SSLKEYLOGFILE output you’d get from curl and friends. Just write this to a file somewhere using whatever API you like, e.g. FileManager().createFile(...) if running on a Mac, and make sure you’re appending and not overwriting. Make sure not to ship this!

wireshark tls preferences

Once this file is written somewhere, open Wireshark and go to Preferences. Open the Protocols section and scroll all the way down to TLS. At the bottom of that pane will be a textbox that says something like (Pre)-Master-Secret log filename, and here you put the path to the file you wrote out earlier. Wireshark will automatically monitor that file for updates, and with any luck, you should see decrypted traffic start to show up in Wireshark’s logs.

In the end, my bug was that when I was writing the request to the SwiftNIO Channel, it wasn’t flushing it. So ultimately I just had to change channel.write(...) to channel.writeAndFlush(...) and everything started working. Once Wireshark was decrypting the data, I was able to see that the request was simply never making it to the server I was connecting to, and that it started working just fine with that code change.
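Here is the whole setup pulled together as an added example (my own illustration, not code from the original post or from the SwiftNIO project): a TLSConfiguration whose keyLogCallback appends to the file named by SSLKEYLOGFILE, only in debug builds; a SwiftNIO client pipeline with the TLS handler in front; and the Gemini request sent with writeAndFlush. The host name is a placeholder, port 1965 is Gemini’s default port (not mentioned above), and KeyLogFileWriter and PrintResponseHandler are helpers written for this example.

```swift
import Foundation
import NIOCore
import NIOPosix
import NIOSSL

/// Appends key-log lines to a file so Wireshark can follow it.
/// Hypothetical helper written for this example; not part of SwiftNIO.
final class KeyLogFileWriter {
    private let handle: FileHandle
    private let lock = NSLock()   // the callback may fire from several event loops

    init(path: String) throws {
        // Create the file only if it is missing, then seek to the end so we append.
        if !FileManager.default.fileExists(atPath: path) {
            FileManager.default.createFile(atPath: path, contents: nil)
        }
        handle = try FileHandle(forWritingTo: URL(fileURLWithPath: path))
        _ = handle.seekToEndOfFile()
    }

    func append(_ buffer: ByteBuffer) {
        let bytes = buffer.getBytes(at: buffer.readerIndex, length: buffer.readableBytes) ?? []
        lock.lock(); defer { lock.unlock() }
        handle.write(Data(bytes))
    }

    deinit { handle.closeFile() }
}

/// Builds the client TLS context. The key-log hook is wired up only in debug
/// builds and only when SSLKEYLOGFILE is set, mirroring curl's convention,
/// so a release build can never leak session secrets to disk.
func makeClientTLSContext() throws -> NIOSSLContext {
    var config = TLSConfiguration.makeClientConfiguration()
    #if DEBUG
    if let path = ProcessInfo.processInfo.environment["SSLKEYLOGFILE"] {
        let writer = try KeyLogFileWriter(path: path)
        config.keyLogCallback = { buffer in writer.append(buffer) }
    }
    #endif
    return try NIOSSLContext(configuration: config)
}

/// Prints decrypted Gemini response bytes as they arrive. Example-only handler.
final class PrintResponseHandler: ChannelInboundHandler {
    typealias InboundIn = ByteBuffer
    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
        var buffer = unwrapInboundIn(data)
        if let text = buffer.readString(length: buffer.readableBytes) {
            print(text, terminator: "")
        }
    }
}

let host = "gemini.example"   // placeholder host for this example
let url = "gemini://\(host)/"
let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
defer { try? group.syncShutdownGracefully() }

let sslContext = try makeClientTLSContext()
let channel = try ClientBootstrap(group: group)
    .channelInitializer { channel in
        do {
            // The TLS handler goes first so every later handler sees plaintext.
            let tls = try NIOSSLClientHandler(context: sslContext, serverHostname: host)
            return channel.pipeline.addHandlers([tls, PrintResponseHandler()])
        } catch {
            return channel.eventLoop.makeFailedFuture(error)
        }
    }
    .connect(host: host, port: 1965)   // 1965 is Gemini's default port
    .wait()

// A Gemini request is the URL followed by CRLF. Use writeAndFlush, not write:
// a bare write() sits in the pipeline's buffer and never reaches the server.
var request = channel.allocator.buffer(capacity: url.utf8.count + 2)
request.writeString(url + "\r\n")
try channel.writeAndFlush(request).wait()
try channel.closeFuture.wait()
```

Run it with SSLKEYLOGFILE pointing at the same path you give Wireshark’s (Pre)-Master-Secret log filename setting. Certificate verification is left at NIOSSL’s default here, so a server using a self-signed certificate will need a trust root configured rather than verification switched off. Older swift-nio-ssl releases take the callback as the keyLogCallback: parameter of TLSConfiguration.forClient(...) instead of the property used above.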

Update: Johannes Weiss of the SwiftNIO core team has pointed out another approach for capturing packets: NIOWritePCAPHandler. If you add this to your channel pipeline after the SSL handler, you can have it write out .pcap files which can be read by Wireshark or tcpdump. An example of this can be found in the swift-nio-extras repository. I completely missed this when hunting for answers, and this looks like it can be similarly helpful for debugging TLS-encrypted network traffic.

I self-host a lot of the tools and services I use on a daily basis, meaning that rather than relying on iCloud or Dropbox or GitHub, I run a comparable (usually open-source) service on a server I control, either in the cloud or out of a server in my house. One thing that has been missing from that setup has been a tool to manage documents (receipts, tax forms, bank statements, etc). I recently stumbled onto Docspell and have been trying it out in that role for the last few days. The only problem is that it didn’t have an iOS app to use to upload receipts and documents to it. Rather than try to make an app myself, I saw that there was a simple HTTP POST API for uploading documents, which was compatible with the iOS Shortcuts app.

So I built a shortcut to do that. When you add it to your Shortcuts app on an iPhone or iPad, it’ll ask you a few questions, like what your upload API URL is and what kind of document it’ll prompt you for (e.g. if you wanted a shortcut specific to receipts). It’ll default to having the name “save to Docspell”, but you can change that to something else like “save a receipt”.

There are four main ways to use this:

  1. You can tap it as a button from the Shortcuts app or widgets. It’ll ask you the name of the thing you want, and then prompt you to either select a file or capture some photos with the camera.
  2. You can ask Siri to “save to Docspell” (or whatever you named it), and it’ll prompt you for those same things.
  3. You can use the share button to save stuff from across your device. Attachments in mail, downloaded PDFs, screenshots, or really anything that could be treated as a file. In theory you can even share webpages to it and it should make an archive of the page (though my server times out when I try this).
  4. You can use it as an export target for other workflows, meaning if you wanted to use a Shortcut to generate a PDF, you could then feed it into the Save to Docspell shortcut and upload it there.

When you run it without input (#1 and #2 above) it’ll ask whether you want to upload a file or take some photos with the camera. If you take multiple photos, it’ll stitch them into a PDF for upload. All photos will be converted to JPEG, even if your phone is set to save as HEIC by default, and the orientation will be fixed to make sure OCR works. If you select a file, you can use the phone’s file browser to pick one from your device, iCloud, or any storage providers (e.g. Nextcloud) that you might want to export from. And it’ll notify you when the upload is successful, using a message directly from the API, so it can’t fail silently unless there’s a problem on the server. You can also set up multiple copies of the workflow with different public API upload URLs and names, so if you wanted one for receipts and a different one for bank statements.

Link

WWDC Should Stay Online-Only


Apple took WWDC online-only this year as a result of COVID-19. After 30-some years of the conference taking place between Santa Clara, San Jose, and San Francisco, there wasn’t precedent for this. While parts of WWDC (namely the sessions) had been easy to access online for several years, others like labs and live events were limited to on-site attendees only.

Last week we found out that, really, not much was missing. The keynote/state of the union still happened at the same times, but were pre-recorded around Apple’s campus. Sessions were released daily during the conference as videos of people talking over slide decks, rather than as presenters on stage in a conference hall. Labs were still held, but were done via teleconference and appointment. Even the Apple Design Awards and the lunch-time special guest events still happened. What was really missing was just the in-person face time from thousands of developers in one place, and the occasional event like the WWDC Bash.

But what was remarkable to me was how much better the week was as a whole. I attended WWDC in person from 2006 to 2015, and remotely since then, and this year’s conference was dramatically improved over both the onsite and online experience. So much so, that I don’t think WWDC should return as an in-person conference. Here’s why.

Read More

The Paywalled Garden: iOS is Adware


Over the years, Apple has built up a portfolio of services and add-ons that you pay for. Starting with AppleCare extended warranties and iCloud data subscriptions, they expanded to Apple Music a few years ago, only to dramatically ramp up their offerings last year with TV+, News+, Arcade, and Card. Their services business, taken as a whole, is quickly becoming massive; Apple reported $12.7 billion in Q1 2020 alone, nearly a sixth of its already gigantic quarterly revenue.

All that money comes from the wallets of 480 million subscribers, and their goal is to grow that number to 600 million this year. But to do that, Apple has resorted to insidious tactics to get those people: ads. Lots and lots of ads, on devices that you pay for. iOS 13 has an abundance of ads from Apple marketing Apple services, from the moment you set it up and all throughout the experience. These ads cannot be hidden through the iOS content blocker extension system. Some can be dismissed or hidden, but most cannot, and are purposefully designed into core apps like Music and the App Store. There’s a term to describe software that has lots of unremovable ads: adware, which is what iOS has sadly become.

If you don’t subscribe to these services, you’ll be forced to look at these ads constantly, either in the apps you use or the push notifications they have turned on by default. The pervasiveness of ads in iOS is a topic largely unexplored, perhaps due to these services having a lot of adoption among the early adopter crowd that tends to discuss Apple and their design. This isn’t a value call on the services themselves, but a look at how aggressively Apple pushes you to pay for them, and how that growth-hack-style design comes at the expense of the user experience. In this post, I’ll break down all of the places in iOS that I’ve found that have Apple-manufactured ads. You can replicate these results yourself by doing a factory reset of an iPhone (backup first!), installing iOS 13, and signing up for a new iCloud account.

Apple Music

ios adware apple music 1

When you open the Music app for the first time, it shows you an empty library and a bit saying that you can get music from the iTunes Store. So you head over to the search tab (ignoring the “Search By Lyrics” ad for Apple Music), and search for an artist, and find that your library is empty, but that Apple Music search tab sure is full of lots of exciting stuff. You navigate down to the song you want to listen to, and you get greeted with a fullscreen popup ad for Apple Music, one which went out of its way to disable support for iOS 13’s new swipe-to-dismiss gesture.

ios adware apple music 2

Leaving search, there are three other tabs at the bottom: For You, Browse, and Radio. The “For You” tab is a sneaky ad, offering to help you find new music based on your tastes. Tapping the big red button takes you to a signup screen for Apple Music. Nowhere on this screen was it stated to be a subscription feature.

ios adware apple music 3

Under Browse, you find a whole selection of songs, artists, playlists, and other general curated music selections. Tapping into basically anything will take you to a fullscreen Apple Music ad.

ios adware apple music 4

In Radio, we finally have something we can tap that doesn’t trigger an Apple Music ad! Beats 1 can be played seemingly without subscribing to Apple Music, and some of the older interviews are playable. I say “some”, because while tapping on that interview of A Boogie Wit Da Hoodie will play, tapping on the entry for A Boogie Wit Da Hoodie under the “In Case You Missed It” section will bring up another fullscreen ad.

As a bonus, it stops whatever you’re playing, as the audio player switches to the track you selected before the server tells it that it can’t be played without a subscription. I think this is a bug more than malice, but it highlights how the app is designed for the subscriber, not the person who doesn’t want Apple Music.

ios adware apple music 5

So Browse and For You are entirely Apple Music ads. Radio has some free content but that largely exists to pull people into Apple Music, and Search will happily pull you in to Apple Music if you tap the button. Almost this entire app serves to be an ad for Apple Music. There is a setting in the Settings app to hide Apple Music (next to an ad for Apple Music, of course), but that only does so much.

The Browse and For You tabs are hidden, and some of the Apple Music-exclusive stuff in Radio is hidden. But every radio station except for Beats 1 is still present, all of which trigger an Apple Music ad. After you quit and restart the Music app, the search bar changes the “Apple Music” search results to “Radio”, but the autocomplete largely populates from Apple Music, and some of the search results can return playlists that take you to Apple Music. It helps, but ads are still there to be stumbled into.

ios adware apple music notifications

If you subscribe and then cancel, Apple sends invasive push notifications asking you to re-subscribe. These are on by default without a permission request. This is, of course, against the rules they lay out for other developers.

Push Notifications must not be required for the app to function, and should not be used for advertising, promotions, or direct marketing purposes or to send sensitive personal or confidential information.

Apple TV+

ios adware apple tv

The TV app opens with Apple’s standard summary screen, leading with an ad talking about Apple TV+. The home screen is chock full of TV+ ads and ads for shows on TV+. If you have existing iTunes Store shows, or streaming apps like Netflix or Crunchyroll set up, you might see shows you’re watching under the “Up Next” section. But no matter what you have, the Apple TV+ ads are huge and inescapable. Again, the TV app’s notifications are enabled by default with no permission request.

Apple News+

ios adware apple news

Another app that has its notifications turned on by default, this is how many people will interact with this service. Tapping notifications doesn’t take you to a web browser, but directly into the News app. If you open a story on one of Apple’s partners like the Wall Street Journal, the screen it takes you to often has a large banner ad at the top of the screen for the Apple News+ service. This seems to be intermittent, but it cannot be dismissed, hidden, or disabled.

If you look through the News app itself, you will see a plethora of stories in the Today feed. Some of these will trigger the same ad shown above; there is no indication on the feed itself. Some will actually have a full paywall in front of them preventing access without signing up; these do have a tiny Apple News+ logo beneath them, but it’s far enough below that it almost looks like it belongs to the next section.

And of course, in the dead center of the tab bar, is the News+ tab. Leading off with a large ad at the top of the feed, it lists stories and publications similar to the Today feed. Most of these stories are paywalled, but not all, so people may end up going there and hunting for stories they can read. This tab cannot be hidden, ever.

Apple Card

ios adware apple card

After you set up your iPhone, you get a home screen with at least one badged icon, on Wallet. Opening this takes you to a giant ad that’s nearly half the screen for Apple Card. Fortunately it is dismissible. But every time you try to add a credit/debit card to Apple Pay, you are asked if you want to sign up for Apple Card instead.

Apple Arcade

ios adware apple arcade

The first three tabs of the App Store app are Apps, Games, and Today. These tabs don’t have much in the way of ads, aside from some Apple Arcade games that might appear in Games and Today. However, Apple Arcade gets an entire tab all to itself, which has a huge in-feed ad for the service, and of course a whole pile of games advertising it. Compared to other games and apps, Apple Arcade games get more prominent visual treatment, larger videos, and bigger download buttons. This tab, like News+, cannot be turned off.

App Store Search

ios adware app store search

And of course, almost anything you search for in the App Store has a large ad at the top of your search results. This isn’t an ad for an Apple-run service, but it is a way they make money by extorting developers and showing you the wrong thing. If you search for a specific app, you will often not see that app in the first slot, unless the developer has paid for the privilege.

Conclusion

Apple wants to grow their services business with drastic increases year-over-year. This means they are going to aggressively push more services into more places (including deeper into macOS and tvOS, which are also slowly having adware trickled into them). Apple TV+, News+, Arcade, and Card are all new this year, and are already strongly advertised in iOS. Apple Music has existed for a few years, and its level of advertising in the app is pervasive. As time goes on, these ads are going to get worse, not better.

Of course, Apple has a right to tell users about their services, and try to convince you to subscribe to them. And you might disagree with my assessment that some of these are ads at all. Individually, most of these instances aren’t insidious by themselves. But when you look at them together, they paint a picture of how Apple is making the user experience provably worse to boost growth at all costs.

This issue is not going to get better. Apple is going to expand its services, both breadth and depth, and the adware problem is only going to get worse, unless people call out Apple for what they’re doing. And yet, this issue is rarely talked about, likely because many of the people who cover Apple inevitably subscribe to some or all of these services. Gadgets like smart TVs and ebook readers are frequently criticized for their annoying, invasive advertisements despite their (often large) upfront price. It’s time for the tech community to recognize that Apple is no longer designing their products for a great experience, but as upsells to get you into the paywalled garden.

So Zoom runs a web server on your Mac (even after you uninstall the app), and that web server can launch Zoom calls via URLs, and those Zoom calls can default to having your camera open. Which apparently makes it very easy to embed something into a web page (or an ad) in an attempt to trick people into unwittingly opening a video chat.

Remote video exploits are one of the worst-case scenarios of security vulnerability, and this is it. It looks like Zoom took over two months to start responding to it from the timeline, and if that’s true, it’s irresponsible security practice.

If you have Zoom installed on your Mac, check the “Patch Yourself” section of the article to block the functionality that allows this.

Link

In September 2018, the Verge posted a video that was designed to show people how to build a PC, which was full of errors and mistakes. Some were inconsequential or considered bad practice, like having bad cable management which might impede airflow but wouldn’t necessarily impact performance. Some would cause performance problems but not damage, like putting the GPU in the wrong PCI-e slot. And some issues could cause irreversible damage, like using the wrong screws on the radiator, which could potentially penetrate the radiator tubing and cause coolant leaks. The internet quickly began criticizing this video for its flaws, making parodies and reaction videos, and the Verge disabled the comments on the video before ultimately taking it down, amending the accompanying article to note that the video wasn’t up to their standards. Paul’s Hardware did a very good summary of the video and the reaction to it. The internet made fun of it for a while, and everyone largely moved on. Until this week.

On Tuesday evening, Kyle from the YouTube channel Bitwit tweeted that the Verge had used YouTube’s copyright strike system to take down his reaction video. The Verge did not issue a statement or public comment on this, but about a day later, the claim was reversed after being disputed. According to Bitwit, YouTube disputed that the video fell under fair use for transformative purposes (which will go on to be disputed by the Verge later). They also took down a video from channel ReviewTechUSA which broke the original video down and added a lot of commentary to it. Before the takedowns were reversed, several large tech YouTube channels posted videos about the Verge’s actions, which appeared to outsiders like the Verge was trying to censor criticism, as the videos were all transformative, critical, and highly viewed.

This morning, editor-in-chief Nilay Patel finally issued a statement on behalf of the Verge. In it he says that the legal team at Vox Media (the parent company of the Verge) found these videos and decided that they were not fair use, and issued copyright strikes to YouTube under their own purview. Later, when he was notified of these strikes, he had them rescinded despite believing that the legal team was correct in thinking that they did not fall under fair use. He then spent the morning responding to tweets about the issue, including my own, which were almost entirely negative.

Now, I’ve generally liked the Verge and Nilay Patel’s work, and have defended him and his position strongly when I agree with him. And after thinking about it, in some ways I can understand where they’re coming from. If we assume they’re being truthful in their public statement, they saw some videos, they felt they were not fair use, they tried to take them down. But their process failed in a few fundamental ways.

Read More

The New York Times has written a great dive into mobile apps that harvest data off your device, such as location data. Many of these companies feel entitled to harvest and store your data for things like location when you give consent for location access, and are in the business of selling that data to advertisers.

The book ‘1984,’ we’re kind of living it in a lot of ways.

Bill Kakis, a managing partner at Tell All

I’ve been removing a lot of the native apps I’ve relied on recently in favor of mobile web apps. I won’t let Facebook run code natively on any device I own, precisely because I know they go out of their way to capture every scrap of data they can. Running Instagram in a mobile web browser provides a much stronger sandbox, limiting the amount of data they can steal dramatically.

Apple and Google have largely destroyed any real marketplace for paid apps that don’t need to rely on selling data, and app review mechanisms have been unwilling or unable to protect customers from it. They deserve a huge share of blame for the status quo being what it is.

Link