Network traffic interception limitations

Context

When writing apps intended to be secured with Blue Cedar, you should avoid using certain networking APIs and protocols. These APIs typically involve an out-of-process component that is incompatible with the interception techniques used by the Blue Cedar injectable.

Solution

Avoid the use of the following APIs and frameworks:

  • SFSafariViewController. SFSafariViewController is a higher level API used to embed web content in an iOS app. It is implemented in terms of WKWebView and has the same limitations.
  • NSURLSession background transfers. As described in the Apple Developer Library (NSURL Background Transfer Considerations), this API is intended to schedule downloads to execute when the app is not running. Because Secure Microtunnels are only available to code executing in the app, these background downloads fail if the target URL is not publicly accessible.

  • NSURLSession push support, as introduced in the WWDC video https://developer.apple.com/videos/play/wwdc2016/711/.
  • When writing web-based apps, avoid the use of HTTP/2.0.
  • When writing web-based apps, avoid accessing HTML 5 local storage properties directly. For example:

    localStorage.setItem("key", "value") // Works

    localStorage.key = "value"           // Does not work on iOS 9
    localStorage["key"] = "value"        // Does not work on iOS 9
  • Mixing property access and setItem() / getItem() can have unexpected results. For maximum compatibility, use setItem and getItem exclusively.

  • FTP. The Secure Web Stack policy supports HTTP and HTTPS traffic. Please avoid using FTP in apps to be secured with Secure Web Stack.
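
As an added example (not Blue Cedar's code), the following shows both halves of the local storage guidance above: a small helper that only ever goes through setItem/getItem/removeItem, and a source check that flags direct property access on localStorage or sessionStorage. The in-memory storage stand-in, the helper names and the sample source are assumptions made so it runs offline under Node; in a browser, pass window.localStorage instead.

```javascript
// Added example, not part of the Blue Cedar documentation or SDK.

// Minimal in-memory Storage stand-in (assumption) so the example runs offline.
function makeMemoryStorage() {
  const map = new Map();
  return {
    setItem: (k, v) => { map.set(String(k), String(v)); },
    getItem: (k) => (map.has(String(k)) ? map.get(String(k)) : null),
    removeItem: (k) => { map.delete(String(k)); },
  };
}

// Helper: values are JSON-encoded and reached only through the method API,
// never through localStorage.key or localStorage["key"].
function makeStore(storage) {
  return {
    set(key, value) { storage.setItem(key, JSON.stringify(value)); },
    get(key, fallback = null) {
      const raw = storage.getItem(key);
      if (raw === null) return fallback;
      try { return JSON.parse(raw); } catch { return fallback; }
    },
    remove(key) { storage.removeItem(key); },
  };
}

// Source check: flags `localStorage.foo`, `localStorage["foo"]` and the same
// on sessionStorage. Method calls on the Storage API and `.length` are allowed.
const ALLOWED_METHODS = new Set(["setItem", "getItem", "removeItem", "clear", "key"]);
const ALLOWED_PROPS = new Set(["length"]);
function findPropertyAccess(source) {
  const re = /\b(localStorage|sessionStorage)\s*(?:\.\s*([A-Za-z_$][\w$]*)|\[\s*(['"])([^'"]*)\3\s*\])\s*(\()?/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const prop = m[2] !== undefined ? m[2] : m[4];
    const isCall = m[5] === "(";
    const ok = isCall ? ALLOWED_METHODS.has(prop) : ALLOWED_PROPS.has(prop);
    if (!ok) hits.push({ index: m.index, text: m[0].replace(/\s*\(?$/, "") });
  }
  return hits;
}

// Constructed sample source: one allowed call and three direct property accesses.
const SAMPLE = `
localStorage.setItem("key", "value");
localStorage.key = "value";
localStorage["key"] = "value";
sessionStorage['token'];
`;
```

Running findPropertyAccess over an app's bundled JavaScript before submitting it for injection lists the accesses that would break on iOS 9.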

WKWebView support

WKWebView is a newer alternative to UIWebView. While WKWebView achieves performance improvements by executing out-of-process, it is only compatible with Blue Cedar 3.21+. See Secure Web Stack to manage which WKWebView traffic to secure.

Note these limitations:

  • Apps that use WKWebView with JavaScript APIs to read local files out of process cannot use the DAR policy to encrypt those local files. Disable DAR to allow the app to run with other security policies.
  • Apps that use JavaScript code to override method prototypes can conflict with Blue Cedar interception.
  • Apps that use Apple's SFSafariViewController to render web content are not subject to Blue Cedar interception. That is, web traffic is not intercepted and delivered via Blue Cedar security, but is handled normally.
  • Due to differences in JavaScript interception, the JavaScript Lighthouse API and DAR support for HTML 5 local storage are not supported.
  • WebSockets are not supported.
  • WKWebView interception may affect app performance.