WKWebView, Network Extension and Tor - add SOCKS or HTTP proxy features to NE

Number:rdar://FB7524212 Date Originated:2020-01-07
Status:open Resolved:
Product:Network Extension Framework Product Version:
Classification:Suggestion Reproducible:
We’re working on Onion Browser, a FOSS browser containing Tor.
Currently, Tor runs as a thread inside the app process and uses UIWebView’s SOCKS proxy to route traffic through Tor.

Now we are forced to move to WKWebView, which will need a Network Extension to actually be able to proxy the traffic.

Seems fine for us, if we get the benefit of fixing real IP leakage with this, too, which we currently have with WebRTC and video.

However, Tor uses a SOCKS or HTTP interface, Network Extension uses a tun device. This burdens us with writing a stable piece of software which translates between these.
We have a PoC implementation, but it is unstable and will require a lot of work to get it stable.

Unfortunately, memory constraints on NEs are harsh for this use case and a major problem is the fail-open behaviour. As per our experience, if the running Network Extension crashes, requests are immediately retransmitted through the normal network interface. This could lead do dangerous leakages: Consider a dissident in a civil-rights-suppressing country triggers a country’s firewall alert. Police coming after them because of looking at wrong website.

We would be very happy if we could just use the HTTP or SOCKS interface as we could do with UIWebView.

Would this be possible for the next iOS release?

Onion Browser in app store: https://apps.apple.com/us/app/onion-browser/id519296448
Onion Browser project: http://github.com/OnionBrowser/OnionBrowser/
iCepa project: https://github.com/icepa
unstable tun2tor wrapper: https://github.com/iCepa/tun2tor


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!