IOS app no network permission on device sold in Mainland China

Ivan Lundwall ivanlundwall at gmail.com
Wed Apr 17 06:39:44 CEST 2019


Hi,
First, thanks for the excellent work on WireGuard.
Before explaining the issue, I want to give a clear introduction to
the network permission thingy. It's a reinforced permission control issued
by the Chinese gov, where an app will have no network access unless a
connection is requested, at which point the system will pop up a
notification asking the user to accept or decline the network permission.
If it's not triggered, network access is blocked by default. (The tricky
thing is that a UDP socket seems unable to trigger this.)
So in my case, where one endpoint is a domain, it reports a DNS resolution
failure when I activate the profile. After I change the domain to an IP
address, it connects, but then I can access nothing.
There's a similar issue:
https://github.com/pwn20wndstuff/Undecimus/issues/136
Here's a solution applied to an app that also only transmits UDP:
https://github.com/EspressifApp/EsptouchForIOS/issues/8
It's in Chinese; here's a translation of part of the last part:

Previously, after receiving your feedback, our engineers used iOS 10.0.2
(directly upgraded from iOS 9.3 to iOS 10.0.2) for testing, which is
configurable. I thought it was a bug in iOS 10.0.1.
Recently, we used an iPhone that was upgraded to iOS 10.0.2 by iOS 10.0.1
(you can't use Esptouch at the time), still not.
After research: upgrading directly from iOS 9 to iOS 10.0.1 disables all
network permissions for all applications by default. Upgrading directly
from iOS 9 to iOS 10.0.2 opens all network permissions for all applications
by default.
However, our Esptouch uses the underlying Socket function and does not use
the Cocoa Touch framework. Therefore, the network permission has not been
applied to the user. At this time, the UDP broadcast report cannot be sent
or received, and Esptouch cannot be successful.
Now the problem has been solved. The solution is to send a GET request of
"https://8.8.8.8" when the application is opened, and it will apply for the
Network permission to the user. If you are not allowed to do so, you can
change it as follows:
Settings --> Wireless LAN --> Use wireless LAN and cellular mobile
applications (after all Wi-Fi lists) --> Select the appropriate application
--> Open permissions


Best regards