Monthly Archives: September 2010

iOS 4.1: Undocumented VPN API, used by Cisco AnyConnect

A few days ago, Cisco AnyConnect was admitted to the App Store. This was mentioned by a few blogs, but they didn’t seem to notice the relevance of it. AnyConnect is an enterprise SSL VPN technology by Cisco, so this may not seem relevant to all that many people at first sight.
However, in order to implement a VPN client to provide VPN connectivity for other apps, you need to hook into the operating system’s network stack. On the iOS App Store, everybody knows that Apple is rather strict on what a developer can do — hooking into the OS kernel and providing network functionality to other apps isn’t something they provide APIs for (and therefore don’t allow).

Wondering how Cisco got around these App Store limitations, I took a closer look at the AnyConnect app. Upon first starting it, it asks whether you want to let it “extend… the Virtual Private Network (VPN) capabilities of your device”.

Cisco AnyConnect Secure Mobility Client extends the Virtual Private Network (VPN) capabilities of your device. Do you want to enable this software? Don’t Allow / OK

After entering a VPN server name etc., I switched over to the Settings app and noticed that the newly created AnyConnect VPN showed up as a system-wide VPN (though if you try to edit it from there, it’ll just say that you should use the AnyConnect app instead).

To configure the settings for ….., use the app provided by Cisco.

Odd, how would an app be able to do any of this if it’s not allowed to get involved with iOS deeper than the App Store guidelines would allow?

Moving on and digging deeper into the .ipa bundle:

The Payload contains AnyConnectDataAgent.vpnplugin, in addition to the AnyConnect.app:

AnyConnectDataAgent.vpnplugin

AnyConnect.app‘s Entitlements.plist contains an entitlement named com.apple.networking.vpn.configuration:

com.apple.networking.vpn.configuration

Neither vpnplugin bundles nor the com.apple.networking.vpn.configuration entitlement are documented anywhere (at least not in a way that can be found through Google). Since this appears to be a special iOS API created by Apple specifically for Cisco, the question is whether it’s also open to other developers. The only other app I’ve found that uses it is Juniper Junos Pulse, which was posted a few weeks before the AnyConnect app. Since both Junos Pulse and AnyConnect have in common that they require iOS 4.1, I think it’s safe to assume that 4.1 introduced the API they use.
Personally, I’d be interested to see an OpenVPN client for the iPhone. I’m not sure whether that will ever happen though if this VPN API only exits semi-officially, especially since OpenVPN is not backed by a big company like Cisco or Juniper.

Update 2011: The German computer magazine c’t wrote about the API, but couldn’t make much sense of it either.

Update 2012: The current list of apps using this API consists of: Juniper Junos Pulse (released September 2010, requires iOS 4.1), Cisco AnyConnect (released September 2010, requires iOS 4.1), F5 BIG-IP (released December 2010, requires iOS 4.2), SonicWall Mobile Connect (released December 2011, requires iOS 4.2), Aruba VIA (released December 2011, requires iOS 4.3) and CheckPoint Mobile VPN (released March 2012, requires iOS 5.0).

Update 2012: Googling for the VPN entitlement now not only finds my blog post, but also configd source code at Apple: first in OS X 10.7 sources and later in OS X 10.8 sources (but not in OS X 10.6, which iOS 4 was based on). In the older version, inside an ifdef checking for iPhone OS, a constant named kSCVPNFilterEntitlementName is declared containing that entitlement, but the constant never gets used. In OS X 10.8, it is no longer ifdeffed to the iPhone OS and actually gets used for allowing limited access to the global preferences.plist.

Update 2012: Playing around with AnyConnect again, I noticed that it now uses a generic utun network interface, which is similar to a Linux-style layer 3 tun interface. utun is used for example by Mac OS X’s Back to my Mac feature: the kernel implementation in Mac OS X 10.8.2 can be found in the XNU source at bsd/net/if_utun.c. Some details can be found in Levin, Jonathan. Mac OS X and iOS Internals: To the Apple’s Core. Chapter 17, Layer II, Case Study: utun. Wiley, 2012.

I have received several more reports of unsuccessful attempts to get access to the VPN API. Apparently despite now offering a generic utun interface, Apple continues to be very strict about it. And to date, there still isn’t an OpenVPN client for iOS.

Update 2013: OpenVPN Connect was released today. It supports tun-style OpenVPN connections. Hooray, finally we can use OpenVPN on iOS! Apparently it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.