Secure Network Request Filtering in .NET MAUI Applications #28519
Unanswered
FantasiaGArticaWare
asked this question in
Q&A
Replies: 1 comment
Does it need to?
Hello, I have a question for the community.
From my Stack Overflow question: https://stackoverflow.com/questions/79497453/secure-network-request-filtering-in-net-maui-applications?noredirect=1#comment140237139_79497453
I'm developing a .NET MAUI application (using .NET 8) for iOS and Android that handles sensitive information. Since the application uses external NuGet packages and involves multiple collaborators, I need to ensure that no malicious code can forward sensitive information to unauthorized servers. I've already analyzed all external packages and my colleagues' Git repositories manually, and I've monitored network traffic for unauthorized calls. Now I'm looking for a way to create a whitelist that filters all network requests.
What I've tried:
- Using iOS Info.plist - but it only provides functionality for enabling HTTP sites (no filtering for HTTPS).
- Implementing a DelegatingHandler for HTTP and overriding the SendAsync method - but this approach requires dependency injection for each component, and I want a solution that works transparently at a higher level.
Potential solutions I'm considering:
Forcing my app to use a custom proxy or VPN to route all requests through my server for filtering, but I haven't found example code for this approach.
Question: Has anyone faced a similar challenge securing network requests in .NET MAUI applications? I'm looking for a solution that can globally intercept and filter all outgoing network requests (both HTTP and HTTPS) against a whitelist of authorized domains. Can you share any code examples or solutions that address this security concern?
Additional information
I want to filter all HTTPS requests and have my app execute only the URLs belonging to a whitelist. For example, in my whitelist I have example.com and example01.com. If my app, at any point in the code, makes a request to mydomain.com, I want to block and not execute the call to a domain not belonging to the whitelist.
After extensive research, I've realized that I cannot use NSUrlProtocol in iOS because it's not associated with HttpClient. I haven't found a method to create a delegate handler for HttpClient, but from the various guides I've reviewed, I've come to this conclusion: I need to use a proxy that filters all requests. For this in iOS, I must create a Network Extension NEAppProxyProvider target in Xcode to filter only the network internal to my app. I opened my MAUI project in Xcode through Rider and added this.
```swift
import NetworkExtension

class AppProxyProvider: NEAppProxyProvider {
    override func startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) {
        NSLog("Proxy started successfully")
        self.setTunnelNetworkSettings(nil)
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        // Add code here to start the process of stopping the tunnel.
        completionHandler()
    }

    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
        // Add code here to handle the message.
        if let handler = completionHandler {
            handler(messageData)
        }
    }

    override func sleep(completionHandler: @escaping () -> Void) {
        // Add code here to get ready to sleep.
        completionHandler()
    }

    override func wake() {
        // Add code here to wake up.
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Only TCP flows addressed by hostname are inspected; anything else is refused.
        guard let tcpFlow = flow as? NEAppProxyTCPFlow,
              let endpoint = tcpFlow.remoteEndpoint as? NWHostEndpoint else {
            return false
        }
        // Returning true means the provider has taken the flow and must open it and
        // relay its data itself; that relay code is not part of this snippet.
        return isDomainAllowed(endpoint.hostname)
    }

    func isDomainAllowed(_ host: String) -> Bool {
        let allowedDomains = ["example.com", "example01.com"]
        // Accept the exact host or a subdomain only. A substring test would also
        // accept hosts such as "example.com.mydomain.com".
        let name = host.lowercased()
        return allowedDomains.contains { name == $0 || name.hasSuffix("." + $0) }
    }
}
```
Now my question is: how can I use this in my MAUI application using Rider?
Does anyone have another code/strategy?
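
The DelegatingHandler approach mentioned in the question, written out with strict host matching and the redirect setting it depends on. This is an added example, not part of the original post; the class name `HostAllowlistHandler`, the `Demo` class and the sample URLs are assumptions. It only covers `HttpClient` instances built on this handler, so it is not the global interception the question asks for.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public sealed class HostAllowlistHandler : DelegatingHandler   // hypothetical name
{
    private readonly string[] _allowed;   // domains from the post's whitelist
    public HostAllowlistHandler(HttpMessageHandler inner, params string[] allowed)
        : base(inner) => _allowed = allowed;
    // Exact host or a true subdomain only; a substring check would also accept
    // "example.com.mydomain.com" or "notexample.com".
    public bool IsAllowed(Uri? uri)
    {
        if (uri is null || !uri.IsAbsoluteUri) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;          // HTTPS only
        if (uri.HostNameType != UriHostNameType.Dns) return false;   // no IP literals
        string host = uri.IdnHost.TrimEnd('.');                      // drop trailing FQDN dot
        return _allowed.Any(d =>
            host.Equals(d, StringComparison.OrdinalIgnoreCase) ||
            host.EndsWith("." + d, StringComparison.OrdinalIgnoreCase));
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (!IsAllowed(request.RequestUri))
            throw new HttpRequestException(
                $"Blocked: host '{request.RequestUri?.Host}' is not on the allowlist");
        return base.SendAsync(request, cancellationToken);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Redirects are followed inside the inner handler, below this check, so they
        // are disabled here; otherwise an allowed host could redirect to an unchecked one.
        var inner = new HttpClientHandler { AllowAutoRedirect = false };
        var handler = new HostAllowlistHandler(inner, "example.com", "example01.com");
        // Constructed sample URLs; only the first two are expected to pass.
        foreach (var u in new[] { "https://example.com/a", "https://api.example01.com/",
                 "https://mydomain.com/", "https://example.com.mydomain.com/",
                 "http://example.com/", "https://192.0.2.10/" })
            Console.WriteLine($"{u} -> {(handler.IsAllowed(new Uri(u)) ? "allow" : "block")}");
    }
}
```

With redirects disabled, the caller has to follow 3xx responses itself, which sends each new location back through `SendAsync` and the same check.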