VPN-5469: Fix unsecured WiFi detection on macOS 14 and later (#10779)

* Fix unsecured WiFi detection on macOS 14 and later
* Add generic unsecured Wi-Fi notification string
* Network watcher should use a global cooldown

Author: oskirby

src/mozillavpn.cpp

@@ -1979,8 +1979,7 @@ void MozillaVPN::registerInspectorCommands() {
   InspectorHandler::registerCommand(
       "force_unsecured_network", "Force an unsecured network detection", 0,
       [](InspectorHandler*, const QList<QByteArray>&) {
-        MozillaVPN::instance()->networkWatcher()->unsecuredNetwork("Dummy",
-                                                                   "Dummy");
+        MozillaVPN::instance()->networkWatcher()->unsecuredNetwork("Dummy");
         return QJsonObject();
       });
 

src/networkwatcher.cpp

@@ -121,10 +121,8 @@ void NetworkWatcher::settingsChanged() {
   }
 }
 
-void NetworkWatcher::unsecuredNetwork(const QString& networkName,
-                                      const QString& networkId) {
-  logger.debug() << "Unsecured network:" << logger.sensitive(networkName)
-                 << "id:" << logger.sensitive(networkId);
+void NetworkWatcher::unsecuredNetwork(const QString& networkName) {
+  logger.debug() << "Unsecured network:" << logger.sensitive(networkName);
 
 #ifndef UNIT_TEST
   if (!m_reportUnsecuredNetwork) {
@@ -147,15 +145,12 @@ void NetworkWatcher::unsecuredNetwork(const QString& networkName,
     return;
   }
 
-  if (!m_networks.contains(networkId)) {
-    m_networks.insert(networkId, QElapsedTimer());
-  } else if (!m_networks[networkId].hasExpired(NETWORK_WATCHER_TIMER_MSEC)) {
+  // Set a cooldown timer to prevent notification loops.
+  if (!m_cooldown.hasExpired(NETWORK_WATCHER_TIMER_MSEC)) {
     logger.debug() << "Notification already shown. Ignoring unsecured network";
     return;
   }
-
-  // Let's activate the QElapsedTimer to avoid notification loops.
-  m_networks[networkId].start();
+  m_cooldown.start();
 
   // We don't connect the system tray handler in the CTOR because it can be too
   // early. Maybe the NotificationHandler has not been created yet. We do it at

src/networkwatcher.h

@@ -25,7 +25,7 @@ class NetworkWatcher final : public QObject {
   void initialize();
 
   // Public for the Inspector.
-  void unsecuredNetwork(const QString& networkName, const QString& networkId);
+  void unsecuredNetwork(const QString& networkName);
   // Used for the Inspector. simulateOffline = true to mock being disconnected,
   // false to restore.
   void simulateDisconnection(bool simulatedDisconnection);
@@ -46,8 +46,7 @@ class NetworkWatcher final : public QObject {
 
   // Platform-specific implementation.
   NetworkWatcherImpl* m_impl = nullptr;
-
-  QMap<QString, QElapsedTimer> m_networks;
+  QElapsedTimer m_cooldown;
 
   // This is used to connect NotificationHandler lazily.
   bool m_firstNotification = true;

src/networkwatcherimpl.h

@@ -36,7 +36,7 @@ class NetworkWatcherImpl : public QObject {
 
  signals:
   // Fires when the Device Connects to an unsecured Network
-  void unsecuredNetwork(const QString& networkName, const QString& networkId);
+  void unsecuredNetwork(const QString& networkName);
   // Fires on when the connected WIFI Changes
   // TODO: Only windows-networkwatcher has this, the other plattforms should
   // too.

src/notificationhandler.cpp

@@ -279,9 +279,14 @@ void NotificationHandler::unsecuredNetworkNotification(
 
   QString title =
       i18nStrings->t(I18nStrings::NotificationsUnsecuredNetworkTitle);
-  QString message =
-      i18nStrings->t(I18nStrings::NotificationsUnsecuredNetworkMessage)
-          .arg(networkName);
+
+  QString message;
+  if (networkName.isEmpty()) {
+    message = i18nStrings->t(I18nStrings::NotificationsUnsecuredNetworkGeneric);
+  } else {
+    message = i18nStrings->t(I18nStrings::NotificationsUnsecuredNetworkMessage)
+                  .arg(networkName);
+  }
 
   notifyInternal(UnsecuredNetwork, title, message,
                  Constants::UNSECURED_NETWORK_ALERT_MSEC);

src/platforms/linux/linuxnetworkwatcherworker.cpp

@@ -162,15 +162,14 @@ void LinuxNetworkWatcherWorker::checkDevices() {
 
     if (!checkUnsecureFlags(rsnFlags.toInt(), wpaFlags.toInt())) {
       QString ssid = ap.property("Ssid").toString();
-      QString bssid = ap.property("HwAddress").toString();
 
       // We have found 1 unsecured network. We don't need to check other wifi
       // network devices.
       logger.warning() << "Unsecured AP detected!"
                        << "rsnFlags:" << rsnFlags.toInt()
                        << "wpaFlags:" << wpaFlags.toInt()
                        << "ssid:" << logger.sensitive(ssid);
-      emit unsecuredNetwork(ssid, bssid);
+      emit unsecuredNetwork(ssid);
       break;
     }
   }

src/platforms/linux/linuxnetworkwatcherworker.h

@@ -22,7 +22,7 @@ class LinuxNetworkWatcherWorker final : public QObject {
   void checkDevices();
 
  signals:
-  void unsecuredNetwork(const QString& networkName, const QString& networkId);
+  void unsecuredNetwork(const QString& networkName);
 
  public slots:
   void initialize();

src/platforms/macos/macosnetworkwatcher.mm

@@ -100,30 +100,31 @@ - (void)bssidDidChangeForWiFiInterfaceWithName:(NSString*)interfaceName {
     return;
   }
 
+  logger.debug() << "WiFi interface:" << [interface interfaceName];
   if (![interface powerOn]) {
     logger.debug() << "The interface is off";
     return;
   }
 
-  NSString* ssidNS = [interface ssid];
-  if (!ssidNS) {
+  if ([interface activePHYMode] == kCWPHYModeNone) {
     logger.debug() << "WiFi is not in used";
     return;
   }
 
-  QString ssid = QString::fromNSString(ssidNS);
-  if (ssid.isEmpty()) {
-    logger.debug() << "WiFi doesn't have a valid SSID";
+  CWSecurity security = [interface security];
+  if (security != kCWSecurityNone && security != kCWSecurityWEP) {
+    // WiFi network appears to be reasonably secured.
+    logger.debug() << "Secure WiFi interface";
     return;
   }
+  logger.debug() << "Unsecured network found!";
 
-  CWSecurity security = [interface security];
-  if (security == kCWSecurityNone || security == kCWSecurityWEP) {
-    logger.debug() << "Unsecured network found!";
-    emit unsecuredNetwork(ssid, ssid);
-    return;
+  QString ssid = QString::fromNSString([interface ssid]);
+  if (ssid.isEmpty()) {
+    // Note: Starting with macOS 14, retrieving the SSID requires location
+    // permissions for the application, which we are unlikely to be granted.
+    logger.debug() << "Unable to fetch WiFi SSID";
   }
 
-  logger.debug() << "Secure WiFi interface";
+  emit unsecuredNetwork(ssid);
 }
-

src/platforms/wasm/wasmnetworkwatcher.cpp

@@ -22,5 +22,5 @@ void WasmNetworkWatcher::initialize() { logger.debug() << "initialize"; }
 
 void WasmNetworkWatcher::start() {
   logger.debug() << "actived";
-  emit unsecuredNetwork("WifiName", "NetworkID");
+  emit unsecuredNetwork("WifiName");
 }

src/platforms/windows/windowsnetworkwatcher.cpp

@@ -134,7 +134,6 @@ void WindowsNetworkWatcher::processWlan(PWLAN_NOTIFICATION_DATA data) {
         (char)connectionInfo->wlanAssociationAttributes.dot11Ssid.ucSSID[i]));
   }
 
-  logger.debug() << "Unsecure network:" << logger.sensitive(ssid)
-                 << "id:" << logger.sensitive(bssid);
-  emit unsecuredNetwork(ssid, bssid);
-}
+  logger.debug() << "Unsecure network:" << logger.sensitive(ssid);
+  emit unsecuredNetwork(ssid);
+}