Preface

As a crawler engineer, packet capture is one of the most important and most frequently needed skills. With the growth of mobile platforms in particular, many apps now carry protections against packet capture. This article summarizes packet capture for iOS apps: conventional capture of an unprotected app, capturing an app that routes around the proxy (direct routing), and bypassing SSL Pinning with a simple reverse-engineering Hook.

Conventional packet capture

For an app without packet-capture protection, the target app's packets can be captured directly by setting an HTTP proxy on the phone and pointing it at Charles, with no need for any other complex or reverse-engineering Hook techniques.

  • Device: iPhone 5S, Mac
  • Mac packet capture tool: Charles

Capture practice

The phone and the computer connect to the same Wi-Fi, so they are on the same LAN.

  • After Charles is installed on the Mac, set the proxy port to 8888.

  • Look up the Mac's LAN IP address.

  • Set the proxy on the phone: open Wi-Fi, find the connected network, open Configure Proxy, switch to Manual, and enter Charles' IP 192.168.43.16 and port 8888.

Charles will prompt about a new connection; just allow it.

  • After the steps above, packets sent over plain HTTP are captured successfully. For apps that transfer data over HTTPS, something extra is needed to see the plaintext before encryption. HTTPS is HTTP + SSL/TLS: an SSL layer added under HTTP to improve security. Here the Charles certificate is used to decrypt the traffic. Steps to install the Charles SSL certificate: open chls.pro/ssl in the phone's browser, tap Allow to download the profile, then install and trust the certificate in Settings. On newer iOS versions there are two things to do:
    • Install the profile: Settings – General – Profile, and install the downloaded profile.
    • Trust the certificate: Settings – General – Certificate Trust Settings, find the certificate and enable trust.
    • In Charles, open Proxy – SSL Proxying Settings, enable SSL Proxying, and add an Include location with host * and port 443.
  • The app's packets can then be viewed in Charles.

Direct routing

Introduction to the protection

With direct routing, client traffic goes straight to the server without passing through the proxy, even when a proxy is configured on the device. Take the ZXRequestBlock project as a reference:

+ (NSURLSession *)zx_sessionWithConfiguration:(NSURLSessionConfiguration *)configuration
                                     delegate:(nullable id<NSURLSessionDelegate>)delegate
                                delegateQueue:(nullable NSOperationQueue *)queue {
    if (!configuration) {
        configuration = [[NSURLSessionConfiguration alloc] init];
    }
    if (isDisableHttpProxy) {
        // Anti-proxy-capture switch is on: an empty proxy dictionary
        // tells NSURLSession to ignore the system proxy settings.
        configuration.connectionProxyDictionary = @{};
    }
    // The method is swizzled, so this call reaches the original implementation.
    return [self zx_sessionWithConfiguration:configuration delegate:delegate delegateQueue:queue];
}

The project sets connectionProxyDictionary to an empty dictionary to defeat capture and analysis by a man-in-the-middle proxy. The official documentation describes connectionProxyDictionary as follows: the default value is NULL, which means the system's proxy settings are used. The sample app simply sets connectionProxyDictionary to an empty dictionary to bypass Charles and similar capture software: all of the app's network requests work normally, but none of them pass through the Charles proxy. For this kind of protection, the traffic can still be captured by creating a virtual network interface on the phone.

Capture practice

  • Use a proxy app on the phone and configure it as follows: open the proxy app and tap the plus sign in the upper right corner of the home page.
  • Type: HTTP, address: the Charles IP 192.168.43.16, port: 8888.
  • Create an HTTPS proxy in the same way; the other proxy types are configured like the HTTP proxy. On the home page, set the global routing to the proxy.
  • Turn on the switch and capture the sample app's packets.

Connect to the phone from a shell on the Mac and view the phone's network interface information.

  • With the proxy app disabled:
  • With the proxy app started:

As you can see, the proxy app creates a virtual network interface on the phone and forwards the traffic to Charles, so the sample app's packets can be captured.

Frida bypasses iOS SSL Pinning

Introduction to SSL Pinning

SSL Pinning (SSL/TLS Pinning) is also called certificate pinning. As the name suggests, the SSL/TLS certificate is built into the mobile app client, and when the client makes a request it compares the built-in certificate with the server's certificate to decide whether the connection is valid. SSL Pinning is divided into one-way and two-way certificate verification:

  • One-way certificate verification: the app verifies the server's certificate, but the server does not verify the app's certificate.
  • Two-way certificate verification: the app verifies the server's certificate, and the server also verifies the app's certificate.

Today many mobile applications implement SSL Pinning. When you try to capture packets you see "Unable to connect to the network", "The request failed" and the like; with such protection the capture needed for analysis cannot be completed, so packet capture becomes the first barrier to analysis. This article breaks through that barrier with Frida and with objection, a tool built on Frida. The App Store is used as the example for breaking through one-way certificate verification.

  • Devices: jailbroken iPhone 5S, Mac
  • Mac packet capture tool: Charles
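To make concrete what the comparison in one-way pinning actually is, here is an added example in Python; it is not code from the original post or from any of the projects it references. A minimal DER reader pulls the SubjectPublicKeyInfo out of a certificate, hashes it into the "sha256/…" pin form used by HPKP and TrustKit, and the check fails closed. The certificates and key bytes are constructed inline with placeholder signatures, and the hostname and pin list are assumptions. Pinning the SPKI hash rather than the whole certificate lets the server renew its certificate under the same key, and the backup pin covers key rotation. A proxy-issued certificate for the same name is rejected because its key differs; that rejection is the check a non-validating verify callback removes, and it is also why emptying connectionProxyDictionary in the direct-routing section is not a security control: it changes where packets go, not whether the peer is authenticated.

```python
import base64
import hashlib

# ---- minimal DER encoder, used only to build the constructed sample certs ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

EC_PUBLIC_KEY = der(0x06, bytes.fromhex("2a8648ce3d0201"))           # 1.2.840.10045.2.1
PRIME256V1 = der(0x06, bytes.fromhex("2a8648ce3d030107"))            # 1.2.840.10045.3.1.7
SHA256_RSA = seq(der(0x06, bytes.fromhex("2a864886f70d01010b")))     # 1.2.840.113549.1.1.11

def ec_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for an uncompressed P-256 point (constructed bytes, not a real key)."""
    return seq(seq(EC_PUBLIC_KEY, PRIME256V1), der(0x03, b"\x00\x04" + point))

def sample_cert(common_name: bytes, spki: bytes) -> bytes:
    """Structurally valid X.509 v3 certificate with a placeholder (unsigned) signature."""
    name = seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x0c, common_name))))  # CN=
    validity = seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")),   # [0] EXPLICIT version v3
              der(0x02, b"\x01"),              # serialNumber
              SHA256_RSA, name, validity, name, spki)
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00" + bytes(32)))

# ---- minimal DER reader: enough to walk Certificate -> tbsCertificate -> SPKI ----
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, end) for the TLV at pos; single-byte tags, which X.509 uses."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def der_children(body: bytes):
    """Yield (tag, full TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        yield tag, body[pos:end]
        pos = end

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of the certificate."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_body, _ = der_read(cert_body)            # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:             # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_tlv = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected SPKI encoding")
    return spki_tlv

def spki_pin(cert_der: bytes) -> str:
    """Pin string in the HPKP/TrustKit form: sha256/<base64 of SHA-256(SPKI DER)>."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_check(cert_der: bytes, pins) -> bool:
    """True only when the leaf's SPKI pin is in the configured set; fails closed otherwise."""
    if not pins:
        return False
    try:
        return spki_pin(cert_der) in set(pins)
    except (ValueError, IndexError):
        return False

# ---- constructed sample data (placeholder points, not real P-256 keys) ----
SERVER_KEY = bytes(range(1, 65))
BACKUP_KEY = bytes(range(65, 129))
MITM_KEY = bytes(range(129, 193))
SERVER_CERT = sample_cert(b"api.example.com", ec_spki(SERVER_KEY))
BACKUP_CERT = sample_cert(b"api.example.com", ec_spki(BACKUP_KEY))
MITM_CERT = sample_cert(b"api.example.com", ec_spki(MITM_KEY))   # same name, proxy-issued key
PINS = [spki_pin(SERVER_CERT), spki_pin(BACKUP_CERT)]             # primary plus backup pin

if __name__ == "__main__":
    print("server :", pin_check(SERVER_CERT, PINS))   # True
    print("backup :", pin_check(BACKUP_CERT, PINS))   # True
    print("mitm   :", pin_check(MITM_CERT, PINS))     # False
```

In a real app this comparison runs inside the TLS trust-evaluation callback after normal chain validation, and a mismatch must abort the connection; pinning that falls back to "allow" on any error gives no protection.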

Install Frida

  • Frida is a very common open-source Hook tool: you only need to write a piece of JavaScript to Hook a specified function, and it covers essentially all mainstream platforms. Besides iOS, Android and PC applications can also be Hooked with it, which is very convenient.

  • Start Cydia and add the build.frida.re repository via Manage -> Sources -> Edit -> Add. Then find the Frida package in Cydia and install it, and finally plug the iOS device into the computer to start using Frida.

  • On the computer, use Python 3 and run pip install frida-tools.

Frida Hook App Store

Connect the phone to the computer over USB, open the App Store, and run frida-ps -Ua in the terminal on the Mac; the App Store process information appears.

When you open the App Store and try a packet capture, you can clearly see the symptom of SSL Pinning: no page content loads.

Frida script:

/*
 * Description: iOS 12 SSL Bypass based on blog post
 *   https://nabla-c0d3.github.io/blog/2019/05/18/ssl-kill-switch-for-iOS12/
 * Author: @macho_reverser
 */

// Variables
var SSL_VERIFY_NONE = 0;
var ssl_ctx_set_custom_verify;
var ssl_get_psk_identity;

/* Create SSL_CTX_set_custom_verify NativeFunction
 * Function signature
 * https://github.com/google/boringssl/blob/7540cc2ec0a5c29306ed852483f833c61eddf133/include/openssl/ssl.h#L2294
 */
ssl_ctx_set_custom_verify = new NativeFunction(
    Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_custom_verify"),
    'void', ['pointer', 'int', 'pointer']
);

/* Create SSL_get_psk_identity NativeFunction
 * Function signature
 * https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_get_psk_identity
 */
ssl_get_psk_identity = new NativeFunction(
    Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity"),
    'pointer', ['pointer']
);

// Verify callback that accepts any certificate chain
function custom_verify_callback_that_does_not_validate(ssl, out_alert) {
    return SSL_VERIFY_NONE;
}

// Native callback with the ssl_verify_result_t signature; the result must be returned
var ssl_verify_result_t = new NativeCallback(function (ssl, out_alert) {
    return custom_verify_callback_that_does_not_validate(ssl, out_alert);
}, 'int', ['pointer', 'pointer']);

// A 'pointer' return type needs a NativePointer, not a JS string; allocate once and keep it alive
var fake_psk_identity = Memory.allocUtf8String("notarealPSKidentity");

function bypassSSL() {
    console.log("[+] Bypass successfully loaded ");

    // Whichever verify callback the app installs, substitute the non-validating one
    Interceptor.replace(ssl_ctx_set_custom_verify, new NativeCallback(function (ssl, mode, callback) {
        ssl_ctx_set_custom_verify(ssl, mode, ssl_verify_result_t);
    }, 'void', ['pointer', 'int', 'pointer']));

    Interceptor.replace(ssl_get_psk_identity, new NativeCallback(function (ssl) {
        return fake_psk_identity;
    }, 'pointer', ['pointer']));
}

bypassSSL();

Save the script above as killSSL.js and load it with Frida to apply the Hook: frida -U --no-pause -f com.***.AppStore -l killSSL.js. Once the App Store opens, packets can be captured.

The script replaces the SSL_CTX_set_custom_verify and SSL_get_psk_identity callbacks in the Hooked app, so the server's certificate chain is never checked.

Quickly bypass SSL Pinning using objection

objection is developed on top of Frida and is very powerful. It has many commands and lets you do things like memory search, class and module search, and method Hooking that prints arguments, return values and call stacks, without writing a line of code.

Objection Hook SSL Pinning practice

These scripts work on iOS 12 but not on iOS 9, iOS 10, iOS 11 and so on. For future reference, the relevant code has been integrated into objection's source (at objection/blob/master/agent/src/ios/pinning.ts), where you can see that it handles multiple iOS versions as well as common frameworks. Reading the source shows that certificate pinning is circumvented by Hooking common libraries such as AFNetworking and some low-level methods.

Run pip install objection in the Mac terminal, then run objection -g com.**.AppStore explore. At this point objection is attached to the App Store; then run ios sslpinning disable in objection's own terminal to quickly bypass SSL Pinning, although whether this command succeeds depends on the app. The end result is the same as bypassing SSL Pinning with Frida.

Summary

Packet capture on iOS is not protected for most apps, which makes capturing packets easy. For apps that do have packet-capture protection, the protections can be broken through one by one. Two common ones, direct routing and SSL Pinning, were covered in this article; both can be broken through with proxy software or reverse-engineering Hook techniques.

References

  • codeshare.frida.re/@snooze6/io…
  • github.com/sensepost/o…
  • github.com/SmileZXLee/…
  • developer.apple.com/documentati…