Case Study: SSL Pinning
As someone who likes to poke around iOS and its apps, one very important source of information, and a method for understanding an app and its functions, is to view its network communications. However, because of all the new security measures developers put in to secure their apps (e.g. SSL pinning), we now need to find a way around them.
The following is a walkthrough showing how to bypass SSL pinning in an iOS app that I have come to love to hate.
Scene: The iOS app has been decrypted, modified, resigned and repackaged using resign, and loaded onto my iOS 10.1b3 device. Burp Proxy is running on my laptop, and the Wi-Fi HTTP proxy on my iOS device has been configured to point to my laptop.
- Starting the app with the following command and simply running Frida results in none of the SSL-pinned traffic being visible in Burp.
ios-deploy -b /Users/vincent/Desktop/ios/resign/build/Debug-iphoneos/resign.app -m
frida -U Gadget
So now let us use the ssl_killswitch.js Frida script.
- Start the app with the following command:
ios-deploy -b /Users/vincent/Desktop/ios/resign/build/Debug-iphoneos/resign.app -m
- Load Frida with the ssl_killswitch.js script:
frida -U --load=/Users/vincent/Desktop/swizzlerv2/frida_hooks/ssl_killswitch.js Gadget
This results in a lot more traffic being visible in Burp.
ssl_killswitch.js is a Frida script made up of a collection of hooks. The first section of hooks is a rewrite of nabla-c0d3's SSL Kill Switch 2 project in JS.
I have noticed that on iOS 10, hooking the SSLHandshake, SSLCreateContext and SSLSetSessionOption functions no longer works.
Thus I have also included SSL pinning bypass methods done the normal way, by rewriting SecTrustEvaluate, and also hooks for the SSL pinning methods of the various frameworks that I have come across, such as AFNetworking and Kony. More will be added as I come across them. I also appreciate any contributions from you, the community.
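To show why a single SecTrustEvaluate hook is not always enough, and why framework-specific hooks such as the AFNetworking ones are in the script, here is an added example (not from this project or from ssl_killswitch.js) of a URLSession delegate that pins the leaf certificate in addition to calling SecTrustEvaluate. It assumes a DER-encoded copy of the server certificate is bundled with the app as "server.cer" (a hypothetical filename); the certificate comparison in step 2 runs independently of what SecTrustEvaluate returns.

```swift
import Foundation
import Security

// Hypothetical pinning delegate for illustration (added example, not the app's real code).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertificateData: Data

    init(pinnedCertificateData: Data) {
        self.pinnedCertificateData = pinnedCertificateData
    }

    // Convenience loader for the bundled certificate; "server.cer" is an assumed resource name.
    static func loadPinnedCertificate() -> Data? {
        guard let url = Bundle.main.url(forResource: "server", withExtension: "cer") else { return nil }
        return try? Data(contentsOf: url)
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 1: standard chain validation by the system trust store.
        // This is the call that a runtime hook on SecTrustEvaluate can force to report success.
        var result = SecTrustResultType.invalid
        let status = SecTrustEvaluate(trust, &result)
        let chainIsTrusted = status == errSecSuccess && (result == .unspecified || result == .proceed)

        // Step 2: compare the presented leaf certificate byte-for-byte with the bundled copy.
        // This check does not depend on SecTrustEvaluate's return value, so forcing that
        // function to succeed leaves it intact; frameworks like AFNetworking do the same
        // inside their own security policy objects, which is why those get hooked separately.
        var leafMatches = false
        if let leaf = SecTrustGetCertificateAtIndex(trust, 0) {
            let presented = SecCertificateCopyData(leaf) as Data
            leafMatches = presented == pinnedCertificateData
        }

        if chainIsTrusted && leafMatches {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Wire it up with `URLSession(configuration: .default, delegate: PinnedSessionDelegate(pinnedCertificateData: data), delegateQueue: nil)`; a connection through Burp then fails at step 2 even if step 1 has been forced to pass.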