How to bypass SSL pinning on iOS apps

Bypassing SSL pinning on iOS devices can be quite complex and often involves using various tools and techniques. Here are some common methods and tools used for this purpose:

1. Using Frida:

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It can be used to bypass SSL pinning by injecting custom scripts into running applications.

Steps:

1. Install Frida and Objection on your computer (Windows/Mac/Linux):

   pip install frida-tools

   pip install objection

2. Launch the app and attach Frida:

   frida -U -f <APP_BUNDLE_ID> -l frida_script.js --no-pause

3. Example Frida script (frida_script.js). Note that this particular script hooks Android's javax.net.ssl classes through Frida's Java bridge, so it only applies to Android apps; for an iOS target use an iOS-specific script such as the one linked below.

   // Hooking common SSL pinning methods (Android Java bridge)
   Java.perform(function() {
       var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
       var SSLContext = Java.use('javax.net.ssl.SSLContext');

       // TrustManager: a custom implementation whose checks never throw,
       // so every certificate chain is treated as trusted
       var TrustManager = Java.registerClass({
           name: 'com.sensepost.test.TrustManager',
           implements: [X509TrustManager],
           methods: {
               checkClientTrusted: function(chain, authType) {},
               checkServerTrusted: function(chain, authType) {},
               getAcceptedIssuers: function() { return []; }
           }
       });

       // SSLContext init: swap in the custom TrustManager in place of
       // whatever TrustManagers the app passes to SSLContext.init()
       var TrustManagers = [TrustManager.$new()];
       var SSLContext_init = SSLContext.init.overload(
           '[Ljavax.net.ssl.KeyManager;',
           '[Ljavax.net.ssl.TrustManager;',
           'java.security.SecureRandom');
       SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
           // Frida scripts log with console.log (there is no print function)
           console.log('[*] SSLContext init');
           SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
       };
   });

There are more examples like this one on Frida Codeshare: https://codeshare.frida.re/@snooze6/ios-pinning-disable/

4. Running Objection:

   objection -g <APP_NAME> explore

In the Objection console, use:

   ios sslpinning disable

Now you can see the HTTPS traffic in the Burp “Proxy” window.

2. Using Burp Suite with SSL Kill Switch 3:

SSL Kill Switch 3 is a dynamic library that disables SSL certificate validation on iOS devices. This tool can be used in conjunction with Burp Suite to intercept and analyze HTTPS traffic.

You can use this technique even if you do not have a jailbroken iPhone.

Steps:

1. Download the latest release of SSL Kill Switch 3 from https://github.com/NyaMisty/ssl-kill-switch3.

2. Jailbreak your iOS device and install the Sileo app store. If you do not have a jailbroken iPhone, skip this step and the next one: instead, use Sideloadly or ESign to inject the dylib into the IPA file and install the patched app. Alternatively, you can use the “objection patchipa” command to attach Frida to your app.

3. Install SSL Kill Switch 3 from Sileo.

4. Configure Burp Suite:

– Set up Burp Suite to listen on a specific port.

– Install the Burp Suite CA certificate on your iOS device.

5. Trust the Burp Suite CA certificate in your iPhone:

– Go to Settings > General > About > Certificate Trust Settings and enable full trust for the Burp Suite CA certificate.

6. Enable SSL Kill Switch 3 in the settings of the jailbreak tweak.

3. Using Charles Proxy with iOS Settings:

Charles Proxy is another popular web debugging proxy application that can be used to intercept HTTP and HTTPS traffic from your iOS device.

Steps:

1. Install Charles Proxy on your computer.

2. Configure Charles Proxy to allow SSL proxying.

3. Install the Charles CA certificate on your iOS device:

– Download the Charles CA certificate from http://charlesproxy.com/getssl.

– Go to Settings > General > Profile and install the Charles Proxy certificate.

4. Trust the Charles Proxy certificate:

– Go to Settings > General > About > Certificate Trust Settings and enable full trust for the Charles Proxy certificate.

5. Configure your iOS device to use Charles Proxy:

– Go to Settings > Wi-Fi > [Your Network] > HTTP Proxy and set it to manual with the IP address and port of your computer running Charles Proxy.

6. After this, if the app uses certificate pinning, you will have to use:

   # List code-signing identities; use the hash of the one you want below
   security find-identity -p codesigning -v

   # Next command injects FridaGadget.dylib into the app
   objection patchipa --source app.ipa --codesign-signature XXXXXXXX

   # Deploy the app onto the iPhone again
   ios-deploy --bundle Payload/app.app -W -d

Other tools for traffic inspection worth mentioning are:

Disclaimer:

Bypassing SSL pinning can be used for legitimate security research and testing purposes. However, it can also be misused. Ensure you have proper authorization before attempting to bypass SSL pinning on any application or device. Unauthorized tampering with applications can have legal and ethical implications. Always follow ethical guidelines and legal requirements.
