2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article shows you four ways to bypass iOS SSL verification and certificate pinning. The methods are concise and easy to follow, and I hope you take something away from the detailed walkthrough.
In the following examples I use Burp Suite as my web proxy. This article assumes the reader has a basic understanding of iOS, Xcode, configuring a mobile device, and using Burp to intercept HTTP traffic on iOS. I will introduce the following four ways to bypass SSL verification and certificate pinning in iOS:
Method 1: install your own CA certificate
Installing your own CA certificate is the first step toward getting rid of SSL errors, and it is relatively easy to do on iOS. The first thing to do is get the CA certificate onto the device, for example by opening it as an email attachment or downloading it. Then configure the mobile device to send its traffic through the web proxy so the proxy can intercept it. Specifically, for Burp Suite, all you have to do is visit http://burp in the device's browser and click "CA Certificate".
Next, you will be prompted to install the certificate.
When you click the Install button, you are asked to confirm adding the certificate to the list of trusted certificates.
You can go to Settings > General > Profile to verify that the certificate was installed successfully.
Method 2: install the software to the iOS device
If SSL errors still occur, or the application hangs while waiting for a connection, the application server may be using some form of TLS chain validation or SSL certificate pinning. The easiest way to bypass certificate pinning is to install ready-made tools that handle the process for us. Here are two tools I use:
SSLKillSwitch
Burp Mobile Assistant
For installation, refer to each tool's own installation instructions. These methods, however, require a jailbroken iOS device, and in recent years, as Apple has kept hardening iOS, jailbreaking has become harder and harder.
Method 3: use Objection and Frida
Another method that has proven to work is to use Frida hooks together with Objection. Frida is a very advanced framework that lets you instrument an application's code at run time. Normally Frida requires a jailbroken device, but we can instead use Frida Gadget, a shared library that embeds the full framework, so no jailbreak is needed. Objection is a wrapper around this framework that automates all of the work for us.
First, we need a valid provisioning profile and code signing certificate from an Apple developer account. You can create a valid provisioning profile by creating a test application in Xcode and signing up for a free developer account.
After creating the test project, the next step is to set up the code signing certificate. First open the Xcode preferences and select "Accounts". To add an Apple ID, click the plus sign in the lower left corner and log in to your account. Then click "Manage Certificates" in the lower right corner.
This takes you to the certificate management interface. To create a certificate, click the plus sign in the lower left box and select iOS Development. Once it has loaded, click Done, then click Download Manual Profiles to load the certificate onto your computer.
With the code signing certificate loaded on the computer, we can find it by running the following command:
NetSPIs-MacBook-Pro:Test netspi$ security find-identity
Policy: X.509 Basic
  Matching identities
  1) A[REDACTED]1 "iPhone Developer: [REDACTED]@netspi.com ([REDACTED])"
  2) 0[REDACTED]C "iPhone Developer: [REDACTED]@netspi.com ([REDACTED])"
     2 identities found

  Valid identities only
  1) A[REDACTED]1 "iPhone Developer: [REDACTED]@netspi.com ([REDACTED])"
  2) 0[REDACTED]C "iPhone Developer: [REDACTED]@netspi.com ([REDACTED])"
     2 valid identities found
We want to load the Frida Gadget dynamic library so that we can modify the application at run time. For an iOS application this means extracting the IPA file, modifying the binary so it loads FridaGadget.dylib, code signing the binary and the dylib, and then repackaging the updated IPA file. As mentioned above, Objection automates all of this for us. Simply run the following command, where -s is the IPA file and -c is the code signing certificate:
NetSPIs-MacBook-Pro:NetSPI netspi$ objection patchipa -s netspi_test.ipa -c 0[REDACTED]C
Using latest Github gadget version: 12.0.3
Remote FridaGadget version is v12.0.3, local is v12.0.1. Downloading...
Downloading from: https://github.com/frida/frida/releases/download/12.0.3/frida-gadget-12.0.3-ios-universal.dylib.xz
Downloading iOS dylib to /Users/netspi/.objection/ios/FridaGadget.dylib.xz...
Unpacking /Users/netspi/.objection/ios/FridaGadget.dylib.xz...
Cleaning up downloaded archives...
Patcher will be using Gadget version: 12.0.3
No provision file specified. Searching for one...
Found provision file /Users/netspi/Library/Developer/Xcode/DerivedData/test-fbleootdcdwdyafhyzjmvihvfiga/Build/Products/Debug-iphoneos/test.app/embedded.mobileprovision expiring in 307 days, 1:40:03.015176
Found a valid provisioning profile
Working with app: NetSPI.app
Bundle identifier is: com.netspi.test
Codesigning 13 .dylib's with signature 0[REDACTED]C
Code signing: libswiftDarwin.dylib
Code signing: libswiftUIKit.dylib
Code signing: libswiftCoreImage.dylib
Code signing: libswiftos.dylib
Code signing: libswiftObjectiveC.dylib
Code signing: libswiftCoreGraphics.dylib
Code signing: FridaGadget.dylib
Code signing: libswiftCore.dylib
Code signing: libswiftCoreFoundation.dylib
Code signing: libswiftMetal.dylib
Code signing: libswiftQuartzCore.dylib
Code signing: libswiftFoundation.dylib
Code signing: libswiftDispatch.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
Cannot find entitlements in binary. Using defaults
Copying final ipa from /var/folders/1k/mw7w1kfd4c96jkvkw5mp3qfm0000gn/T/netspi_test-frida-codesigned.ipa to current directory...
Cleaning up temp files...
Once the command finishes, a new IPA file called netspi_test-frida-codesigned.ipa is generated for us, and we can deploy it to the iOS device. There is a tool called ios-deploy that works with non-jailbroken iOS devices. It offers a number of different options depending on the task you want to accomplish (for example, running the debugger, deploying the application over USB, and so on).
To use ios-deploy, extract the IPA file and run the ios-deploy command. In the following example I specify that the application should be deployed over USB (-W), as well as the bundle to deploy (-b).
NetSPIs-MacBook-Pro:NetSPI netspi$ ios-deploy -W -b ./Payload/NetSPI.app
[....] Waiting for iOS device to be connected
[....] Using 3ff9c90d2b23beadeefdf7bc240211730c84adef (P105AP, iPad mini, iphoneos, armv7) a.k.a. 'MAPen's iPad'.
------ Install phase ------
[  0%] Found 3ff9c90d2b23beadeefdf7bc240211730c84adef (P105AP, iPad mini, iphoneos, armv7) a.k.a. 'MAPen's iPad' connected through USB, beginning install
[  5%] Copying /Users/netspi/test/NetSPI/Payload/NetSPI.app/META-INF/ to device
[TRUNCATED]
[ 52%] CreatingStagingDirectory
[ 57%] InspectingPackage
[ 60%] TakingInstallLock
[ 65%] PreflightingApplication
[ 65%] InstallingEmbeddedProfile
[ 70%] VerifyingApplication
[ 75%] CreatingContainer
[ 85%] PostflightingApplication
[ 95%] GeneratingApplicationMap
[100%] Installed package ./Payload/NetSPI.app
We have now installed the application on the iOS device. The next thing to do is to open the application and establish a connection to it through Objection.
NetSPIs-MacBook-Pro:NetSPI netspi$ objection explore
[objection ASCII-art banner]
(object)inject(ion) v1.3.0
Runtime Mobile Exploration
by: @leonjza from @sensepost

[tab] for command suggestions
com.netspi.test on (iPad: 9.0.1) [usb] #
After establishing the connection, we just need to run the built-in command that bypasses certificate verification, and then proxy the traffic.
com.netspi.test on (iPad: 9.0.1) [usb] # ios sslpinning disable
Job: b748974e-ed6d-4aaf-b5ea-3fb35a13720a - Starting
[3fb35a13720a] [ios-ssl-pinning-bypass] [NSURLSession] Found 1 matches for URLSession:didReceiveChallenge:completionHandler:
[3fb35a13720a] [ios-ssl-pinning-bypass] [NSURLConnection] Found 5 matches for connection:willSendRequestForAuthenticationChallenge:
[3fb35a13720a] [ios-ssl-pinning-bypass] Hooking lower level method: SSLSetSessionOption
[3fb35a13720a] [ios-ssl-pinning-bypass] Hooking lower level method: SSLCreateContext
[3fb35a13720a] [ios-ssl-pinning-bypass] Hooking lower level method: SSLHandshake
Job: b748974e-ed6d-4aaf-b5ea-3fb35a13720a - Started

Method 4: modify the IPA file using the disassembler
If all three methods fail, you can resort to a disassembler to modify the IPA file and bypass certificate verification. iOS disassembly is beyond the scope of this article; the most commonly used disassemblers for iOS are Hopper and IDA. Load the binary into the disassembler and study the logic of the function the mobile application calls when it tries to establish an SSL connection with the application server, to find where the certificate is pinned. Modifying the IPA is likely to break the application's signature and prevent it from being installed on iOS devices; you can solve this by re-signing the IPA file.
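Both Method 3 (Objection adds a load command for FridaGadget.dylib to the app binary) and Method 4 (patching the binary) leave the shipped Mach-O different from what the developer built. The following Python is an added example, not code from the original post or from Objection, showing the check a defender or app-intake pipeline can run: walk the Mach-O load commands and flag any LC_LOAD_DYLIB entry naming an instrumentation library. The watch list and the minimal Mach-O fixture built by build_sample are constructed for illustration; a real IPA must be unzipped and a fat binary sliced to one architecture before the main executable is scanned.

```python
import struct
import sys
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # 32- and 64-bit thin images
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
# Constructed watch list: libraries a stock app build should never link against.
WATCH_LIST = ("fridagadget", "libfrida", "substrate", "cycript")

def linked_dylibs(data):
    """Return the install names of every dylib a little-endian thin Mach-O links."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32                      # mach_header_64 is 32 bytes
    elif magic == MH_MAGIC:
        off = 28                      # mach_header is 28 bytes
    else:
        raise ValueError("not a little-endian thin Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end, names = off + sizeofcmds, []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, name offset (relative to the command), ...
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names

def find_injected(data):
    """Dylib names that match the watch list, e.g. '@executable_path/FridaGadget.dylib'."""
    return [n for n in linked_dylibs(data) if any(w in n.lower() for w in WATCH_LIST)]

def build_sample(dylibs, magic=MH_MAGIC_64):
    """Constructed fixture: a minimal Mach-O whose only load commands are LC_LOAD_DYLIB."""
    cmds = b""
    for name in dylibs:
        body = name.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)          # keep each command 8-byte aligned
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(body), 24, 2, 0x10000, 0x10000) + body
    header = struct.pack("<7I", magic, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0)
    return header.ljust(32 if magic == MH_MAGIC_64 else 28, b"\0") + cmds

if __name__ == "__main__":                        # usage: python check_ipa_binary.py Payload/App.app/App
    with open(sys.argv[1], "rb") as fh:
        hits = find_injected(fh.read())
    print("injected dylibs:", hits or "none found")
```

A Method 4 patch to a function body leaves the load commands untouched, so pair this scan with code-signature verification (for example `codesign --verify` on macOS) to catch that case too.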
Those are the four ways to bypass iOS SSL verification and certificate pinning. Have you picked up any new knowledge or skills? If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.