ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

SSLStrip / Fake SSL certs for emulated domains #1013

Open lessless opened 3 years ago

lessless commented 3 years ago

Hi,

I know that it's a bit away from the mainline of business, but something that I'd be happy to pay for, so here it is.

I have an app on iOS that talks to a remote server that I can't control, and it doesn't work for God knows why. I'd like to debug what it's doing and write my own client, but I can't because it can't connect to the remote host: handshakeFailed(NIOSSL.BoringSSLError.sslError([])).

I can spawn a local HTTP server and start reverse-engineering the API but in order to do that, I need to trick iOS to accept a root cert with which I signed an SSL cert for emulated domain on the localhost.

It'd be great if I could generate an SSL cert for a specific host off the ProxyMan CA cert which is already installed on the iOS (thanks for the handy procedure btw) or if ProxyMan could strip SSL.

NghiaTranUIT commented 3 years ago

handshakeFailed(NIOSSL.BoringSSLError.sslError([]))

If you get this error from the iOS app, even though you have installed and trusted the Proxyman Certificate on your iOS device, it seems that the app is using SSL-Pinning, which prevents Proxyman from intercepting its HTTPS traffic.

You can verify it by trying to intercept https://google.com in Safari on your iOS device. If you can intercept it, your setup is correct. Then try your iOS app; if it doesn't work, it's likely that the app is using SSL Pinning.

In this case, there is no way to intercept the app because it always rejects all invalid HTTPS connections.

I need to trick iOS to accept a root cert with which I signed an SSL cert for emulated domain on the localhost.

I'm not sure why you need to generate an SSL certificate on your own, because Proxyman already does that automatically if you follow the iOS Guideline and set it up properly. Proxyman dynamically generates a leaf certificate from a self-signed Proxyman Root certificate, which you've installed on your device.

Spawn a local HTTP server and start reverse-engineering

If you would like to capture from your HTTP server, you can follow this diagram:

Your iOS app -> Proxyman -> Proxy to your fake localhost by using the Scripting tool with this code snippet.

However, you have to make sure that in this step: Your iOS app -> Proxyman, Proxyman is able to capture HTTPS traffic without any errors.
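An added example (not Proxyman's code, and not the scripting snippet referred to above) that models the two points made here: a debugging proxy mints a per-host leaf from its installed root, so a client that trusts that root passes chain and hostname checks, while a client that pins the genuine server's public key rejects the same leaf. It assumes openssl on PATH and uses a constructed hostname, api.example.test.

```shell
#!/bin/sh
# Added example, not Proxyman's code. Models what a debugging proxy does with
# its installed root: mint a leaf cert for whatever host the client asked for.
# Then shows why chain validation accepts it while a pinning client does not.
set -eu

# Mint a self-signed test root plus a leaf for $1 (hostname) into $2 (dir).
mint_leaf() {
  host=$1; dir=$2; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # SAN must match the host the client connects to, or hostname checks fail.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" >"$dir/ext.cnf"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 7 -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" 2>/dev/null
}

# Chain + hostname check, as a client that trusts the root would perform it.
chain_ok() {  # $1 = hostname, $2 = dir; prints ok or fail
  if openssl verify -CAfile "$2/ca.pem" -verify_hostname "$1" "$2/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# SPKI pin: SHA-256 of the DER-encoded public key, base64 encoded.
spki_pin() {  # $1 = cert file
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary | openssl base64
}

# Emulates a pinning client: accepts only if the leaf's pin equals the pinned one.
pin_ok() {  # $1 = pinned value, $2 = cert file; prints ok or fail
  if [ "$1" = "$(spki_pin "$2")" ]; then echo ok; else echo fail; fi
}

# Demo with a constructed hostname: "real" stands for the genuine server,
# "proxy" for a leaf minted by the debugging proxy's root for the same name.
demo() {
  w=$(mktemp -d); h=api.example.test
  mint_leaf "$h" "$w/real"; mint_leaf "$h" "$w/proxy"
  pinned=$(spki_pin "$w/real/leaf.pem")
  echo "proxy leaf, chain check:  $(chain_ok "$h" "$w/proxy")"               # ok
  echo "proxy leaf, pinned check: $(pin_ok "$pinned" "$w/proxy/leaf.pem")"   # fail
  rm -rf "$w"
}
demo
```

The pin of the genuine server's key is what a pinning app ships with, so no leaf signed by a different root can satisfy it, whatever the device trusts.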

lessless commented 3 years ago

Thanks for the quick response @NghiaTranUIT.

Indeed, Scripting might help here, but I'm struggling to make it work: the request still goes to the original host.

(screenshot: Main Window)

(screenshot: Tools)

NghiaTranUIT commented 3 years ago

Just wondering:

  1. If you don't use the Scripting. Are you able to see HTTPS traffic from this domain? It needs to be working before using the Scripting.
  2. Have you installed and trusted the certificate on your iOS device from https://docs.proxyman.io/debug-devices/ios-device ?

NghiaTranUIT commented 3 years ago

From your Main Window screenshot, it seems that the app doesn't accept SSL handshakes from Proxyman. I suppose that it's using SSL-Pinning.

What app are you trying to intercept? 🤔

lessless commented 3 years ago

If you don't use the Scripting. Are you able to see HTTPS traffic from this domain? It needs to be working before using the Scripting.

That app has one screen and one button, and that's the only request that I can trigger.

Have you installed and trusted the certificate on your iOS device from https://docs.proxyman.io/debug-devices/ios-device ?

Yes, I can open https://google.com without any problems

What app are you trying to intercept? 🤔

https://apps.apple.com/lb/app/track-my-application/id1455491722. As you can see from the comments, it's not in a working state, and I suspect it's a problem with the client.

lessless commented 3 years ago

Just to double-check that I've really installed and trusted the ProxyMan cert on the iOS device:

(screenshot: profile)

(screenshot: certificate trust settings)

NghiaTranUIT commented 3 years ago

It seems that it's the app problem (The app server is down), so I don't know how to fix it.

lessless commented 3 years ago

@NghiaTranUIT https://gw.apim.tlscontact.com/ itself is not down, so I believe it's the problem with an iOS client.

That's why I want to re-route its requests to a local web server running on the same machine as ProxyMan. But I couldn't do that, neither with Scripting nor with the Mapping Tool: the requests are still going to the original server.