Closed ghost closed 4 years ago
I've encountered the problem that adding too much hook will slow down the launch of application, which caused the target app crash immediately. I temporary disabled some hooks in this commit https://github.com/chaitin/passionfruit/commit/7ced7a642ee261ddb6d5160efa714b1cc5551861, including the TouchID bypass hook.
Thank you for reporting the issue! Will find out a better approach.
Thanks for considering. It's such a great application and a lifesaver. I've used it recently for testing an application using FaceID authentication.
@ChiChou Have you had the chance to look into it?
@antoniozekic Oh sorry, it's Chinese New Year holiday now.
Just pushed a temporary workaround to the master branch. To upgrade:
git pull && npm install && cd gui && npm install
Should add a preference page to control touch id bypass and other hooks. But I can't tell when it will be shipped.
Thanks, I'll check it out right away.
Actually the Touch ID / Face ID bypass is here: https://github.com/chaitin/passionfruit/blob/17d0aea/agent/app/ui.js#L10
The problem is my only jailbroken device that physically supports touch id is on iOS 11, and I am waiting for the stable Cydia.
I've tried the fix but the whole app just wasn't working (just listing), so I'll try again to make sure it's because of my setup, however it was just git pull && npm install && cd gui && npm install.
Cydia for iOS 11 is out, but seems like frida is broken. Need an app to reproduce this
Frida is working for me on iOS 11.0.3 and 11.1.1 so I can try...
Finally frida for iOS 11 is out. Will investigate it tomorrow.
Great! Please let me know if I can help with testing! I do own iOS 11.1.2 device and have an application that uses TouchID for authentication.
@ChiChou Hi! Have you by any chance had the time to look at this?
I get the TouchID prompt and after the confirmation the result is: "Empty result"
Which app?
An application I'm pentesting available only via TestFlight. However, the same problem persists on other apps that have TouchID login such as Box, Simplenote, Telegram, Outlook.
Are you on the fix/touchid branch?
git fetch origin
git checkout fix/touchid
npm run dev
I'm 100% sure that I'm on the fix/touchid branch. I even double-checked it now.
Does this standalone script work for you app?
$ frida -U TheApp
And paste this
// Hook -[LAContext evaluatePolicy:localizedReason:reply:] and answer the reply block
// ourselves instead of letting the system show the Touch ID / Face ID prompt
const method = ObjC.classes.LAContext['- evaluatePolicy:localizedReason:reply:'];
method.implementation = ObjC.implement(method, function (self, sel, policy, reason, reply) {
  // reply is a void (^)(BOOL success, NSError *error) block; report success with no error
  const callback = new ObjC.Block(ptr(reply));
  callback.implementation(1, null);
});
It should bypass the prompt (if as expected)
[iPhone::TheApp]-> method = ObjC.classes.LAContext['- evaluatePolicy:localizedReason:reply:']; method.implementation = ObjC.implement(method, function (self, sel, policy, reason, reply) { const callback = new ObjC.Block(ptr(reply)); callback.implementation(1, null); }) "0x101e78000" [iPhone::TheApp]->
Needle has this option which is working: https://github.com/mwrlabs/needle/blob/master/needle/modules/storage/data/keychain_dump_frida.py
Sorry for referencing another tool...
Did the prompt show?
I've successfully used this on Safari password manager.
Prompt showed successfully.
That's not successful... It is expected to bypass the dialog
Is there any hope that this can be solved and that passionfruit can show keychain items? I haven't been successful on displaying keychain items on iOS 9.x, 10.x or 11.x on any application...
Wish this commit could help... https://github.com/chaitin/passionfruit/commit/1b79c84891408971afea06a742ce95786e65407e
Finally I can reproduce it on Safari
Okay I know what it is
// query is the NSMutableDictionary handed to SecItemCopyMatching; ask the Security
// framework to fail instead of showing the Touch ID / Face ID prompt for protected items
const kSecUseAuthenticationUI = Module.findExportByName('Security', 'kSecUseAuthenticationUI').readPointer();
const kSecUseAuthenticationUIFail = Module.findExportByName('Security', 'kSecUseAuthenticationUIFail').readPointer();
query.setObject_forKey_(kSecUseAuthenticationUIFail, kSecUseAuthenticationUI);
Is it possible to modify https://github.com/chaitin/passionfruit/blob/master/agent/keychain.js in order to list the keychain items and their attributes when TouchID or FaceID is used for authentication?
For some reason, when TouchID is active in the application, no data is displayed.
MWR needle has a great example (I'm using this script currently): https://github.com/mwrlabs/needle/blob/master/needle/modules/storage/data/keychain_dump_frida.py
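As an added illustration of the app-side view of both techniques in this thread (example code, not passionfruit's or needle's): the LAContext hook above only forges the Boolean an app chooses to trust, whereas a secret stored behind a SecAccessControl biometry requirement is released by the Secure Enclave only after a real authentication, and the UI-less query a keychain dumper sends (kSecUseAuthenticationUI set to kSecUseAuthenticationUIFail, as in the passionfruit fix) then returns errSecInteractionNotAllowed instead of the data. The service and account names and the .biometryCurrentSet flag (iOS 11.3+) are assumptions.

```swift
import Foundation
import Security

// Constructed example; service/account names are placeholders, not from any real app.
let kService = "com.example.app"
let kAccount = "session-token"

private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
    ]
}

/// Store a secret whose release is gated by the Secure Enclave rather than by the
/// Boolean an LAContext reply block reports. A hooked reply(1, nil) unlocks nothing.
func storeBiometricSecret(_ secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet (iOS 11.3+) also invalidates the item when biometrics are re-enrolled.
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError) else { return errSecParam }

    _ = SecItemDelete(baseQuery() as CFDictionary)   // make re-storing idempotent
    var attrs = baseQuery()
    attrs[kSecAttrAccessControl as String] = acl
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Read the secret. allowUI == false issues the same kind of query a keychain dumper
/// sends (kSecUseAuthenticationUI = kSecUseAuthenticationUIFail): for an ACL-protected
/// item the result is errSecInteractionNotAllowed (-25308) and no data.
func readBiometricSecret(allowUI: Bool) -> (OSStatus, Data?) {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationUI as String] =
        allowUI ? kSecUseAuthenticationUIAllow : kSecUseAuthenticationUIFail
    if allowUI {
        query[kSecUseOperationPrompt as String] = "Unlock your session"
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return (status, result as? Data)
}
```

Calling readBiometricSecret(allowUI: true) triggers the system prompt and returns the data only after the Secure Enclave accepts the user; readBiometricSecret(allowUI: false) is what a dumper sees.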