datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

Delegates cannot be added #122

Status: Closed (manizzle closed this 7 years ago)

manizzle commented 7 years ago

So I understand that not all callers of NSURLSession will have supplied Delegates, but if I wanted to sniff all SSL certs, shouldn't I be able to add my own delegate to all calls of sessionWithConfiguration:delegate:delegateQueue: ? Why does the code specifically not do this when there is no delegate defined?

I am referring to this line: https://github.com/datatheorem/TrustKit/blob/master/TrustKit/Swizzling/TSKNSURLSessionDelegateProxy.m#L66

manizzle commented 7 years ago

Just for example, if I were to uncomment that line, and allow the swizzled delegate to be passed along, https://github.com/datatheorem/TrustKit/blob/master/TrustKit/Swizzling/TSKNSURLSessionDelegateProxy.m#L170 and https://github.com/datatheorem/TrustKit/blob/master/TrustKit/Swizzling/TSKNSURLSessionDelegateProxy.m#L207 are never called.

nabla-c0d3 commented 7 years ago

In this case, if we set our own custom delegate, it means that we override the NSURLSession default delegate (referred to as the "System-Provided delegate" in the documentation) and then have to properly handle all the delegate methods. However, TrustKit would not know what to do in most scenarios (such as when an error or a response was received).

In theory we could forward the calls to the system-provided delegate, but the delegate doesn't seem to be documented and might be a private API.

manizzle commented 7 years ago

Seems like if a user does not use a custom delegate, they are required to set a completion handler. In this case, the delegate methods will not be called, and only the completion handler will be called.

https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/UsingNSURLSession.html

https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/URLLoadingSystem/NSURLSessionConcepts/NSURLSessionConcepts.html#//apple_ref/doc/uid/10000165i-CH2-SW1

So, basically if the user doesn't pass a custom delegate we are screwed, because they will pass a completion handler and that will override any delegate we inject by swizzling. I am guessing that is probably why I wasn't seeing any calls to the custom delegate methods.

I came across this: https://github.com/vtky/Swizzler2 and will give it a try. Seems they have a solution that works for iOS 10+.
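Added example (not TrustKit's code, and not from any participant in this thread): a minimal session-level NSURLSessionDelegate that performs certificate pinning in URLSession:didReceiveChallenge:completionHandler: and is installed through sessionWithConfiguration:delegate:delegateQueue:, the call discussed above. It illustrates the two points raised in the thread: what a delegate injected at that call actually has to implement, and what happens when the caller uses a completion-handler task. The pin constant kPinnedLeafCertSHA256Hex, the placeholder host and the hash-of-leaf-DER pinning scheme are assumptions for the example; SecTrustEvaluateWithError requires iOS 12 / macOS 10.14 or later. Apple's documentation for the completion-handler task constructors states that delegate methods for handling authentication challenges are still called even though response and data delivery are routed to the completion handler instead of the delegate, so a session-level server-trust check like this one still runs for completion-handler tasks; since every NSURLSessionDelegate method is optional, the delegate does not need to implement anything beyond the challenge method, and the unimplemented methods keep the framework's default behaviour.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical pin: hex SHA-256 of the expected leaf certificate's DER encoding.
// Placeholder value, not a real hash; a deployment would fill in the hash of its
// own certificate (or, as TrustKit does, pin public keys rather than whole certs).
static NSString *const kPinnedLeafCertSHA256Hex = @"<sha256-of-leaf-cert-der-hex>";

@interface PinningSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinningSessionDelegate

// Hex-encoded SHA-256 of a certificate's DER bytes.
static NSString *SHA256Hex(SecCertificateRef cert) {
    NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    return hex;
}

// Session-level challenge handler. This is the only delegate method implemented;
// all other NSURLSessionDelegate methods are optional and keep default behaviour.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge: leave it to the system's default handling.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // 1. Standard chain validation first; pinning adds to it, never replaces it.
    CFErrorRef error = NULL;
    BOOL chainValid = SecTrustEvaluateWithError(trust, &error);
    if (error) CFRelease(error);
    if (!chainValid) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // 2. Compare the leaf certificate presented by the server against the pin.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    if (leaf && [SHA256Hex(leaf) isEqualToString:kPinnedLeafCertSHA256Hex]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Pin mismatch: fail closed. This is also the point where a pinning
        // library would emit a validation-failure report.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

int main(int argc, char *argv[]) {
    @autoreleasepool {
        PinningSessionDelegate *delegate = [PinningSessionDelegate new];
        NSURLSession *session =
            [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]
                                          delegate:delegate
                                     delegateQueue:nil];
        NSURL *url = [NSURL URLWithString:@"https://example.invalid/"]; // placeholder host
        dispatch_semaphore_t done = dispatch_semaphore_create(0);
        // Completion-handler task: the data/response delegate callbacks are bypassed,
        // but the session-level didReceiveChallenge above still runs for the TLS handshake.
        [[session dataTaskWithURL:url
                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
            NSLog(@"finished: %@", error ? error.localizedDescription : @"ok");
            dispatch_semaphore_signal(done);
        }] resume];
        dispatch_semaphore_wait(done, DISPATCH_TIME_FOREVER);
    }
    return 0;
}
```

Build with `clang -framework Foundation -framework Security -fobjc-arc pinning.m -o pinning`. With the placeholder pin every connection is cancelled, which is the intended fail-closed behaviour; the interesting observation is that the cancellation originates in the session-level delegate even though the task was created with a completion handler.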

manizzle commented 7 years ago

Looks like Frida is doing something pretty cool: hooking SecTrustEvaluate, and it seems to be working.