search

nabla-c0d3 / ssl-kill-switch2

Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
Other
3.08k stars 466 forks source link

Not working on iOS 12.1: Apps are crashing, SpringBoard in safe mode #60

Closed markus0m closed 5 years ago

markus0m commented 5 years ago

I can't seem to get the latest release to properly work with iOS 12.1 Apps initially seemed to just crash on accessing network data when the tweak was active. Respring with the tweak active now always puts SpringBoard in safe mode. So I have no way of disabling it through the Settings any more but can only re-/deinstall it.

I managed to fire a request from the App Store app with the tweak (probably) active but all I got in Charles was _handshakefailure (40)

Any hints where I could start? Does anyone have a working setup on 12.1?

Ruegg commented 5 years ago

@markus0m Same here, any app will just crash upon making a request with me when SSLKillSwitch is toggled, and I'm on 12.1.2

Tustin commented 5 years ago

Same problem here. I even tried re-implementing the iOS 12 method using Frida but I didn't have much success. Not sure if I'm just doing something wrong as this was my first attempt at using Frida for scripting. If anyone wants to try messing with it then feel free:

note: For some reason, I couldn't find SSL_get_psk_identity in the symbols list so I just ignored it considering the blog post (which is awesome btw) stated that it only fixed the error on the first connection.

function main()
{
    var module = Process.getModuleByName('libboringssl.dylib');

    var symbols = module.enumerateSymbols();

    var SSL_get_psk_identity_pointer = null;
    var SSL_CTX_set_custom_verify_pointer = null;

    for (var i = 0; i < symbols.length; i++)
    {
        if (symbols[i]['name'] == 'SSL_get_psk_identity')
        {
            console.log('found SSL_get_psk_identity');
            SSL_get_psk_identity_pointer = symbols[i]['address'];
            break;
        }
        else if (symbols[i]['name'] == 'SSL_CTX_set_custom_verify')
        {
            console.log('found SSL_CTX_set_custom_verify');
            SSL_CTX_set_custom_verify_pointer = symbols[i]['address'];
            break;
        }
    }

    // if (SSL_get_psk_identity_pointer == null)
    // {
    //     console.log('ERROR: SSL_get_psk_identity address pointer not found!');
    //     return;
    // }
    if (SSL_CTX_set_custom_verify_pointer == null)
    {
        console.log('ERROR: SSL_CTX_set_custom_verify address pointer not found!');
        return;
    }

    const SSL_VERIFY_NONE = 0;

    var SSL_CTX_set_custom_verify = new NativeFunction(SSL_CTX_set_custom_verify_pointer, "void", ["pointer", "int", "pointer"]);
    var SSL_CTX_set_custom_verify_callback = new NativeCallback(function(ssl, out_alert) {
        console.log('called fake callback');
        return 0; // ssl_verify_ok
    }, "int", ["pointer", "pointer"]);

    Interceptor.replace(
        ptr(SSL_CTX_set_custom_verify_pointer),
        new NativeCallback(function(ctx, mode, callback) {
            console.log('hit');

            SSL_CTX_set_custom_verify(ctx, SSL_VERIFY_NONE, ptr(SSL_CTX_set_custom_verify_callback));
        },
    "void", ["pointer", "int", "pointer"]));

}

main();
blunden commented 5 years ago

It works fine for me on two different devices, one with iOS 12.1 and one with iOS 12.2. Both are jailbroken with the unc0ver jailbreak. Others with the same issue described here seemed to use the Chimera jailbreak which uses their own Mobile Substrate replacement called Substitute which can cause issues with some tweaks from what I've heard.

nabla-c0d3 commented 5 years ago

Duplicate of https://github.com/nabla-c0d3/ssl-kill-switch2/issues/63