nabla-c0d3 / ssl-kill-switch2

Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.

Not working with Apple Push Service (apsd) #67

Open a3135134 opened 5 years ago

a3135134 commented 5 years ago

Hi, I'm trying to decrypt the SSL traffic of Apple's Home app (the official HomeKit app). After installing the newest SSL-Kill-Switch2, I thought I had killed the related processes (e.g. apsd, homed), but it didn't work. I still got the "Handshake failed" error: the client may not trust the proxy's certificate for courier.push.apple.com. Could anyone provide any ideas on this issue? Can ssl-kill hook Apple's push service? Thanks!

a3135134 commented 5 years ago

In addition, from the log in Xcode, I saw that "apsd" got an error in the SSL handshake, and the error still continuously occurred even though I killed the apsd process.

(I'm using iOS 12.2)

a3135134 commented 5 years ago

Well, I used Frida and hooked SecTrustEvaluate(); it works.

Reference: https://kov4l3nko.github.io/blog/2018-05-27-sll-pinning-hook-sectrustevaluate/

philok93 commented 5 years ago

Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response from Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows an error in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

a3135134 commented 5 years ago

> Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response from Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows an error in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw the client send the first message to the server in Wireshark, and the client shut down the connection because of no response from the server. It is said that the server also checks the certificate of the client. Even though I configured the client's certificate in mitmproxy, it didn't work.

philok93 commented 4 years ago

> > Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response from Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows an error in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!
>
> Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw the client send the first message to the server in Wireshark, and the client shut down the connection because of no response from the server. It is said that the server also checks the certificate of the client. Even though I configured the client's certificate in mitmproxy, it didn't work.

I face the same problem: even configuring client and server certificates for authentication, I don't get a response from Apple's servers. Maybe apsd uses a low-level SSL certificate check, or I don't know what the reason should be. For sure certificates are hardcoded in apsd and Frida doesn't work for low-level hook functions (at least from what I understand). Did you find any other daemon that tries to authenticate with Apple?

a3135134 commented 4 years ago

> > > Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response from Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows an error in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!
> >
> > Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw the client send the first message to the server in Wireshark, and the client shut down the connection because of no response from the server. It is said that the server also checks the certificate of the client. Even though I configured the client's certificate in mitmproxy, it didn't work.
>
> I face the same problem: even configuring client and server certificates for authentication, I don't get a response from Apple's servers. Maybe apsd uses a low-level SSL certificate check, or I don't know what the reason should be. For sure certificates are hardcoded in apsd and Frida doesn't work for low-level hook functions (at least from what I understand). Did you find any other daemon that tries to authenticate with Apple?

I'm sure the client trusts the proxy's certificate after hooking with Frida because I saw the first message from the apsd client in my proxy. I also hooked imagent, cloudd and identityservicesd, and there was no error from my mitm proxy. However, I still face that problem: the server didn't respond in that established SSL connection from my proxy. Carefully inspecting the traffic may throw some light on this strange behavior? Instead, I'm now considering hooking the functions that deal with the messages, e.g., SSL_read() and SSL_write(), to read the plaintext from apsd, though I have not been able to find the correct functions yet. Did you consider this method?
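
The behaviour both commenters describe above (the client has been made to trust the proxy, the handshake appears to complete, yet the server never answers) is what mutual TLS looks like from the outside: the server authenticates the client with a certificate whose private key only the real device holds, so an interposing proxy without that key is rejected regardless of what the client trusts. The following added example, which is not code from this issue or from SSL Kill Switch 2, reproduces that with Go's standard library: it builds a constructed root CA, a server certificate and a client certificate in memory, starts a loopback server that requires a client certificate, and compares a connection that presents the device's certificate with one that does not. All names and certificate subjects are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template builds a minimal certificate template for the constructed PKI used here.
func template(cn string, serial int64, isCA bool, usage []x509.ExtKeyUsage) *x509.Certificate {
	keyUsage := x509.KeyUsageDigitalSignature
	if isCA {
		keyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              keyUsage,
		ExtKeyUsage:           usage,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN for the server
	}
}

// issue generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startServer listens on loopback and requires a client certificate chaining to caPool.
// It echoes the first message it receives; the handshake runs implicitly on the first Read.
func startServer(serverCert tls.Certificate, caPool *x509.CertPool) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-TLS requirement
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.SetDeadline(time.Now().Add(5 * time.Second))
				buf := make([]byte, 64)
				n, err := c.Read(buf) // fails here when the peer has no acceptable client cert
				if err != nil {
					return
				}
				c.Write(append([]byte("echo:"), buf[:n]...))
			}(c)
		}
	}()
	return ln, nil
}

// exchange connects as a client trusting roots, optionally presenting clientCert,
// sends one message and returns the server's reply or the first error encountered.
func exchange(addr string, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("hello")); err != nil {
		return "", err
	}
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 the server's rejection surfaces here
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

// Demo returns the reply obtained with the device's client certificate and the error a
// client without it (a proxy that was merely trusted by the device) receives instead.
func Demo() (withCert string, withoutCertErr error, err error) {
	ca, caKey, err := issue(template("Constructed Root CA", 1, true, nil), nil, nil)
	if err != nil {
		return
	}
	srv, srvKey, err := issue(template("127.0.0.1", 2, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), ca, caKey)
	if err != nil {
		return
	}
	cli, cliKey, err := issue(template("device-client", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, caKey)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverTLS := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	clientTLS := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}

	ln, err := startServer(serverTLS, pool)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()

	withCert, err = exchange(addr, pool, &clientTLS) // real device: holds the client key
	if err != nil {
		return
	}
	_, withoutCertErr = exchange(addr, pool, nil) // trusted proxy without the key
	return
}

func main() {
	reply, proxyErr, err := Demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("with client cert:   ", reply)
	fmt.Println("without client cert:", proxyErr)
}
```

The second connection is instructive because it matches the symptom in the thread: under TLS 1.3 the client's own handshake returns without error, the client can even write its first message, and only the subsequent read fails with the server's alert or a closed connection. Trusting the proxy's CA on the client side, whether by profile or by hooking trust evaluation, changes nothing about this outcome, since the missing piece is the client's private key rather than the client's trust decision.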

philok93 commented 4 years ago

I didn't try hooking the SSL_read() function, but it may be a solution for this problem. I need to do some research first to find the correct functions that do the pinning. At least when I enable SSL Kill Switch it disables pinning for some iCloud requests, but not those we want.