nabla-c0d3 / ssl-kill-switch2

Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.

Does not work on iOS 9.0.1 App Store #8

Closed mskmkt0704 closed 8 years ago

mskmkt0704 commented 9 years ago

I am trying to download an app, then I input my Apple ID. It finally failed at the step: connect to gsa.apple.com

itunesstored is restarted and the log shows that ssl-kill-switch2 is successfully injected into itunesstored on: iPhone 5s / iOS 9.0.1

kings0527 commented 8 years ago

SSLHandshake: Remote host closed connection during handshake (9.0.2 / iPhone 6)

kings0527 commented 8 years ago

https://itunes.apple.com/cn/app/99-rockets/id922871241?mt=8 Complete 200 OK HTTP/1.1 GET Yes application/json; target=itml; charset=UTF-8 /192.168.1.105 itunes.apple.com/221.228.64.212

This remote server can be captured,

but

https://init.itunes.apple.com Failed

SSLHandshake: Remote host closed connection during handshake

HTTP/1.1 CONNECT

No

/192.168.1.105 init.itunes.apple.com/221.228.64.212

this server can't.

Hope4hope commented 8 years ago

For proxying the App Store things are different; please read the README as it has a link to the instructions. And also, make sure you restart the apps after having enabled SSL Kill Switch.

The SSL Kill Switch had a MobileLoader filter so that the code disabling certificate validation would only be loaded into apps linking the UIKit bundle (i.e. applications with a user interface). This was initially done to restrict the effect of the SSL Kill Switch to App Store apps only. However, itunesstored is a daemon that doesn't have a user interface, hence the filter prevented MobileLoader from injecting the SSL Kill Switch into the process.

http://iphonedevwiki.net/index.php/MobileSubstrate#MobileLoader

PS: SOURCE: http://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/

nabla-c0d3 commented 8 years ago

@Hope4hope can you confirm that it works once you've followed the instructions? If yes I will close the issue. Thanks!

kings0527 commented 8 years ago

My filter bundle is "com.apple.UIKit".

It can work successfully.

I guess some Apple servers use the SSL 3.0 protocol and the server checks the client's cert, but the tweak just turns off the client's SSL.

Now I have completed a tweak to capture the App Store.

You can hook SSLRead and SSLWrite.

mskmkt0704 commented 8 years ago

@nabla-c0d3 I fixed it. I parsed itunesstored with IDA; finally I found that AuthKit did the real job for login. So I added com.apple.AuthKit to the filter bundle, then it worked.

nabla-c0d3 commented 8 years ago

@mskmkt0704 Nice! I will add AuthKit to the filter then. Thanks!
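
The MobileLoader filter plist the thread converges on, shown here as an added illustration rather than the project's own file (the file name `SSLKillSwitch2.plist` is an assumption): the filter originally listed only UIKit, which is why a UI-less daemon such as itunesstored was skipped, and the widened `Bundles` array also matches AuthKit so the login path gets the tweak.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- SSLKillSwitch2.plist (assumed name): MobileLoader only injects the dylib into
     processes that link at least one of the bundles listed under Filter/Bundles. -->
<plist version="1.0">
<dict>
  <key>Filter</key>
  <dict>
    <key>Bundles</key>
    <array>
      <!-- Original filter: UI apps only; itunesstored links no UIKit, so it was never hooked. -->
      <string>com.apple.UIKit</string>
      <!-- Added per this issue: the daemon that performs the App Store login links AuthKit. -->
      <string>com.apple.AuthKit</string>
    </array>
  </dict>
</dict>
</plist>
```

Widening the filter enlarges the set of processes whose certificate validation is disabled, so keep the device dedicated to testing and remove the tweak afterwards.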