
Disabling SSL pinning not working on iOS system apps

Open M47H3W opened this issue 7 years ago • 2 comments

The iOS SSL kill switch looks like it's working okay for normal apps, but I cannot seem to get it to work at all for system apps such as iCloud. I am currently trying to inject the SSL kill switch into the Settings app to view the iCloud sign-in process. Objection is able to see and patch some of the calls, but I am unable to view any of the requests. Can anyone help me out or at least point me in the right direction? None of the tutorials I can find dive into iOS's system apps. Many others are interested in App Store traffic, but that doesn't seem to work either.

Charles output: [screenshot, not included here]

iOS version: 11.1.2

Commands executed:

objection -g Settings explore
ios sslpinning disable

Objection output:

com.apple.Preferences on (iPhone: 11.1) [usb] # ios sslpinning disable
Job: 16178bde-d891-4f06-bbce-0435a5000242 - Starting
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Found 18 matches for URLSession:didReceiveChallenge:completionHandler:
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLConnection] Found 5 matches for connection:willSendRequestForAuthenticationChallenge:
[0435a5000242] [ios-ssl-pinning-bypass] Hooking lower level method: SSLSetSessionOption
[0435a5000242] [ios-ssl-pinning-bypass] Hooking lower level method: SSLCreateContext
[0435a5000242] [ios-ssl-pinning-bypass] Hooking lower level method: SSLHandshake
[0435a5000242] [ios-ssl-pinning-bypass] Hooking lower level method: tls_helper_create_peer_trust
Job: 16178bde-d891-4f06-bbce-0435a5000242 - Started
com.apple.Preferences on (iPhone: 11.1) [usb] # [0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<RUILoader: 0x1c0494eb0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<RUILoader: 0x1c0494eb0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<RUILoader: 0x1c0494eb0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<RUILoader: 0x1c0494eb0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AAURLSession: 0x1c0a4a350> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AACertificatePinner: 0x1c401aab0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AAURLSession: 0x1c0a4a350> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AACertificatePinner: 0x1c401aab0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AAURLSession: 0x1c0a4a350> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
[0435a5000242] [ios-ssl-pinning-bypass] [NSURLSession] Got call to -[<AACertificatePinner: 0x1c401aab0> URLSession:didReceiveChallenge:completionHandler:]. Ensuring pinning passes.
com.apple.Preferences on (iPhone: 11.1) [usb] #   

M47H3W, Aug 13 '18 08:08
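One check worth doing before assuming the bypass itself is at fault: find out which hosts the challenge delegates in this process are actually being asked about. The Frida script below is an added example and is not objection's own pinning-bypass script. The selector and the three class names are taken from the objection output above; the event record, the `summarize` helper, the `rpc.exports` name and the log prefix are assumptions of this example. The hooks are only installed when the script runs inside Frida (where `ObjC` is available); the summary helper is plain JavaScript.

```javascript
// Added example (not objection's own bypass script). Frida script: hook the
// delegate selector that objection reported on the classes it found, and
// record which host each TLS challenge is for, so you can tell whether the
// flow you are trying to intercept ever reaches this process.

// Taken from the objection output above.
const DELEGATE_SELECTOR = '- URLSession:didReceiveChallenge:completionHandler:';
const DELEGATE_CLASSES = ['RUILoader', 'AAURLSession', 'AACertificatePinner'];

// Pinning decisions happen on server-trust challenges only.
const SERVER_TRUST = 'NSURLAuthenticationMethodServerTrust';

// Assumed record shape for this example: one entry per observed challenge.
const seen = []; // { cls, host, method }

// Fold recorded challenges into { cls: { host: count } }. Plain JavaScript,
// so it can be checked without a device; by default only server-trust
// challenges are counted.
function summarize(events, onlyServerTrust = true) {
  const out = {};
  for (const e of events) {
    if (onlyServerTrust && e.method !== SERVER_TRUST) continue;
    out[e.cls] = out[e.cls] || {};
    out[e.cls][e.host] = (out[e.cls][e.host] || 0) + 1;
  }
  return out;
}

function installHooks() {
  for (const name of DELEGATE_CLASSES) {
    const cls = ObjC.classes[name];
    const method = cls && cls[DELEGATE_SELECTOR];
    if (!method) {
      console.log(`[challenge-hosts] ${name} does not implement the selector, skipping`);
      continue;
    }
    Interceptor.attach(method.implementation, {
      // args: self, _cmd, session, challenge, completionHandler
      onEnter(args) {
        const challenge = new ObjC.Object(args[3]);
        const space = challenge.protectionSpace();
        const host = space.host().toString();
        const authMethod = space.authenticationMethod().toString();
        seen.push({ cls: name, host, method: authMethod });
        console.log(`[challenge-hosts] ${name} ${authMethod} host=${host}`);
      },
    });
  }
}

// Only meaningful inside Frida on the device; guarded so the summary helper
// can run (and be tested) outside it.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  installHooks();
  rpc.exports = { summary: () => summarize(seen) };
}
```

Load it into the running Settings process with `frida -U -n Settings -l challenge-hosts.js`, drive the iCloud sign-in, then call `summarize(seen)` from the Frida REPL. If the hosts you expect never show up in this process while the delegate hooks keep firing for other hosts, the TLS session you care about is being set up by code that is not running where the bypass was injected, which is the same situation the App Store article quoted later in this thread describes.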

I have not really tested system applications much, so, some reverse engineering will be required for those. That said, objection does not yet hook Trustkit, and adding it as described here may be a step in the right direction.

leonjza, Aug 16 '18 04:08

It's an older article, but might still be relevant: https://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/

I initially thought the issue to be that the strategy used by the SSL Kill Switch to disable certificate validation somehow wasn’t enough to bypass itunesstored’s certificate pinning. However, it turns out that the SSL Kill Switch was just not being injected into the itunesstored process at all, for a couple reasons:

TheDauntless, Aug 23 '18 12:08