Skip to content

Instantly share code, notes, and snippets.

@AkdM
Last active April 13, 2024 00:14
Show Gist options
  • Save AkdM/ba97281aadce98e706925e1887ce2773 to your computer and use it in GitHub Desktop.
Save AkdM/ba97281aadce98e706925e1887ce2773 to your computer and use it in GitHub Desktop.
iOS 14 app TLS decrypt / certificate pinning bypass steps

This is not a tutorial, just a small guide to myself but feel free to get some infos here.

Working on an iPhone 7 running iOS 14.5.1

  1. Jailbreak an iPhone/iPad/whatever

  2. If necessary, you'll need to bypass Jailbreak detection for some apps with tweaks like A-Bypass, Hestia, HideJB, etc.

  3. Get the PID of the app you want to capture traffic from with frida-ps -Ua ( a is for showing running apps only, you can -U to show all running processes instead)

  4. Run a capture traffic tool like tcpdump. I've used the Airtool 2.app app with the Capture iPhone Packet Trace feature. I find it easy to use, but tcpdump -i rvi0 is very much the same thing.

  5. At the same time, run frida with

    frida -U -p PID --codeshare AkdM/ios14-tls-keylogger -o dump.keylog

    Make sure to replace PID with the PID you got in 3. obviously. The codeshare I've created is based on the one from Andy Davies, but with the offset of keylog_callback pointer from iOS 14.x. I found the 0x2b8 offset from the comments of his article, as I am not the best guy to use a disassembler 👀

  6. Once you've played a little bit with the app, you should see some logs, like the following:

    > frida -U -p 5107 --codeshare AkdM/ios14-tls-keylogger -o dump.keylog
         ____
        / _  |   Frida 15.0.14 - A world-class dynamic instrumentation toolkit
       | (_| |
        > _  |   Commands:
       /_/ |_|       help      -> Displays the help system
       . . . .       object?   -> Display information about 'object'
       . . . .       exit/quit -> Exit
       . . . .
       . . . .   More info at https://frida.re/docs/home/
    
    [iPhone::PID::5107]-> CLIENT_RANDOM REDACTEDb14aada3d46499f7a0d19779a5ed8b4fd0a59REDACTED REDACTED2c2ae6e52d09228f40857ee9d669e8b0c5f2b99e1a90218c7fc373740bf19fca4edREDACTED
    CLIENT_RANDOM fff90REDACTEDfa42cc9dece46fb2376cb3df0c24080b9REDACTED 8420f7ec9REDACTEDd669e8b0c5f2b99e1a90218c7fc373REDACTEDe956c1a1b0666593e
    CLIENT_RANDOM 72f2aafc3REDACTED709d18e732372960f183738fREDACTEDad02bc8 800f49REDACTEDe0bc217974e928REDACTEDf8887c2ee70ee34c8c4d7a3bafea945cffe1ab297c2c4
    
  7. Exit with exit or quit. Open up Wireshark, apply dump.keylog into Preferences > Protocols > TLS > (Pre)-Master-Secret log filename of the app, import .pcapng/.pcap and voilà, you'll get Decrypted TLS tab in some packets.

Much based on (thanks to him!) :

https://andydavies.me/blog/2019/12/12/capturing-and-decrypting-https-traffic-from-ios-apps/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment