Inspecting iOS App Traffic with JavaScript@AndyDavies

https://www.flickr.com/photos/marc-flores/8367323660

WHY?

What’s that app doing when you’re not looking?https://www.flickr.com/photos/clover_1/6664943919

rvictl -s 782ea5ddfa242a6efda29adcc4a5bd7bf1ae4c96

From Xcode’s Command Line Tools

UDID of device

(From itunes, idevice_id, system_profiler)

Network interface that mirrors device traffic

tcpdump -i rvi0 -w capture.pcap

Network interface created in previous step

Capture traffic to a file

View captured network packets in wireshark

DEMO

https://www.flickr.com/photos/ironypoisoning/24223737671

But of course… iOS App traffic is all encrypted

Can still see some patterns

But… wouldn’t it be great if we could see the contents?

CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267DDC4B178CBD33EA88CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C20AAEE2593699872CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6EB09007FF905635DD0CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F27DCD485B7C1D44D7CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF766F2D471FDC8A25FFCLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122201E4C20210C25CACLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 E9D8BED60249D0A2A403FFECD4F2B63289B8F7B9FCE89C1D97EB6DE5E40F76860E74963EFF25E905E05B12C60EA5C081

Wireshark can decrypt HTTPS if it has a keylog

CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267DDC4B178CBD33EA88CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C20AAEE2593699872CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6EB09007FF905635DD0CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F27DCD485B7C1D44D7CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF766F2D471FDC8A25FFCLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122201E4C20210C25CACLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 E9D8BED60249D0A2A403FFECD4F2B63289B8F7B9FCE89C1D97EB6DE5E40F76860E74963EFF25E905E05B12C60EA5C081

Wireshark can decrypt HTTPS if it has a keylog

CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267DDC4B178CBD33EA88CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C20AAEE2593699872CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6EB09007FF905635DD0CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F27DCD485B7C1D44D7CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF766F2D471FDC8A25FFCLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122201E4C20210C25CACLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 E9D8BED60249D0A2A403FFECD4F2B63289B8F7B9FCE89C1D97EB6DE5E40F76860E74963EFF25E905E05B12C60EA5C081

Wireshark can decrypt HTTPS if it has a keylog

64 byte hex encoded value from TLS Client

Hello message

CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267DDC4B178CBD33EA88CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C20AAEE2593699872CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6EB09007FF905635DD0CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F27DCD485B7C1D44D7CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF766F2D471FDC8A25FFCLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122201E4C20210C25CACLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 E9D8BED60249D0A2A403FFECD4F2B63289B8F7B9FCE89C1D97EB6DE5E40F76860E74963EFF25E905E05B12C60EA5C081

Wireshark can decrypt HTTPS if it has a keylog

hex encoded secret

So where can we get the values from?

Chrome & Firefox can dump them out

WebPageTest makes it super easy to get them - enable tcpdump in advanced options

But… How do we get them for iOS?

https://www.frida.re/

Inject JavaScript into an App!

App

JavaScript VM

Script

HostInjects script

Receives Messages

Three methods for adding Frida

Use a Jailbroken iPhone Install Frida from Cydia

(available for all apps on device)

Resign someone else’s app, and inject the FridaGadget

(app may need decrypting first)

Add the FridaGadget to your own App

What can we do with it?

DEMO

So… back to App traffic…

http://www.delaat.net/rp/2015-2016/p52/report.pdf

https://opensource.apple.com/source/coreTLS/coreTLS-83.20.8/lib/tls1Callouts.c.auto.html

/* * The TLS pseudorandom function, defined in RFC2246, section 5. * This takes as its input a secret block, a label, and a seed, and produces * a caller-specified length of pseudorandom data. * * Optimization TBD: make label optional, avoid malloc and two copies if it's * not there, so callers can take advantage of fixed-size seeds. */// Note: This is exported as SPI.int tls_handshake_internal_prf(

tls_handshake_t ctx,const void *vsecret,size_t secretLen,const void *label, // optional, NULL implies that seed contains

// the labelsize_t labelLen,const void *seed,size_t seedLen,void *vout, // mallocd by caller, length >= outLensize_t outLen)

{int serr = errSSLInternal;

…

Master Secret

Client & Server Randoms

var hexChar = ["0", "1", "2", "3", "4", "5", "6", "7","8", "9", "A", "B", "C", "D", "E", "F"];

function byteToHex(byte) { return hexChar[(byte >> 4) & 0x0f] + hexChar[byte & 0x0f]; }

var f = Module.findExportByName("libsystem_coretls.dylib", "tls_handshake_internal_prf");

Interceptor.attach(f, {onEnter: function (args) {

var secretLength = parseInt(args[2], 16); var seedLength = parseInt(args[6], 16);

if(secretLength == 48 && (seedLength == 64 || seedLength == 77)) { var secretAddr = new NativePointer(args[1]) var secretBytes = new Uint8Array(Memory.readByteArray(secretAddr, secretLength)); var secret = ""; for(var i = 0; i < secretLength; i++) { secret += byteToHex(secretBytes[i]); }

Find function

Hook function

Extract master secret

var seedLength = parseInt(args[6], 16); var seedAddr = new NativePointer(args[5]); var seedBytes = new Uint8Array(Memory.readByteArray(seedAddr, seedLength));

var clientRandom = ""; var serverRandom = ""; if(seedLength == 64) { for(i = 0; i < 32; i++) { clientRandom += byteToHex(seedBytes[i]); } for( ; i < 64; i++) { serverRandom += byteToHex(seedBytes[i]); } } else if(seedLength == 77) { // key expansion

var offset = 13;

for(i = offset; i < 32 + offset; i++) { serverRandom += byteToHex(seedBytes[i]); } for( ; i < 64 + offset; i++) { clientRandom += byteToHex(seedBytes[i]); } }

Extract client and server randoms

if(clientRandom !== "") { send("CLIENT_RANDOM "+ clientRandom + " " + secret); } } }

});

Send it to the host

DEMO

So what did I learn?

★ Just like on the web… sometimes we forget to

Compress JSON responses

Reuse connections

Optimise images

And a whole bunch of other things

Areas that need more work

★ TLS Session Resumption

★ Safari

★ iOS 11

★ Transforming the packet captures into something that’s

easy for any developer to understand

Thank You@AndyDavies