SlideShare a Scribd company logo

Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018

Andy Davies, profile picture
Andy Davies

This document discusses inspecting iOS app traffic with JavaScript by injecting scripts using Frida. It demonstrates capturing encrypted network traffic from an iOS app, extracting the TLS master secret and client/server randoms using a Frida script, and sending these values to the host computer to allow decrypting the traffic with Wireshark. The key steps are: using Frida to inject a script into an app, hooking the TLS PRF function to extract secret values, and sending these to the host to decrypt the HTTPS traffic in Wireshark. With these techniques, patterns in encrypted app traffic can be observed.

Technology
Related topics:
Reverse Engineering
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Most read
25
Most read
26
Most read
27
28
29
30
31
32
Inspecting iOS App Traffic with JavaScript @AndyDavies https://www.flickr.com/photos/marc-flores/8367323660
WHY?
What’s that app doing when you’re not looking? https://www.flickr.com/photos/clover_1/6664943919
rvictl -s 782ea5ddfa242a6efda29adcc4a5bd7bf1ae4c96 From Xcode’s Command Line Tools UDID of device (From itunes, idevice_id, system_profiler) Network interface that mirrors device traffic
tcpdump -i rvi0 -w capture.pcap Network interface created in previous step Capture traffic to a file
View captured network packets in wireshark
DEMO
https://www.flickr.com/photos/ironypoisoning/24223737671 But of course… iOS App traffic is all encrypted
Can still see some patterns
But… wouldn’t it be great if we could see the contents?
CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog
CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog
CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog 64 byte hex encoded value from TLS Client Hello message
CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836 84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D DC4B178CBD33EA88 CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2 0AAEE2593699872 CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F 4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E B09007FF905635DD0 CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722 3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F 27DCD485B7C1D44D7 CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9 4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7 66F2D471FDC8A25FF CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69 962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122 201E4C20210C25CA CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6 Wireshark can decrypt HTTPS if it has a keylog hex encoded secret
So where can we get the values from?
Chrome & Firefox can dump them out WebPageTest makes it super easy to get them - enable tcpdump in advanced options
But… How do we get them for iOS?
https://www.frida.re/
Inject JavaScript into an App! App JavaScript VM Script Host Injects script Receives Messages
Three methods for adding Frida Use a Jailbroken iPhone Install Frida from Cydia (available for all apps on device) Resign someone else’s app, and inject the FridaGadget (app may need decrypting first) Add the FridaGadget to your own App
What can we do with it?
DEMO
So… back to App traffic…
http://www.delaat.net/rp/2015-2016/p52/report.pdf
https://opensource.apple.com/source/coreTLS/coreTLS-83.20.8/lib/tls1Callouts.c.auto.html /* * The TLS pseudorandom function, defined in RFC2246, section 5. * This takes as its input a secret block, a label, and a seed, and produces * a caller-specified length of pseudorandom data. * * Optimization TBD: make label optional, avoid malloc and two copies if it's * not there, so callers can take advantage of fixed-size seeds. */ // Note: This is exported as SPI. int tls_handshake_internal_prf( tls_handshake_t ctx, const void *vsecret, size_t secretLen, const void *label, // optional, NULL implies that seed contains // the label size_t labelLen, const void *seed, size_t seedLen, void *vout, // mallocd by caller, length >= outLen size_t outLen) { int serr = errSSLInternal; … Master Secret Client & Server Randoms
var hexChar = ["0", "1", "2", "3", "4", "5", "6", "7","8", "9", "A", "B", "C", "D", "E", "F"]; function byteToHex(byte) { return hexChar[(byte >> 4) & 0x0f] + hexChar[byte & 0x0f]; } var f = Module.findExportByName("libsystem_coretls.dylib", "tls_handshake_internal_prf"); Interceptor.attach(f, {onEnter: function (args) { var secretLength = parseInt(args[2], 16); var seedLength = parseInt(args[6], 16); if(secretLength == 48 && (seedLength == 64 || seedLength == 77)) { var secretAddr = new NativePointer(args[1]) var secretBytes = new Uint8Array(Memory.readByteArray(secretAddr, secretLength)); var secret = ""; for(var i = 0; i < secretLength; i++) { secret += byteToHex(secretBytes[i]); } Find function Hook function Extract master secret
var seedLength = parseInt(args[6], 16); var seedAddr = new NativePointer(args[5]); var seedBytes = new Uint8Array(Memory.readByteArray(seedAddr, seedLength)); var clientRandom = ""; var serverRandom = ""; if(seedLength == 64) { for(i = 0; i < 32; i++) { clientRandom += byteToHex(seedBytes[i]); } for( ; i < 64; i++) { serverRandom += byteToHex(seedBytes[i]); } } else if(seedLength == 77) { // key expansion var offset = 13; for(i = offset; i < 32 + offset; i++) { serverRandom += byteToHex(seedBytes[i]); } for( ; i < 64 + offset; i++) { clientRandom += byteToHex(seedBytes[i]); } } Extract client and server randoms
if(clientRandom !== "") { send("CLIENT_RANDOM "+ clientRandom + " " + secret); } } } }); Send it to the host
DEMO
So what did I learn? ★ Just like on the web… sometimes we forget to Compress JSON responses Reuse connections Optimise images And a whole bunch of other things
Areas that need more work ★ TLS Session Resumption ★ Safari ★ iOS 11 ★ Transforming the packet captures into something that’s easy for any developer to understand
Thank You @AndyDavies

More Related Content

PDF
Cours-Management-des-organisations.pdf
FootballLovers9
 
PPTX
Méthodologie d’élaboration du SROS maroc
Jamal Ti
 
PPTX
La gestion des biens meubles de l’etat
AZOUZ HASNAOUI
 
PPSX
schéma regional de l'offre de soins
mohamed elmarnissi
 
PDF
Ci interpersonnelle
Riadh HAJJI
 
DOC
Rapport de-stage-axa
Naoufal Meknasy
 
PDF
Mtp management des organisations ista
mahmoud achrit
 
PDF
Droit s3 : Téléchargeable sur www.coursdefsjes.com
cours fsjes
 
Cours-Management-des-organisations.pdf
FootballLovers9
 
Méthodologie d’élaboration du SROS maroc
Jamal Ti
 
La gestion des biens meubles de l’etat
AZOUZ HASNAOUI
 
schéma regional de l'offre de soins
mohamed elmarnissi
 
Ci interpersonnelle
Riadh HAJJI
 
Rapport de-stage-axa
Naoufal Meknasy
 
Mtp management des organisations ista
mahmoud achrit
 
Droit s3 : Téléchargeable sur www.coursdefsjes.com
cours fsjes
 

Similar to Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018 (20)

PPTX
iOS Application Exploitation
Positive Hack Days
 
PPT
iOS Application Pentesting
n|u - The Open Security Community
 
PPTX
Pentesting iOS Applications
jasonhaddix
 
PPT
iOS Application Penetration Testing for Beginners
RyanISI
 
PDF
Evaluating iOS Applications
iphonepentest
 
PDF
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
Cyber Security Alliance
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PPTX
Hacking & Securing of iOS Apps by Saurabh Mishra
OWASP Delhi
 
PDF
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
PDF
iOS Application Security
Egor Tolstoy
 
PDF
Pentesting iOS Apps
Herman Duarte
 
PPTX
Pentesting iPhone applications
Satish b
 
PPTX
iOS application (in)security
iphonepentest
 
PDF
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
PPT
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
PROIDEA
 
PPT
iOS Hacking: Advanced Pentest & Forensic Techniques
Ömer Coşkun
 
PDF
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
PPT
iOS Client Side Analysis
Aadarsh N
 
iOS Application Exploitation
Positive Hack Days
 
iOS Application Pentesting
n|u - The Open Security Community
 
Pentesting iOS Applications
jasonhaddix
 
iOS Application Penetration Testing for Beginners
RyanISI
 
Evaluating iOS Applications
iphonepentest
 
ASFWS 2012 - Audit d’applications iOS par Julien Bachmann
Cyber Security Alliance
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
Hacking & Securing of iOS Apps by Saurabh Mishra
OWASP Delhi
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
iOS Application Security
Egor Tolstoy
 
Pentesting iOS Apps
Herman Duarte
 
Pentesting iPhone applications
Satish b
 
iOS application (in)security
iphonepentest
 
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
PROIDEA
 
iOS Hacking: Advanced Pentest & Forensic Techniques
Ömer Coşkun
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
eightbit
 
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
iOS Client Side Analysis
Aadarsh N
 
Ad

More from Andy Davies (20)

PDF
Fast Fashion… How Missguided revolutionised their approach to site performanc...
Andy Davies
 
PDF
Fast Fashion… How Missguided revolutionised their approach to site performanc...
Andy Davies
 
PDF
AB Testing, Ads and other 3rd party tags - London WebPerf - March 2018
Andy Davies
 
PDF
AB Testing, Ads and other 3rd party tags - SmashingConf London - 2018
Andy Davies
 
PDF
Selling Performance - Bristol WebPerf Meetup 2017-07-20
Andy Davies
 
PDF
Speed: The 'Forgotten' Conversion Factor
Andy Davies
 
PDF
Building an Appier Web - London Web Standards - Nov 2016
Andy Davies
 
PDF
Building an Appier Web - Velocity Amsterdam 2016
Andy Davies
 
PDF
The Case for HTTP/2 - GreeceJS - June 2016
Andy Davies
 
PDF
Building an Appier Web - May 2016
Andy Davies
 
PDF
The Fast, The Slow and The Unconverted - Emerce Conversion 2016
Andy Davies
 
PDF
The Case for HTTP/2 - Internetdagarna 2015 - Stockholm
Andy Davies
 
PDF
Making Mobile Sites Faster
Andy Davies
 
PDF
The Case for HTTP/2 - EpicFEL Sept 2015
Andy Davies
 
PDF
Speed matters, So why is your site so slow?
Andy Davies
 
PDF
The Case for HTTP/2
Andy Davies
 
PDF
HTTP2 is Here!
Andy Davies
 
PDF
Speed Matters!
Andy Davies
 
PDF
Speed is Essential for a Great Web Experience
Andy Davies
 
PDF
The web is too slow
Andy Davies
 
Fast Fashion… How Missguided revolutionised their approach to site performanc...
Andy Davies
 
Fast Fashion… How Missguided revolutionised their approach to site performanc...
Andy Davies
 
AB Testing, Ads and other 3rd party tags - London WebPerf - March 2018
Andy Davies
 
AB Testing, Ads and other 3rd party tags - SmashingConf London - 2018
Andy Davies
 
Selling Performance - Bristol WebPerf Meetup 2017-07-20
Andy Davies
 
Speed: The 'Forgotten' Conversion Factor
Andy Davies
 
Building an Appier Web - London Web Standards - Nov 2016
Andy Davies
 
Building an Appier Web - Velocity Amsterdam 2016
Andy Davies
 
The Case for HTTP/2 - GreeceJS - June 2016
Andy Davies
 
Building an Appier Web - May 2016
Andy Davies
 
The Fast, The Slow and The Unconverted - Emerce Conversion 2016
Andy Davies
 
The Case for HTTP/2 - Internetdagarna 2015 - Stockholm
Andy Davies
 
Making Mobile Sites Faster
Andy Davies
 
The Case for HTTP/2 - EpicFEL Sept 2015
Andy Davies
 
Speed matters, So why is your site so slow?
Andy Davies
 
The Case for HTTP/2
Andy Davies
 
HTTP2 is Here!
Andy Davies
 
Speed Matters!
Andy Davies
 
Speed is Essential for a Great Web Experience
Andy Davies
 
The web is too slow
Andy Davies
 
Ad

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Encapsulation theory and applications.pdf
gurumoop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 

Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018