Bypassing OpenSSL Certificate Pinning in iOS Apps

Bypassing OpenSSL Certificate Pinning in iOS Apps(chargen.matasano.com)

32 points by silenteh 11 years ago | 13 comments

sjtgraham 11 years ago |

I don't even attempt to circumvent SSL pinning. IMO it's easier and safer to use Cydia substrate to decorate the networking classes to print args and return values to the console. I've reversed a few APIs in this way, including a bank's.

jerematasno 11 years ago | |

Note that the associated whitepaper discusses using Cydia -- specifically cycript -- to do the same thing.

dmayer 11 years ago | | |

Yes, often times that can be sufficient. If you just want to study the protocol or build a custom client. Often times one would like to modify messages of the protocol in order to find flaws in either the server or the client and the ability to man-in-the-middle the protocol makes that easier, in my opinion.

For completeness, the whitepaper is here: http://matasano.com/research/bypassing_openssl_pinning.pdf

jerematasno 11 years ago | | |

(Modifying the binary is much more fun to blog about, though.)

alimoeeny 11 years ago | | |

jerematasno thanks for mentioning cycript. I didn't know about it. Just watched Saurik's intro video. Very fascinating.

jrochkind1 11 years ago |

> From a penetration testing perspective, this may cause practical problems

I was super confused what they were talking about, until I remembered that "penetration testing" really just means "penetration", not "testing", it's just a euphemism for "attacking". I think?

dmayer 11 years ago | |

Yea, I think a better term would be application security assessment where one tests the application for security flaws. Penetration testing stems originally from network security where one actually tries to penetrate a network. It's not a great term for software, I agree.

bartbes 11 years ago | | |

I think the intent here is to decrypt and then reverse engineer the network traffic, so they can then check for vulnerabilities server-side. So they aren't auditing the application, they're just trying to find a way in.

wglb 11 years ago | |

Penetration testing is what security folks do to measure the insecurity of networks or application software or device security. It is a standard term in the industry.

mwcampbell 11 years ago |

Wouldn't it be much harder to patch the binary if it were stripped? Is it not common to strip release builds of iOS apps?

dmayer 11 years ago | |

(Disclaimer: I'm the author of the blog post)

I think, there is two things to that.

First, for dynamic C/C++ libraries like OpenSSL, some degree of symbols have to be maintained in order to relocate the library and find the entry point to the corresponding function.

Second, Objective-C is a dynamic language and as such the binary will always include the Objective-C method names. The reason is that they are resolved at runtime (via so-called "selectors"). In fact, Objective-C doesn't technically call methods but they use a message passing system. So if you pull any app from the app store, you can determine all classes, methods, and mostly arguments of the methods.