Bypassing OpenSSL Certificate Pinning in iOS Apps

chargen.matasano.com

32 points by silenteh 11 years ago · 14 comments

sjtgraham 11 years ago

I don't even attempt to circumvent SSL pinning. IMO it's easier and safer to use Cydia substrate to decorate the networking classes to print args and return values to the console. I've reversed a few APIs in this way, including a bank's.

  • jerematasno 11 years ago

    Note that the associated whitepaper discusses using Cydia -- specifically cycript -- to do the same thing.

    • dmayer 11 years ago

      Yes, oftentimes that can be sufficient if you just want to study the protocol or build a custom client. Often one would like to modify messages of the protocol in order to find flaws in either the server or the client, and the ability to man-in-the-middle the protocol makes that easier, in my opinion.

      For completeness, the whitepaper is here: http://matasano.com/research/bypassing_openssl_pinning.pdf

    • jerematasno 11 years ago

      (Modifying the binary is much more fun to blog about, though.)

    • alimoeeny 11 years ago

      jerematasno thanks for mentioning cycript. I didn't know about it. Just watched Saurik's intro video. Very fascinating.

jrochkind1 11 years ago

> From a penetration testing perspective, this may cause practical problems

I was super confused what they were talking about, until I remembered that "penetration testing" really just means "penetration", not "testing", it's just a euphemism for "attacking". I think?

  • dmayer 11 years ago

    Yea, I think a better term would be application security assessment where one tests the application for security flaws. Penetration testing stems originally from network security where one actually tries to penetrate a network. It's not a great term for software, I agree.

    • bartbes 11 years ago

      I think the intent here is to decrypt and then reverse engineer the network traffic, so they can then check for vulnerabilities server-side. So they aren't auditing the application, they're just trying to find a way in.

      • wglb 11 years ago

        (You are replying to the author of the article, possibly intending to reply to the parent.)

        This is part of auditing an application. Finding a way in is only one step of the process.

  • wglb 11 years ago

    Penetration testing is what security folks do to measure the insecurity of networks or application software or device security. It is a standard term in the industry.

mwcampbell 11 years ago

Wouldn't it be much harder to patch the binary if it were stripped? Is it not common to strip release builds of iOS apps?

  • dmayer 11 years ago

    (Disclaimer: I'm the author of the blog post)

    I think there are two things to that.

    First, for dynamic C/C++ libraries like OpenSSL, some degree of symbols have to be maintained in order to relocate the library and find the entry point to the corresponding function.

    Second, Objective-C is a dynamic language and as such the binary will always include the Objective-C method names. The reason is that they are resolved at runtime (via so-called "selectors"). In fact, Objective-C doesn't technically call methods; it uses a message passing system. So if you pull any app from the app store, you can determine all classes, methods, and mostly arguments of the methods.
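The point above (selector names survive stripping because the runtime needs them) can be checked on any release build. The script below is an added example, not code from the blog post or the whitepaper: it walks the Mach-O load commands, finds the `__objc_methname` section and lists the NUL-separated selector strings stored there, which is the same data a class-dump style tool reads. Because a real app binary cannot be embedded here, `build_sample_macho` constructs a minimal 64-bit Mach-O image with one `__TEXT` segment and one `__objc_methname` section; the selector names in `SAMPLE_SELECTORS` are made up for the demonstration. `selectors_mentioning` is a small helper for the defender's side of this: grepping your own shipped binary for method names that reveal more about pinning or credential handling than you intended.

```python
import struct
import sys

# Mach-O constants (64-bit, little-endian) from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
MH_HEADER_SIZE = 32      # sizeof(struct mach_header_64)
SEGMENT_CMD_SIZE = 72    # sizeof(struct segment_command_64)
SECTION_SIZE = 80        # sizeof(struct section_64)

# Constructed selector names for the demo image (not from any real app).
SAMPLE_SELECTORS = [
    "init",
    "dealloc",
    "setPinnedCertificates:",
    "connection:willSendRequestForAuthenticationChallenge:",
    "loginWithUsername:password:",
]


def objc_selectors(data: bytes) -> list:
    """Return every selector string stored in the __objc_methname section.

    Strip removes the symbol table, but this section is what objc_msgSend
    resolves selectors against at runtime, so it is still present.
    """
    fields = struct.unpack_from("<8I", data, 0)
    magic, ncmds = fields[0], fields[4]
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    selectors = []
    offset = MH_HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmd == LC_SEGMENT_64:
            # nsects lives at byte 64 of segment_command_64
            nsects = struct.unpack_from("<I", data, offset + 64)[0]
            sect = offset + SEGMENT_CMD_SIZE
            for _ in range(nsects):
                sectname = data[sect:sect + 16].rstrip(b"\0").decode("ascii")
                size = struct.unpack_from("<Q", data, sect + 40)[0]   # section_64.size
                fileoff = struct.unpack_from("<I", data, sect + 48)[0]  # section_64.offset
                if sectname == "__objc_methname":
                    blob = data[fileoff:fileoff + size]
                    selectors.extend(s.decode("utf-8") for s in blob.split(b"\0") if s)
                sect += SECTION_SIZE
        offset += cmdsize
    return selectors


def selectors_mentioning(selectors, keywords) -> list:
    """Case-insensitive filter: selectors whose names contain any keyword."""
    lowered = [k.lower() for k in keywords]
    return [s for s in selectors if any(k in s.lower() for k in lowered)]


def build_sample_macho(selectors) -> bytes:
    """Construct a minimal Mach-O image: header, one __TEXT segment,
    one __objc_methname section holding NUL-terminated selector strings."""
    blob = b"".join(s.encode("utf-8") + b"\0" for s in selectors)
    data_off = MH_HEADER_SIZE + SEGMENT_CMD_SIZE + SECTION_SIZE
    sizeofcmds = SEGMENT_CMD_SIZE + SECTION_SIZE
    # mach_header_64: magic, cputype (ARM64), cpusubtype, filetype (MH_EXECUTE),
    # ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, sizeofcmds, 0, 0)
    # segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff,
    # filesize, maxprot, initprot, nsects, flags
    segment = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, sizeofcmds, b"__TEXT",
                          0, 0, 0, data_off + len(blob), 7, 5, 1, 0)
    # section_64: sectname, segname, addr, size, offset, align, reloff, nreloc,
    # flags (S_CSTRING_LITERALS), reserved1..3
    section = struct.pack("<16s16s2Q8I", b"__objc_methname", b"__TEXT",
                          0, len(blob), data_off, 0, 0, 0, 0x2, 0, 0, 0)
    return header + segment + section + blob


if __name__ == "__main__":
    # Usage: python objc_methnames.py [path/to/thin-arm64-binary]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_macho(SAMPLE_SELECTORS)
    found = objc_selectors(image)
    print(f"{len(found)} selectors in __objc_methname")
    for name in selectors_mentioning(found, ["pinned", "password", "cert"]):
        print("  review:", name)
```

The parser assumes a thin (single-architecture) 64-bit image; a fat binary from the App Store would first need the arm64 slice cut out, and the load-command walk above does not handle that case.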
