Decrypting iOS app traffic with Wireshark and TLS secrets extracted using Frida

1. Inspecting iOS App Traffic with JavaScript
@AndyDavies
https://www.flickr.com/photos/marc-flores/8367323660

2. WHY?

3. What’s that app doing when you’re not looking?
https://www.flickr.com/photos/clover_1/6664943919

4. rvictl -s 782ea5ddfa242a6efda29adcc4a5bd7bf1ae4c96
From Xcode’s
Command Line Tools
UDID of device
(From itunes, idevice_id, system_profiler)
Network interface that mirrors device traffic

5. tcpdump -i rvi0 -w capture.pcap
Network interface
created in previous step
Capture traffic to a file

6. View captured network packets in wireshark

7. DEMO

8. https://www.flickr.com/photos/ironypoisoning/24223737671
But of course… iOS App traffic is all encrypted

9. Can still see some patterns

10. But… wouldn’t it be great if we could
see the contents?

11. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836
84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D
DC4B178CBD33EA88
CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F
D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2
0AAEE2593699872
CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F
4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E
B09007FF905635DD0
CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722
3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F
27DCD485B7C1D44D7
CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9
4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7
66F2D471FDC8A25FF
CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69
962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122
201E4C20210C25CA
CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6
Wireshark can decrypt HTTPS if it has a keylog

12. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836
84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D
DC4B178CBD33EA88
CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F
D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2
0AAEE2593699872
CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F
4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E
B09007FF905635DD0
CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722
3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F
27DCD485B7C1D44D7
CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9
4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7
66F2D471FDC8A25FF
CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69
962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122
201E4C20210C25CA
CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6
Wireshark can decrypt HTTPS if it has a keylog

13. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836
84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D
DC4B178CBD33EA88
CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F
D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2
0AAEE2593699872
CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F
4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E
B09007FF905635DD0
CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722
3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F
27DCD485B7C1D44D7
CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9
4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7
66F2D471FDC8A25FF
CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69
962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122
201E4C20210C25CA
CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6
Wireshark can decrypt HTTPS if it has a keylog
64 byte hex encoded
value from TLS Client
Hello message

14. CLIENT_RANDOM 5A26BB7043754E31B99DE6ED1EC91807A6BAC4F0C89F80670CE997A7B5191836
84E270AEA7ACFC90009211F6B76541E900FF89474AD33DBB47B3514C7E3669CF60144DB00737267D
DC4B178CBD33EA88
CLIENT_RANDOM 5A26BB708B7A2A44500FCDCA7518F4C91BC193DE4524EAA7A63CCE30F145087F
D7BB97615F58BFB256E3646D0F65F712E40A0164C21959013F99A650F22222D6D39A8EA2A4F6424C2
0AAEE2593699872
CLIENT_RANDOM 5A26BB700E74CC1AAA8884835511159BC8301FC3D55F4264CDE1D3A05985E83F
4DE8143DD8A22A44B0595166DFFE0C3FFB7D57AB5A7FAE1D08D4CB4887F88B0B896E42ECB306E6E
B09007FF905635DD0
CLIENT_RANDOM 5A26BB701C3AD8998E34F73588E8A8C8688D8BCCCDF9D34D731B4E4D63103722
3BC14A702CC48F24CBFDD92382DDC471C80948770DA4FFACFA73D2BFD36D8526256FFFAE637E99F
27DCD485B7C1D44D7
CLIENT_RANDOM 5A26BB709F04A771615ED31FBECA28CACA7D49124DC7962EA22C284A2D8AA8E9
4CA4E41F0E4F435C3A0FFCC7F69F0F8DA57E00F409B4335EF2CEEBEDD1C693A53B7DA16EFC31FF7
66F2D471FDC8A25FF
CLIENT_RANDOM 5A26BB70EAA450CF1272E2F3BFF09C367AF0E1DF533DACEAE839599BE3DBFE69
962756AE63ABD2DEE050BC72F27B1DF14DF85C59208B4AD159714F0C41D1801EE0A7B12C220FE122
201E4C20210C25CA
CLIENT_RANDOM 5A26BB70A14A1C2FE650117E6D83BAB3060531E363A99C299437B4D7D9C3A3D6
Wireshark can decrypt HTTPS if it has a keylog
hex encoded secret

15. So where can we get the values from?

16. Chrome & Firefox can dump them out
WebPageTest makes it super easy to get them -
enable tcpdump in advanced options

17. But… How do we get them for iOS?

18. https://www.frida.re/

19. Inject JavaScript into an App!
App
JavaScript VM
Script
Host
Injects script
Receives Messages

20. Three methods for adding Frida
Use a Jailbroken iPhone Install
Frida from Cydia
(available for all apps on device)
Resign someone else’s app, and
inject the FridaGadget
(app may need decrypting first)
Add the FridaGadget to your own
App

21. What can we do with it?

22. DEMO

23. So… back to App traffic…

24. http://www.delaat.net/rp/2015-2016/p52/report.pdf

25. https://opensource.apple.com/source/coreTLS/coreTLS-83.20.8/lib/tls1Callouts.c.auto.html
/*
* The TLS pseudorandom function, defined in RFC2246, section 5.
* This takes as its input a secret block, a label, and a seed, and produces
* a caller-specified length of pseudorandom data.
*
* Optimization TBD: make label optional, avoid malloc and two copies if it's
* not there, so callers can take advantage of fixed-size seeds.
*/
// Note: This is exported as SPI.
int tls_handshake_internal_prf(
tls_handshake_t ctx,
const void *vsecret,
size_t secretLen,
const void *label, // optional, NULL implies that seed contains
// the label
size_t labelLen,
const void *seed,
size_t seedLen,
void *vout, // mallocd by caller, length >= outLen
size_t outLen)
{
int serr = errSSLInternal;
…
Master Secret
Client & Server
Randoms

26. var hexChar = ["0", "1", "2", "3", "4", "5", "6", "7","8", "9", "A", "B", "C", "D", "E", "F"];
function byteToHex(byte) {
return hexChar[(byte >> 4) & 0x0f] + hexChar[byte & 0x0f];
}
var f = Module.findExportByName("libsystem_coretls.dylib", "tls_handshake_internal_prf");
Interceptor.attach(f, {onEnter: function (args) {
var secretLength = parseInt(args[2], 16);
var seedLength = parseInt(args[6], 16);
if(secretLength == 48 && (seedLength == 64 || seedLength == 77)) {
var secretAddr = new NativePointer(args[1])
var secretBytes = new Uint8Array(Memory.readByteArray(secretAddr, secretLength));
var secret = "";
for(var i = 0; i < secretLength; i++) {
secret += byteToHex(secretBytes[i]);
}
Find function
Hook function
Extract master secret

27. var seedLength = parseInt(args[6], 16);
var seedAddr = new NativePointer(args[5]);
var seedBytes = new Uint8Array(Memory.readByteArray(seedAddr, seedLength));
var clientRandom = "";
var serverRandom = "";
if(seedLength == 64) {
for(i = 0; i < 32; i++) {
clientRandom += byteToHex(seedBytes[i]);
}
for( ; i < 64; i++) {
serverRandom += byteToHex(seedBytes[i]);
}
}
else if(seedLength == 77) { // key expansion
var offset = 13;
for(i = offset; i < 32 + offset; i++) {
serverRandom += byteToHex(seedBytes[i]);
}
for( ; i < 64 + offset; i++) {
clientRandom += byteToHex(seedBytes[i]);
}
}
Extract client and
server randoms

28. if(clientRandom !== "") {
send("CLIENT_RANDOM "+ clientRandom + " " + secret);
}
}
}
});
Send it to the host

29. DEMO

30. So what did I learn?
★ Just like on the web… sometimes we forget to
Compress JSON responses
Reuse connections
Optimise images
And a whole bunch of other things

31. Areas that need more work
★ TLS Session Resumption
★ Safari
★ iOS 11
★ Transforming the packet captures into something that’s
easy for any developer to understand

32. Thank You
@AndyDavies