Scorched Earth — How to REALLY Disable Certificate Verification on iOS
Some days, you are just going about your life, happily reversing and tearing apart software, which developers spent hundreds of hours to build, when certificate pinning happens. Certificate pinning, in my opinion, is generally a good thing. It just isn’t good when I want to MiTM your traffic. I am used to my easy life of installing a CA certificate or two from my tools, such as Mallory and Burp, and going about my business.
I caught some MiTM failing in my most recent assessment and thought to myself, no problem. I will go grab ios-ssl-kill-switch, and everything will be ok, even with this application’s certificate pinning. Alas, this is where our tale takes a turn for the dark and unseemly. This application was not using NSURLConnection, which ios-ssl-kill-switch knows how to defeat. Using some data gathered from the logs, and my knowledge of iOS security guts, I identified one function, SecTrustEvaluate, that I thought was responsible for all of the certificate trust decisions in my application. I spent some time in IDA verifying these assumptions. I was reasonably convinced that hooking SecTrustEvaluate would solve my problem. As it turns out, SecTrustEvaluate is used, well, everywhere in OS X and iOS. Most Apple components that verify a certificate chain rely on this function as the entry point to the code that verifies the certificate chain.
Happily, SecTrustEvaluate is a simple C function that returns a simple integer result and modifies the value of one pointer. I thought, I can write a MUCH better version of SecTrustEvaluate!
Enter MobileSubstrate. MobileSubstrate is installed along with Cydia. MobileSubstrate, using DYLD_INSERT_LIBRARIES (which is like LD_PRELOAD), allows you to use a couple of handy functions to hook virtually any C function or Objective-C method in applications on an iOS device. MobileSubstrate requires a simple dynamic library with a few bits of the right code. These libraries are often called “Tweaks”, as they originally focused on SpringBoard, the equivalent of the Explorer shell in Windows. However, it is a general-purpose function and message hooking facility that works system wide.
I decided to name my Tweak trustme. You can visit our Github project for more details on its construction, downloads, and to see how it works under the hood. The code is quite small. The result is quite big. I patterned the project on ios-ssl-kill-switch. The tweak disables virtually all certificate chain checking. I successfully tested Facebook, MobileSafari and a few other apps with full MiTM running. I successfully tested Burp and Mallory in transparent mode. The beauty of hooking SecTrustEvaluate is that it usually sits much deeper and is ultimately used to resolve most trust decisions on iOS.
Jan 25 09:18:19 HackPhone4 MobileSafari[760]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/trustme.dylib
Jan 25 09:18:19 HackPhone4 MobileSafari[760]: trustme: Loaded
Jan 25 09:18:19 HackPhone4 MobileSafari[760]: trustme: Hooking SecTrustEvaluate
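Since the whole point of hooking SecTrustEvaluate is that every caller gets a forced "trusted" answer, the flip side for an app developer is that the subversion is observable: ask SecTrustEvaluate a question whose honest answer must be "no". The following is an added example, not code from the trustme project or from Apple, of a canary check an app can run at startup. It assumes the app ships its pinned server leaf as a bundle resource named pinned-leaf.der (hypothetical name) and that nothing in that certificate matches the made-up hostname trustme-canary.invalid; both are assumptions, as are the function and constant names. It is written for ARC-compiled Objective-C against Security.framework.

```objective-c
// Added example (not part of trustme): a "canary" trust evaluation.
// We evaluate a certificate the app ships against an SSL server policy for
// a hostname it cannot match. A genuine SecTrustEvaluate must reject this;
// if it reports the chain as trusted, the trust evaluation path has been
// subverted (e.g. by a tweak that hooks SecTrustEvaluate and forces success).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed bundle resource name and a hostname no real certificate carries.
static NSString *const kCanaryCertFile = @"pinned-leaf";            // hypothetical
static NSString *const kCanaryHostname = @"trustme-canary.invalid"; // constructed

// Returns YES when SecTrustEvaluate behaves honestly (the bogus hostname is
// rejected) and NO when evaluation unexpectedly succeeds or cannot be run.
BOOL TrustEvaluationLooksIntact(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:kCanaryCertFile ofType:@"der"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (der == nil) {
        NSLog(@"canary: %@.der not found in bundle", kCanaryCertFile);
        return NO; // fail closed: a missing canary counts as a failed check
    }

    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
    if (cert == NULL) {
        NSLog(@"canary: bundled certificate is not valid DER");
        return NO;
    }

    // SSL server policy for a hostname the certificate cannot satisfy.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)kCanaryHostname);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates(cert, policy, &trust);
    BOOL intact = NO;

    if (status == errSecSuccess && trust != NULL) {
        SecTrustResultType result = kSecTrustResultInvalid;
        status = SecTrustEvaluate(trust, &result);
        // Only Proceed and Unspecified mean "trusted" to callers; everything
        // else (here, a recoverable failure from the name mismatch and the
        // missing anchor) is the answer an un-hooked evaluation must give.
        BOOL trusted = (status == errSecSuccess) &&
                       (result == kSecTrustResultProceed ||
                        result == kSecTrustResultUnspecified);
        if (trusted) {
            NSLog(@"canary: hostname mismatch was accepted; SecTrustEvaluate may be hooked");
        } else {
            intact = YES;
        }
    } else {
        NSLog(@"canary: could not build trust object (status %d)", (int)status);
    }

    if (trust)  CFRelease(trust);
    if (policy) CFRelease(policy);
    CFRelease(cert);
    return intact;
}
```

Call TrustEvaluationLooksIntact() before opening the first pinned connection and treat NO as "this device cannot be relied on to detect a MiTM" (refuse to talk, or at least log it server-side). This raises the bar rather than settling the matter: whoever can load a tweak can also hook the canary, so it is one layer alongside pinning in the app's own code path, not a replacement for it. Note also that Apple deprecated SecTrustEvaluate in iOS 12 in favour of SecTrustEvaluateWithError; newer code paths call that instead, so a hook on SecTrustEvaluate alone no longer covers everything, and a canary for current systems should exercise the newer entry point as well.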
tl;dr — Wrote a MobileSubstrate tweak that hooks SecTrustEvaluate and disables certificate checking almost everywhere. Download trustme via our Github page.
If you have any suggestions for other calls that might belong in trustme, let us know!
Thanks,