SSL Killswitch

Introduction

SSL Killswitch is the collective name used here for techniques (and one specific tweak, SSL Kill Switch 2) that bypass SSL pinning in iOS applications. SSL pinning is a security measure that makes the application accept only servers presenting specific SSL/TLS certificates or public keys, on top of the normal system trust check. For a tester this matters because installing the intercepting proxy's CA certificate on the device is not enough: the system trusts the proxy, but the pinned app still rejects its certificate. Bypassing pinning lets security professionals intercept and analyze the encrypted traffic between the app and the server.

Overview of SSL Pinning

SSL pinning involves embedding the expected certificate, or more commonly a hash of its SubjectPublicKeyInfo, into the application and comparing it against the server's chain after the system has validated that chain. The app then trusts only those specific keys, which defeats Man-in-the-Middle (MitM) attacks even by an attacker holding a certificate from a CA the device trusts, including a user-installed proxy CA. During penetration testing this same mechanism prevents interception of the app's traffic until it is disabled.
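The following Python is an added illustration of the check described above, in the style TrustKit and HPKP use; it is not code from this page, from TrustKit or from Apple. The SubjectPublicKeyInfo byte strings are constructed stand-ins for real DER keys, and the function names are this example's own.

```python
"""SPKI pin check in the TrustKit/HPKP style (added example, constructed inputs)."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by TrustKit, HPKP and most hand-written iOS pinning code:
    'sha256/' + base64(SHA-256 over the DER SubjectPublicKeyInfo)."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_is_pinned(chain_spkis, pinned_set) -> bool:
    """Pins are checked AFTER normal chain validation: the handshake passes if any
    certificate in the validated chain (leaf, intermediate or root) carries a
    pinned key. Pinning the issuing CA plus an offline backup key survives
    routine leaf rotation without an app update."""
    return any(spki_pin(spki) in pinned_set for spki in chain_spkis)


def always_trust(chain_spkis, pinned_set) -> bool:
    """What every 'SSL killswitch' amounts to: the real comparison is replaced
    (Frida hook, tweak or patched branch) so that every chain 'matches'."""
    return True


# Constructed SubjectPublicKeyInfo stand-ins (a real RSA-2048 SPKI is ~294 DER bytes).
SERVER_LEAF_SPKI = b"\x30\x82\x01\x22" + b"api.example.com leaf key".ljust(40, b"\x00")
SERVER_CA_SPKI = b"\x30\x82\x01\x22" + b"example issuing CA key".ljust(40, b"\x00")
BACKUP_SPKI = b"\x30\x82\x01\x22" + b"offline backup key".ljust(40, b"\x00")
PROXY_LEAF_SPKI = b"\x30\x82\x01\x22" + b"Burp-generated leaf for api".ljust(40, b"\x00")
PROXY_CA_SPKI = b"\x30\x82\x01\x22" + b"proxy CA installed on device".ljust(40, b"\x00")

# What the app ships with: issuer pin plus backup pin, never only the leaf.
PINNED = {spki_pin(SERVER_CA_SPKI), spki_pin(BACKUP_SPKI)}

SERVER_CHAIN = [SERVER_LEAF_SPKI, SERVER_CA_SPKI]
PROXY_CHAIN = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]   # trusted by iOS, but no pinned key


def handshake(chain_spkis, check=chain_is_pinned) -> bool:
    """Simulates the app's auth-challenge handler: system validation already passed,
    now the pin check decides."""
    return check(chain_spkis, PINNED)


if __name__ == "__main__":
    print("real server:", handshake(SERVER_CHAIN))                 # True
    print("proxy chain:", handshake(PROXY_CHAIN))                  # False: pinned app refuses
    print("proxy chain, killswitch:", handshake(PROXY_CHAIN, always_trust))  # True
```

The proxy chain fails even though the device trusts the proxy CA, which is exactly why the tools below exist: each of them replaces the equivalent of `chain_is_pinned` with the equivalent of `always_trust` inside the running app.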

SSL Killswitch Techniques

1. Using Frida

Frida is a dynamic instrumentation toolkit that allows you to modify the behavior of applications at runtime. It can be used to bypass SSL pinning by injecting scripts that alter the app’s SSL/TLS handling.

Setup

  1. Install Frida:

    • Install Frida on your host machine:

      pip install frida-tools
  2. Install Frida on iOS Device:

    • On a jailbroken device, add the Frida repository (https://build.frida.re) in Cydia/Sileo and install the Frida package, or copy the frida-server binary over SSH and run it as root. The device-side version must match the host's frida-tools version (compare frida --version on both), otherwise the client cannot attach.

  3. Create Frida Script:

    • Write a Frida script to bypass SSL pinning. The example below targets iOS (the original page carried an Android javax.net.ssl.TrustManager hook here, which does nothing on iOS). It forces Security.framework's trust evaluation to succeed, which defeats pinning built on SecTrustEvaluate / SecTrustEvaluateWithError but not apps that compare the public key themselves in their NSURLSession delegate or use a third-party TLS stack:

      // iOS: make Security.framework report every chain as trusted.
      var evalWithError = Module.findExportByName('Security', 'SecTrustEvaluateWithError');
      Interceptor.replace(evalWithError, new NativeCallback(function (trust, error) {
          console.log('Bypassing SSL Pinning (SecTrustEvaluateWithError)');
          return 1;               // true: chain accepted
      }, 'bool', ['pointer', 'pointer']));
      var evalLegacy = Module.findExportByName('Security', 'SecTrustEvaluate');
      Interceptor.replace(evalLegacy, new NativeCallback(function (trust, result) {
          result.writeU32(1);     // kSecTrustResultProceed
          return 0;               // errSecSuccess
      }, 'int', ['pointer', 'pointer']));
  4. Run Frida Script:

    • Attach Frida to the running app and load the script, or spawn the app by bundle ID so the hooks are in place before the first TLS connection (pinning is usually set up at launch):

      frida -U -p <app_pid> -l <script.js>
      frida -U -f <bundle_id> -l <script.js>

      Older Frida releases pause a spawned process; add --no-pause there.

2. Using Objection

Objection is a runtime mobile exploration toolkit that includes support for bypassing SSL pinning.

Setup

  1. Install Objection:

    • Install Objection on your host machine:

      pip install objection
  2. Set up the device side:

    • Objection runs on the host and talks to Frida on the device, so nothing is installed through Cydia. On a jailbroken device, run frida-server as in the Frida section. On a non-jailbroken device, embed the Frida Gadget into the app with objection patchipa --source <app>.ipa and sideload the re-signed IPA.

  3. Bypass SSL Pinning:

    • Start objection against the app (by bundle identifier or PID) and enter the explore console:

      objection -g <bundle_id> explore
    • In the objection console, run:

      ios sslpinning disable

      This applies objection's built-in iOS hooks (Security.framework trust evaluation plus common NSURLSession/NSURLConnection delegate patterns). If the app still refuses the proxy certificate, fall back to a custom Frida script.

3. Using SSL Kill Switch 2

SSL Kill Switch 2 is a jailbreak tweak specifically designed for disabling SSL pinning in iOS applications. Instead of scripting per app, it hooks Security.framework's trust evaluation system-wide, so it is the quickest option when a device is already jailbroken.

Setup

  1. Install SSL Kill Switch 2:

    • Install the Debian package:

      • Download the pre-built .deb from the project's GitHub releases, copy it to the device over SSH and install it as root, then restart SpringBoard:

        dpkg -i <sslkillswitch2>.deb
        killall -HUP SpringBoard

    • Build from source:

      • The project is a tweak, not an app, so it is built with the iOS tweak toolchain (Theos) into a .deb and installed the same way, not sideloaded with Xcode or AltStore.

  2. Bypass SSL Pinning:

    • Open the Settings app, enable SSL Kill Switch 2 in its preference pane, then kill and relaunch the target app. Every app started from then on has Security.framework trust evaluation disabled. Apps that pin with their own key comparison, or that ship a third-party TLS stack, are not covered and need the Frida or binary-patching approaches.

4. Patching the App Binary

Another technique involves directly modifying the app’s binary to bypass SSL pinning.

Steps

  1. Decrypt and disassemble the app:

    • App Store binaries are FairPlay-encrypted; dump a decrypted copy from a jailbroken device first, then load it into IDA Pro or Ghidra to disassemble and decompile it.

  2. Identify the pinning code:

    • Look for the auth-challenge delegate methods (URLSession:didReceiveChallenge:completionHandler:, connection:willSendRequestForAuthenticationChallenge:), imports such as SecTrustEvaluate, SecTrustEvaluateWithError, SecTrustSetAnchorCertificates and SecTrustCopyPublicKey, library names such as TrustKit, and strings in the sha256/<base64> pin format or bundled .cer/.der files.

  3. Patch the binary:

    • Change the decision so the check always succeeds, for example by inverting or removing the conditional branch after the comparison, or by making the delegate always call its completion handler with NSURLSessionAuthChallengeUseCredential. This requires an understanding of the app's internals and of ARM64 assembly.

  4. Repackage and deploy:

    • The modified binary no longer matches its code signature, so re-sign the app with a development certificate and provisioning profile, rebuild the IPA, and install it on the test device.
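The identification step above is usually done by hand in the disassembler, but a raw byte scan gives a map of where to look first. The script below is an added example written for this page (not a tool the page or any project provides): it scans a decrypted binary for selector names, Security.framework imports, pinning-library names and pin-format strings, and reports which of the indicators point at pinning rather than ordinary TLS use. The sample bytes at the bottom are constructed, not taken from a real app, and the indicator-to-meaning table is this example's own assessment.

```python
"""Static triage for SSL-pinning indicators in a decrypted iOS binary (added example)."""
import base64
import hashlib
import re

# Symbol or selector -> what its presence suggests (this example's own table).
INDICATORS = {
    "URLSession:didReceiveChallenge:completionHandler:": "NSURLSession delegate making its own trust decision",
    "connection:willSendRequestForAuthenticationChallenge:": "NSURLConnection delegate making its own trust decision",
    "SecTrustEvaluateWithError": "Security.framework trust evaluation (what Frida/SSL Kill Switch hook)",
    "SecTrustEvaluate": "legacy Security.framework trust evaluation",
    "SecTrustSetAnchorCertificates": "custom anchor set: certificate pinning",
    "SecTrustCopyPublicKey": "public-key extraction, usually for an SPKI hash comparison",
    "SecCertificateCopyData": "leaf certificate bytes, usually for a byte-for-byte comparison",
    "TrustKit": "TrustKit pinning library",
    "kTSKPublicKeyHashes": "TrustKit pin configuration",
    "SSL_CTX_set_custom_verify": "BoringSSL custom verify (Flutter/Cronet-style; Security.framework hooks will not help)",
}
# Indicators that mean pinning rather than ordinary TLS usage.
PINNING_SPECIFIC = {
    "URLSession:didReceiveChallenge:completionHandler:",
    "connection:willSendRequestForAuthenticationChallenge:",
    "SecTrustSetAnchorCertificates", "TrustKit", "kTSKPublicKeyHashes",
    "SSL_CTX_set_custom_verify",
}
PIN_RE = re.compile(rb"sha256/[A-Za-z0-9+/]{43}=")                          # TrustKit/HPKP pin literal
CERT_FILE_RE = re.compile(rb"[A-Za-z0-9_.-]+\.(?:cer|der|pem|p12)(?=\x00)")  # bundled cert name


def find_indicators(blob: bytes) -> dict:
    """Map each indicator found to the byte offsets where it occurs. A trailing letter
    is excluded so 'SecTrustEvaluate' does not fire inside 'SecTrustEvaluateWithError'."""
    hits = {}
    for name in INDICATORS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        offsets = [m.start() for m in re.finditer(pattern, blob)]
        if offsets:
            hits[name] = offsets
    return hits


def find_pins(blob: bytes) -> list:
    return [m.group().decode("ascii") for m in PIN_RE.finditer(blob)]


def find_cert_files(blob: bytes) -> list:
    return [m.group().decode("ascii") for m in CERT_FILE_RE.finditer(blob)]


def pinning_reasons(blob: bytes) -> list:
    """Human-readable reasons to believe the app pins; an empty list means 'probably not'."""
    reasons = [INDICATORS[n] for n in find_indicators(blob) if n in PINNING_SPECIFIC]
    reasons += [f"embedded pin literal {p}" for p in find_pins(blob)]
    reasons += [f"bundled certificate {f}" for f in find_cert_files(blob)]
    return reasons


def likely_pinned(blob: bytes) -> bool:
    return bool(pinning_reasons(blob))


# Constructed stand-in for the strings a real binary keeps in __objc_methname,
# its symbol table and __cstring; a real scan reads the decrypted Mach-O file.
SAMPLE_PIN = "sha256/" + base64.b64encode(hashlib.sha256(b"constructed spki").digest()).decode()
SAMPLE_BINARY = (
    b"\x00" * 16
    + b"URLSession:didReceiveChallenge:completionHandler:\x00"
    + b"SecTrustEvaluateWithError\x00"
    + b"kTSKPublicKeyHashes\x00"
    + SAMPLE_PIN.encode() + b"\x00"
    + b"backend-ca.cer\x00"
)

if __name__ == "__main__":
    for name, offsets in find_indicators(SAMPLE_BINARY).items():
        print(f"{offsets[0]:#010x} {name}: {INDICATORS[name]}")
    for reason in pinning_reasons(SAMPLE_BINARY):
        print("pinning:", reason)
```

Run it over the decrypted Mach-O (`python3 triage.py` with `SAMPLE_BINARY` replaced by the file's bytes); the offsets go straight into the disassembler's "go to address", and a hit on SSL_CTX_set_custom_verify or a bundled TLS library tells you up front that the Security.framework-based tools in the earlier sections will not be enough.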

Conclusion

Bypassing SSL pinning is a prerequisite for most mobile application penetration testing, since nothing behind the pinned connection can be tested until the proxy can see it. Frida, Objection and SSL Kill Switch 2 cover the common Security.framework-based implementations; custom key comparisons and third-party TLS stacks need a tailored hook or a binary patch. Understanding which technique applies to which implementation lets security professionals thoroughly assess iOS applications.

For more detailed information on using these tools, refer to their respective documentation and resources:


Last updated 9 months ago


SSL Kill Switch 2 GitHub
Frida Documentation
Objection Documentation