The Only Way to Bypass SSL Pinning on iOS 13

Use Frida and Objection!

By now you should know how to install Burp Suite and set it up to proxy your iOS device. If this is all you do then you will come up against TLS errors.

You have to use Frida and Objection to inject an SSL bypass into the app you’re interested in. Only then will you be able to proxy all network traffic from that app.

Use a jailbroken device: install frida-server on the device and start it, and install the client tools on your laptop. There is no need to patch applications to embed the Frida gadget, as Frida can simply inject into a target process.

With everything installed, run frida-ps -Uia to list all of the processes on the device.

$ frida-ps -Uia
PID  Name              Identifier
---  ----------------  ---------------------------
  -  App Store         com.apple.AppStore
  -  Calendar          com.apple.mobilecal
  -  Camera            com.apple.camera

Great. That is all the information you need. Each of those “Identifier” values is what we refer to as a Gadget in objection. So, to “connect” to one of those apps, launch the app on the device and then specify the name with the --gadget flag.

~ » objection --gadget "com.apple.AppStore" explore

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion)

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.apple.AppStore on (iPad: 8.1) [usb] # ios sslpinning disable

After injecting into the process, just call ios sslpinning disable.

Objection should start telling you about calling SSL_CTX_set_custom_verify(), setting custom callback, etc. At this point just go back to the Proxy tab in Burp and view all of that previously secure communication 🙂

As always, stay safe. James xx

p.s. I’m led to believe you can build SSL KillSwitch 2 with a modification that has been sitting in the repo’s pull requests for two months and it will then work. Just use my guide, much simpler!

Most of the instructions above are from the Objection repo and written by Leon Jacobs.

Published by James

ZeroInfoSec CEO. Family man, hacker, football fan, BMW enthusiast.
