Use Frida and Objection!
By now you should know how to install Burp Suite and set it up to proxy your iOS device. If that is all you do, you will run into TLS errors for apps that pin their certificates.
You have to use Frida and Objection to inject an SSL pinning bypass into the app you’re interested in. Only then will you be able to proxy all network traffic from that app.
Use a jailbroken device, and you can start frida-server after installing it on your device, along with the client tools on your laptop. There is no need to patch applications to embed the Frida gadget, as Frida can simply inject into a target process.
With everything installed, run frida-ps -Uia to list all of the processes on the device.

$ frida-ps -Uia
  PID  Name              Identifier
-----  ----------------  ---------------------------
    -  App Store         com.apple.AppStore
    -  Calendar          com.apple.mobilecal
    -  Camera            com.apple.camera
Great. That is all the information you need. Each of those “Identifier” values is what we refer to as a Gadget in objection. So, to “connect” to one of those apps, specify the identifier with the --gadget flag after you have launched the app on the device.
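To take the manual step out of reading the frida-ps table and copying an identifier into the --gadget flag, here is a small parser for that listing. This is an added example, not code from the original post or from the Frida or objection projects; the sample output is constructed to mirror the listing above (with one app given a PID so the "running" case can be shown), and the helper names parse_frida_ps, find_gadget and objection_command are hypothetical.

```python
"""Parse the table printed by `frida-ps -Uia` and pick out the identifier
("gadget" name in objection terms) for a given app.

Added example, not code from the original post or from the Frida/objection
projects. SAMPLE_FRIDA_PS is constructed; the helper names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `frida-ps -Uia` output. A PID of "-" means the app
# is installed but not currently running; Calendar is given a PID here
# purely to exercise the running case.
SAMPLE_FRIDA_PS = """\
  PID  Name       Identifier
-----  ---------  ---------------------------
    -  App Store  com.apple.AppStore
  412  Calendar   com.apple.mobilecal
    -  Camera     com.apple.camera
"""


@dataclass
class InstalledApp:
    pid: Optional[int]      # None when frida-ps prints "-" (not running)
    name: str
    identifier: str         # the value objection's --gadget flag expects

    @property
    def running(self) -> bool:
        return self.pid is not None


def parse_frida_ps(output: str) -> List[InstalledApp]:
    """Turn the frida-ps table into InstalledApp records.

    The Name column can contain spaces ("App Store"), so split from the
    ends: PID is the first field, identifier the last, name is the rest.
    """
    apps: List[InstalledApp] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("PID") or line.startswith("---"):
            continue  # skip blank lines, the header and the separator
        fields = line.split()
        if len(fields) < 3:
            continue  # not a well-formed app row
        pid_field, identifier = fields[0], fields[-1]
        name = " ".join(fields[1:-1])
        pid = None if pid_field == "-" else int(pid_field)
        apps.append(InstalledApp(pid=pid, name=name, identifier=identifier))
    return apps


def find_gadget(output: str, wanted: str) -> Optional[InstalledApp]:
    """Look up an app by bundle identifier or display name, case-insensitively."""
    for app in parse_frida_ps(output):
        if wanted.lower() in (app.identifier.lower(), app.name.lower()):
            return app
    return None


def objection_command(app: InstalledApp) -> str:
    """Build the objection invocation used in the post for this app.

    The post attaches after launching the app on the device, so refuse to
    build a command for an app that frida-ps reports as not running.
    """
    if not app.running:
        raise RuntimeError(
            f"{app.identifier} is installed but not running; launch it first")
    return f'objection --gadget "{app.identifier}" explore'


if __name__ == "__main__":
    for app in parse_frida_ps(SAMPLE_FRIDA_PS):
        state = "running" if app.running else "not running"
        print(f"{app.identifier:30} {app.name:12} {state}")
    calendar = find_gadget(SAMPLE_FRIDA_PS, "Calendar")
    print(objection_command(calendar))
```

In real use you would feed it the captured output of frida-ps -Uia instead of the constructed sample; the running check mirrors the post's instruction to launch the app before attaching.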
~ » objection --gadget "com.apple.AppStore" explore
     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion)

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.apple.AppStore on (iPad: 8.1) [usb] # ios sslpinning disable
After injecting into the process, just call ios sslpinning disable. Objection should start telling you about calling SSL_CTX_set_custom_verify(), setting custom callback, etc. At this point just go back to the Proxy tab in Burp and view all of that previously secured communication 🙂
As always, stay safe. James xx
p.s. I’m led to believe you can build SSL KillSwitch 2 with a modification that has been sitting in the repo’s pull requests for two months and it will then work. Just use my guide, much simpler!
Most of the instructions above are from the Objection repo and were written by Leon Jacobs.