Nytro Posted January 8, 2015

Bypass OpenSSL Certificate Pinning on iOS
Daniel Mayer (daniel@matasano.com)
January 7, 2015

Abstract:

When mobile applications communicate with an API or web service, this should generally happen via TLS/SSL (e.g., HTTPS). In order to verify the identity of the server and to prevent man-in-the-middle attacks, TLS relies on certificates which prove the identity of the web server. Browsers and mobile operating systems come preconfigured with a list of trusted Certificate Authorities (CAs). Since any of the CAs may issue a certificate for any hostname/server, security-conscious applications should "pin" the expected server certificate in the application, i.e., not accept any certificate but the one issued by the known-good CA which the application developer uses.

From a penetration testing perspective, this may cause practical problems since it is difficult to intercept the communication of an application that makes use of this technique. Without pinning, interception typically involves adding the TLS certificate of an intercepting proxy (such as Burp) to the certificate store of the target operating system. However, when the app uses certificate pinning, this store is often ignored. On iOS, when the app uses standard iOS APIs, the iOS SSL Kill Switch, developed by Matasano's sister company iSEC Partners, can be used to bypass pinning and force the application to accept any certificate presented by the server or proxy. The Kill Switch uses Cydia Substrate, which hooks the iOS functions used for certificate validation and modifies them so that they accept any certificate.

It becomes more complicated when the app uses the OpenSSL library instead of the native iOS frameworks, since they are not affected by the Kill Switch's hooking. There is more than one way of bypassing OpenSSL-based certificate pinning and, in this paper, we detail two of these methods: binary patching and Cydia Substrate.

Download: http://matasano.com/research/bypassing_openssl_pinning.pdf