
Not working with Apple Push Service (apsd)

Open a3135134 opened this issue 6 years ago • 7 comments

Hi, I'm trying to decrypt the SSL traffic of Apple's Home app (the official HomeKit app). After installing the newest SSL-Kill-Switch2, I thought I had killed the related processes (e.g. apsd, homed), but it didn't work. I still get the "Handshake failed" error: the client may not trust the proxy's certificate for courier.push.apple.com. Could anyone provide any ideas on this issue? Can ssl-kill hook Apple's push service? Thanks!

a3135134 · Sep 04 '19 01:09

In addition, from the log in Xcode, I saw that apsd got an error in the SSL handshake, and the error still occurred continuously even though I had killed the apsd process.

(I'm using iOS 12.2)

a3135134 · Sep 05 '19 18:09

Well, I used Frida to hook SecTrustEvaluate(), and it works.

Reference: https://kov4l3nko.github.io/blog/2018-05-27-sll-pinning-hook-sectrustevaluate/

a3135134 · Sep 08 '19 20:09
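The hook described in the comment above, written out as an added example (this is not code from the thread, from the linked blog post, or from ssl-kill-switch2). It is a Frida script that forces SecTrustEvaluate() to report a trusted result, and also covers SecTrustEvaluateWithError(), the replacement API introduced in iOS 12 that newer code paths call instead. It assumes the target process links Security.framework under the module name "Security" and that both symbols are exported on the iOS version in use; the hypothetical log prefixes and the decision helper forcedTrustResult() are mine.

```javascript
// Added example (not code from the original thread or from ssl-kill-switch2):
// a Frida script that forces SecTrustEvaluate() / SecTrustEvaluateWithError()
// to report success, so a process such as apsd accepts the proxy's certificate.
// Assumptions: the target process links Security.framework (module name
// "Security") and both symbols are exported on the iOS version in use.

// SecTrustResultType values from Security/SecTrust.h.
const kSecTrustResultProceed = 1;      // user explicitly trusted the certificate
const kSecTrustResultUnspecified = 4;  // trusted by policy, no user override
const errSecSuccess = 0;

// What the hook writes back into *result. Kept as a plain function so the
// decision can be checked outside Frida: results that already pass are left
// untouched, every failure code becomes "unspecified" (i.e. trusted).
function forcedTrustResult(original) {
  if (original === kSecTrustResultProceed || original === kSecTrustResultUnspecified) {
    return original;
  }
  return kSecTrustResultUnspecified;
}

// OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result)
function hookSecTrustEvaluate() {
  const target = Module.findExportByName('Security', 'SecTrustEvaluate');
  if (target === null) {
    console.log('[-] SecTrustEvaluate not exported');
    return false;
  }
  Interceptor.attach(target, {
    onEnter(args) {
      this.resultPtr = args[1]; // where the callee stores its verdict
    },
    onLeave(retval) {
      const original = this.resultPtr.readU32();
      const forced = forcedTrustResult(original);
      this.resultPtr.writeU32(forced);
      retval.replace(ptr(errSecSuccess));
      if (forced !== original) {
        console.log('[+] SecTrustEvaluate: rewrote result ' + original + ' -> ' + forced);
      }
    },
  });
  return true;
}

// bool SecTrustEvaluateWithError(SecTrustRef trust, CFErrorRef *error), iOS 12+.
function hookSecTrustEvaluateWithError() {
  const target = Module.findExportByName('Security', 'SecTrustEvaluateWithError');
  if (target === null) {
    console.log('[-] SecTrustEvaluateWithError not exported');
    return false;
  }
  Interceptor.attach(target, {
    onEnter(args) {
      this.errorPtr = args[1]; // may be NULL if the caller does not want an error object
    },
    onLeave(retval) {
      if (retval.toInt32() === 0) {
        if (!this.errorPtr.isNull()) {
          // Clear the CFErrorRef the callee set (the object leaks; acceptable for a debug hook).
          this.errorPtr.writePointer(ptr(0));
        }
        retval.replace(ptr(1)); // report "trusted"
        console.log('[+] SecTrustEvaluateWithError: forced true');
      }
    },
  });
  return true;
}

// Only install the hooks when running inside Frida; the decision logic above
// is plain JavaScript and can be exercised anywhere.
if (typeof Interceptor !== 'undefined') {
  hookSecTrustEvaluate();
  hookSecTrustEvaluateWithError();
}
```

Load it into the running daemon with `frida -U -n apsd -l <script>.js` (attach by name; apsd is a launchd daemon and is relaunched when killed, so attaching is the practical option). This only makes the client accept the proxy's certificate; it does nothing about the server side, which is the separate problem discussed later in the thread.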

Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response in Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows errors in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

philok93 · Sep 13 '19 13:09

> Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response in Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows errors in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw in Wireshark that the client sent the first message to the server, and the client shut down the connection because there was no response from the server. It is said that the server also checks the client's certificate. Even though I configured the client's certificate in mitmproxy, it didn't work.

a3135134 · Sep 13 '19 19:09

> Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response in Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows errors in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

> Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw in Wireshark that the client sent the first message to the server, and the client shut down the connection because there was no response from the server. It is said that the server also checks the client's certificate. Even though I configured the client's certificate in mitmproxy, it didn't work.

I face the same problem: even after configuring client and server certificates for authentication, I don't get a response from Apple's servers. Maybe apsd uses a low-level SSL certificate check, or I don't know what the reason could be. For sure the certificates are hardcoded in apsd and Frida doesn't work for low-level hook functions (at least that's what I understand). Did you find any other daemon that tries to authenticate with Apple?

philok93 · Sep 14 '19 07:09

> Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response in Charles with the Frida hook? I still have the problem of SSL failing. I tried hooking with Cydia Substrate but no solution. Charles shows errors in the requests going to iCloud. (iOS 12.4) I appreciate any help, thank you!

> Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw in Wireshark that the client sent the first message to the server, and the client shut down the connection because there was no response from the server. It is said that the server also checks the client's certificate. Even though I configured the client's certificate in mitmproxy, it didn't work.

> I face the same problem: even after configuring client and server certificates for authentication, I don't get a response from Apple's servers. Maybe apsd uses a low-level SSL certificate check, or I don't know what the reason could be. For sure the certificates are hardcoded in apsd and Frida doesn't work for low-level hook functions (at least that's what I understand). Did you find any other daemon that tries to authenticate with Apple?

I'm sure the client trusts the proxy's certificate after hooking with Frida, because I saw the first message from the apsd client in my proxy. I also hooked imagent, cloudd and identityservicesd, and there was no error from my mitm proxy. However, I still face that problem: the server didn't respond in that established SSL connection from my proxy. Carefully inspecting the traffic may throw some light on this strange behavior? Instead, I'm now considering hooking the functions that deal with the messages, e.g. SSL_read() and SSL_write(), to read the plaintext from apsd, though I have not been able to find the correct functions yet. Did you consider this method?

a3135134 · Sep 14 '19 18:09
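The alternative a3135134 raises above, capturing plaintext at the TLS read/write boundary inside the process, as an added example (not code from the thread or from ssl-kill-switch2). Because no proxy sits on the wire, neither certificate pinning nor the server's client-certificate check comes into play; the script simply logs what the process hands to, and receives from, its TLS library. Which TLS stack apsd actually uses is not established in the thread, so the script assumes one of two candidates and tries both: BoringSSL's exported SSL_read()/SSL_write(), or SecureTransport's SSLRead()/SSLWrite() in Security.framework. A missing symbol is reported, not treated as an error. The helpers asciiPreview() and describeChunk() and the log format are my own.

```javascript
// Added example (not code from the thread or from ssl-kill-switch2): a Frida
// script that logs TLS plaintext inside the process. Assumptions: the process
// exports BoringSSL's SSL_read/SSL_write and/or links SecureTransport's
// SSLRead/SSLWrite from Security.framework; both are tried.

const PREVIEW_BYTES = 64;

// Render a byte array as printable ASCII, one '.' per non-printable byte,
// truncated to PREVIEW_BYTES with a trailing '...'.
function asciiPreview(bytes, max = PREVIEW_BYTES) {
  let out = '';
  const n = Math.min(bytes.length, max);
  for (let i = 0; i < n; i++) {
    const b = bytes[i];
    out += b >= 0x20 && b <= 0x7e ? String.fromCharCode(b) : '.';
  }
  return bytes.length > max ? out + '...' : out;
}

// One log line per chunk: direction, connection handle, length, preview.
function describeChunk(direction, handle, bytes) {
  return `[${direction}] ssl=${handle} len=${bytes.length} ${asciiPreview(bytes)}`;
}

function logChunk(direction, handle, bufPtr, length) {
  if (length <= 0) return; // error or EOF: nothing was transferred
  const bytes = new Uint8Array(bufPtr.readByteArray(length));
  console.log(describeChunk(direction, handle, bytes));
}

// int SSL_read(SSL *ssl, void *buf, int num)
// int SSL_write(SSL *ssl, const void *buf, int num)
function hookBoringSSL() {
  const read = Module.findExportByName(null, 'SSL_read');
  const write = Module.findExportByName(null, 'SSL_write');
  if (read === null || write === null) {
    console.log('[-] SSL_read/SSL_write not found');
    return false;
  }
  Interceptor.attach(read, {
    onEnter(args) { this.ssl = args[0]; this.buf = args[1]; },
    // the return value is the number of plaintext bytes placed in buf
    onLeave(retval) { logChunk('recv', this.ssl, this.buf, retval.toInt32()); },
  });
  Interceptor.attach(write, {
    onEnter(args) { logChunk('send', args[0], args[1], args[2].toInt32()); },
  });
  return true;
}

// OSStatus SSLRead(SSLContextRef ctx, void *data, size_t len, size_t *processed)
// OSStatus SSLWrite(SSLContextRef ctx, const void *data, size_t len, size_t *processed)
function hookSecureTransport() {
  const read = Module.findExportByName('Security', 'SSLRead');
  const write = Module.findExportByName('Security', 'SSLWrite');
  if (read === null || write === null) {
    console.log('[-] SSLRead/SSLWrite not found');
    return false;
  }
  Interceptor.attach(read, {
    onEnter(args) { this.ctx = args[0]; this.buf = args[1]; this.processed = args[3]; },
    onLeave(retval) {
      // bytes delivered are reported through *processed, not the return value
      const n = this.processed.readULong().toNumber();
      logChunk('recv', this.ctx, this.buf, n);
    },
  });
  Interceptor.attach(write, {
    onEnter(args) { logChunk('send', args[0], args[1], args[2].toUInt32()); },
  });
  return true;
}

// Install hooks only inside Frida; the formatting helpers run anywhere.
if (typeof Interceptor !== 'undefined') {
  hookBoringSSL();
  hookSecureTransport();
}
```

Attach with `frida -U -n apsd -l <script>.js`. The handle printed per line (the SSL* or SSLContextRef pointer) lets you group chunks by connection when several TLS sessions are open in the same process.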

I didn't try hooking the SSL_read() function, but it may be a solution for this problem. I need to do some research first to find the correct functions that do the pinning. At least when I enable SSL Kill Switch it disables pinning for some iCloud requests, but not those we want.

philok93 · Sep 15 '19 07:09