
Bypassing OpenSSL Certificate Pinning in iOS Apps - silenteh
http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html
======
sjtgraham
I don't even attempt to circumvent SSL pinning. IMO it's easier and safer to
use Cydia substrate to decorate the networking classes to print args and
return values to the console. I've reversed a few APIs in this way, including
a bank's.

~~~
jerematasno
Note that the associated whitepaper discusses using Cydia -- specifically
cycript -- to do the same thing.

~~~
dmayer
Yes, oftentimes that can be sufficient if you just want to study the
protocol or build a custom client. Often one would like to modify
messages of the protocol in order to find flaws in either the server or the
client, and the ability to man-in-the-middle the protocol makes that easier, in
my opinion.

For completeness, the whitepaper is here:
[http://matasano.com/research/bypassing_openssl_pinning.pdf](http://matasano.com/research/bypassing_openssl_pinning.pdf)
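
To make concrete what the pinning check being discussed actually compares, here is an added example (not code from the article, the whitepaper, or any commenter). It implements the client-side half of OpenSSL-style public key pinning: a minimal DER walker that pulls subjectPublicKeyInfo out of an X.509 certificate, hashes it into an HPKP-style `sha256/...` pin, and compares it against a pinned set. All function names (`extract_spki`, `compute_pin`, `pin_matches`) are hypothetical, the certificates are constructed inline and are not real, and the walker goes slightly beyond the v3 case by also handling v1 certificates that lack the explicit version field.

```python
import base64
import hashlib

# --- Minimal DER helpers (hypothetical names, written for this example) ---

def der(tag, content):
    """Encode one DER TLV: tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(content):
    """Yield (tag, content, raw_tlv) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(content):
        start = pos
        tag, value, pos = read_tlv(content, pos)
        yield tag, value, content[start:pos]


def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo from an X.509 certificate.

    Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo.
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body, _ = next(children(cert_body))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(children(tbs_body))
    if fields and fields[0][0] == 0xA0:   # explicit [0] version, absent in v1
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][2]


def compute_pin(cert_der):
    """HPKP-style pin string: base64(SHA-256(DER(subjectPublicKeyInfo)))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der, pinned):
    """The check a verify callback would perform: is this key one we pinned?"""
    return compute_pin(cert_der) in pinned


# --- Constructed sample certificates (not real keys, not real signatures) ---
OID_RSA = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # commonName

def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def spki(key_bytes):
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))  # BIT STRING, 0 unused bits

def make_cert(key_bytes, v3=True):
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0xA0, der(0x02, b"\x02")) if v3 else b""   # version v3 (2)
    tbs += der(0x02, b"\x01")                             # serialNumber
    tbs += sig_alg                                        # signature
    tbs += name("Constructed Test CA")                    # issuer
    tbs += der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))
    tbs += name("api.example.test")                       # subject
    tbs += spki(key_bytes)                                # subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" * 9))

SERVER_KEY = bytes(range(1, 33))
ROGUE_KEY = bytes(range(100, 132))
SERVER_CERT = make_cert(SERVER_KEY)
SERVER_CERT_V1 = make_cert(SERVER_KEY, v3=False)
ROGUE_CERT = make_cert(ROGUE_KEY)   # same subject, different key: a MITM cert
PINS = {compute_pin(SERVER_CERT)}

if __name__ == "__main__":
    print("pin:", compute_pin(SERVER_CERT))
    print("server cert accepted:", pin_matches(SERVER_CERT, PINS))
    print("rogue cert accepted:", pin_matches(ROGUE_CERT, PINS))
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the server rotate certificates without shipping an app update, as long as the key stays the same; the rogue certificate above carries the same subject name and would pass a hostname check, which is exactly the gap the pin closes. The check only helps when it actually executes, though: it runs inside the client, so an attacker who controls the device and patches the callback out (the subject of the article) is outside its threat model, which is chain-of-trust attacks from the network.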

~~~
wglb
Awesome article and white paper.

------
jrochkind1
> From a penetration testing perspective, this may cause practical problems

I was super confused what they were talking about, until I remembered that
"penetration testing" really just means "penetration", not "testing", it's
just a euphemism for "attacking". I think?

~~~
dmayer
Yeah, I think a better term would be application security assessment where one
tests the application for security flaws. Penetration testing stems originally
from network security where one actually tries to penetrate a network. It's
not a great term for software, I agree.

~~~
bartbes
I think the intent here is to decrypt and then reverse engineer the network
traffic, so they can then check for vulnerabilities server-side. So they
aren't auditing the application, they're just trying to find a way in.

~~~
wglb
(You are replying to the author of the article, possibly intending to reply to
the parent.)

This is part of auditing an application. Finding a way in is only one step of
the process.

------
mwcampbell
Wouldn't it be much harder to patch the binary if it were stripped? Is it not
common to strip release builds of iOS apps?

~~~
dmayer
(Disclaimer: I'm the author of the blog post)

I think there are two things to that.

First, for dynamic C/C++ libraries like OpenSSL, some symbols have
to be maintained in order to relocate the library and find the entry point to
the corresponding function.

Second, Objective-C is a dynamic language and as such the binary will always
include the Objective-C method names. The reason is that they are resolved at
runtime (via so-called "selectors"). In fact, Objective-C doesn't technically
call methods but uses a message passing system. So if you pull any app
from the app store, you can determine all classes, methods, and mostly
arguments of the methods.

