1 Introduction
1. Problems encountered
While doing app penetration testing, I ran into a problem: when using Burp Suite or Stream to capture the app's packets, it reports that the certificate is invalid.
2. Break through SSL Pinning
1. SSL Pinning
SSL Pinning is also called SSL certificate binding. After receiving the server's certificate, the client performs a strict check to verify that the certificate is one the client recognizes (for example, by comparing it, or its public key, against a copy shipped inside the app). If it is not, the connection is dropped immediately. This also caused network requests to fail after I had set up a proxy earlier, but not every such failure is due to this reason.
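To make the check described above concrete, here is an added example (not code from the original post or from SSL Kill Switch 2) of how a client-side pinning check works: each pin is the SHA-256 digest of the certificate's SubjectPublicKeyInfo, the form used by HPKP and by iOS pinning libraries such as TrustKit, and the connection is refused unless some certificate in the server's chain matches a configured pin. The DER walker, the sample SPKI byte strings and the certificate-shaped structure built around them are all constructed for this example (the certificate is unsigned; only its field layout matters), and `pinned_connect` is a hypothetical helper name. A tool such as SSL Kill Switch 2 defeats this kind of check on a jailbroken device by hooking the system's TLS validation routines, which is why the capture succeeds once the tweak is enabled.

```python
"""Client-side SPKI pinning check (added example, not the original post's code)."""
import base64
import hashlib
from datetime import date
from typing import List, Optional, Set


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw_element_bytes) for each child of a constructed DER element."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, start, end = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs_tag, tbs = next(_children(cert_der, start, end))
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    _, tstart, tend = _read_tlv(tbs, 0)
    fields = list(_children(tbs, tstart, tend))
    if fields and fields[0][0] == 0xA0:   # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """HPKP/TrustKit-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pins(chain_der: List[bytes], pins: Set[str],
               today: Optional[date] = None, pins_expire: Optional[date] = None) -> bool:
    """True if the connection may proceed: some certificate in the chain is pinned.
    A pin set carries an expiry so that a forgotten app update cannot lock users
    out forever; after expiry the app falls back to ordinary chain validation."""
    if pins_expire is not None and (today or date.today()) > pins_expire:
        return True
    return any(spki_pin(cert) in pins for cert in chain_der)


def pinned_connect(host: str, port: int, pins: Set[str]):
    """Hypothetical helper: open a TLS connection and refuse it unless the leaf
    certificate is pinned. ssl.getpeercert(binary_form=True) returns only the leaf."""
    import socket
    import ssl
    ctx = ssl.create_default_context()      # ordinary chain + hostname validation first
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not check_pins([sock.getpeercert(binary_form=True)], pins):
        sock.close()                        # fail closed: the behaviour the post observes
        raise ssl.SSLError("certificate pinning failure")
    return sock


# ---- CONSTRUCTED sample input below: not real keys or certificates ----
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _fake_spki(fill: bytes) -> bytes:
    """CONSTRUCTED SPKI: SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING }."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
    return _der(0x30, alg + _der(0x03, b"\x00" + fill * 64))


def constructed_cert(spki: bytes) -> bytes:
    """CONSTRUCTED, unsigned certificate-shaped DER around the given SPKI."""
    version = _der(0xA0, _der(0x02, b"\x02"))                       # [0] EXPLICIT v3
    serial = _der(0x02, b"\x01")
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = _der(0x30, b"")                                           # empty Name
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, version + serial + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 33))       # dummy signature


SERVER_SPKI = _fake_spki(b"\xab")
BACKUP_SPKI = _fake_spki(b"\x5c")
ROGUE_SPKI = _fake_spki(b"\xcd")          # stands in for an interception proxy's key
GOOD_CERT = constructed_cert(SERVER_SPKI)
ROGUE_CERT = constructed_cert(ROGUE_SPKI)
PINS = {spki_pin(GOOD_CERT), spki_pin(constructed_cert(BACKUP_SPKI))}  # primary + backup

if __name__ == "__main__":
    print("server cert pinned:", check_pins([GOOD_CERT], PINS))    # True
    print("proxy cert pinned:", check_pins([ROGUE_CERT], PINS))    # False: connection dropped
```

The important design points are that the pin is over the public key rather than the whole certificate (so routine renewals with the same key do not break the app), that a backup pin for an offline key is always shipped, and that the check runs only after the normal chain and hostname validation and before any application data is sent.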
2. Solutions
For an iOS app, SSL Pinning is bypassed here using SSL Kill Switch 2.
What needs to be prepared are:
- A jailbroken iOS phone
- Debian Packager plugin
- Cydia Substrate plugin
- PreferenceLoader plugin
- The SSL Kill Switch 2 deb package
First copy the downloaded deb package onto the jailbroken iOS phone.
Install the three plugin packages separately in Cydia.
Then SSH into the phone and run the following commands in order to install it:
dpkg -i com.nablac0d3.sslkillswitch2_0.13.deb
killall -HUP SpringBoard
iPhone:~ root# ls
Application Support Library Media com.nablac0d3.sslkillswitch2_0.13.deb
iPhone:~ root# dpkg -i com.nablac0d3.sslkillswitch2_0.13.deb
Selecting previously unselected package com.nablac0d3.sslkillswitch2.
(Reading database ... 2959 files and directories currently installed.)
Preparing to unpack com.nablac0d3.sslkillswitch2_0.13.deb ...
Unpacking com.nablac0d3.sslkillswitch2 (0.13-1+debug) ...
Setting up com.nablac0d3.sslkillswitch2 (0.13-1+debug) ...
iPhone:~ root# killall -HUP SpringBoard
After running the commands, check the installed packages: the SSL Kill Switch 2 plugin is now listed.
After rebooting, I found that SSL Kill Switch 2 appears in Settings. If it is not there, it may be because the phone is no longer fully jailbroken after the restart; after jailbreaking again, it will appear in Settings.
Turn on the plugin's switch, reopen the app in question and capture its traffic; the packets can now be captured successfully.