Not working with Apple Push Service (apsd) #67

Open
a3135134 opened this issue Sep 4, 2019 · 7 comments
a3135134 commented Sep 4, 2019

Hi,
I'm trying to decrypt the SSL traffic of Apple's Home app (the official HomeKit app). After installing the newest SSL Kill Switch 2, I thought I had killed the related processes (e.g. apsd, homed), but it didn't work. I still get the "Handshake failed" error: the client may not trust the proxy's certificate for courier.push.apple.com.
Could anyone provide any ideas on this issue? Can SSL Kill Switch hook Apple's push service?
Thanks!


a3135134 commented Sep 5, 2019

In addition, from the log in Xcode, I saw that "apsd" got an error in the SSL handshake, and the error kept occurring continuously even though I killed the apsd process.

(I'm using iOS 12.2)

a3135134 changed the title from "Not working with Apple Home (the official homekit app of Apple)" to "Not working with Apple Push Service (apsd)" on Sep 5, 2019

a3135134 commented Sep 8, 2019

Well, I used Frida to hook SecTrustEvaluate(), and it works.

Reference: https://kov4l3nko.github.io/blog/2018-05-27-sll-pinning-hook-sectrustevaluate/

philok93 commented

Hi @a3135134, I keep having the same problem even after hooking with Frida. Are you sure that you get the response in Charles with the Frida hook? I still have the SSL failed problem.
I tried hooking with Cydia Substrate, but no solution. Charles shows an error in the requests going to iCloud. (iOS 12.4)
I appreciate any help, thank you!

a3135134 commented


Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw the SSL connection (like courier.apple.com) established successfully in mitmdump; however, Apple's server didn't respond to the client's message! I even saw the client send the first message to the server in Wireshark, and the client shut down the connection because of no response from the server. It is said that the server also checks the client's certificate. Even though I configured the client's certificate in mitmproxy, it didn't work.

philok93 commented

I face the same problem: even after configuring client and server certificates for authentication, I don't get a response from Apple's servers. Maybe apsd uses a low-level SSL certificate check, or I don't know what the reason could be. For sure the certificates are hardcoded in apsd, and Frida doesn't work for low-level hook functions (at least as far as I understand). Did you find any other daemon that tries to authenticate with Apple?

a3135134 commented


I'm sure the client trusts the proxy's certificate after hooking with Frida, because I saw the first message from the apsd client in my proxy. I also hooked imagent, cloudd and identityservicesd, and there was no error from my MITM proxy. However, I still face that problem: the server didn't respond in that established SSL connection from my proxy. Carefully inspecting the traffic may shed some light on this strange behavior?
Instead, I'm now considering hooking the functions that deal with the messages, e.g. SSL_read() and SSL_write(), to read the plaintext from apsd, though I have not been able to find the correct functions yet. Did you consider this method?
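The two comments above both suspect that the upstream server is demanding a client certificate (mutual TLS) and silently dropping the proxy's connection when it cannot present one. That is visible in the clear in a TLS 1.2 handshake: a server that wants a client certificate sends a CertificateRequest message between Certificate and ServerHelloDone. The following script is an added example, written for this issue and not part of SSL Kill Switch 2 or of either commenter's setup. It parses the server-to-client byte stream (for example "Follow TCP Stream" output from Wireshark on the proxy's upstream side), reassembles the handshake messages across record boundaries, and reports whether a CertificateRequest was sent and which certificate types, signature algorithms and issuer names it lists. The sample bytes at the bottom are constructed for the demonstration, not captured from Apple; the certificate and DN payloads are placeholders rather than real DER.

```python
# Added example: detect a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4)
# in a server-to-client byte stream. Sample input is constructed, not captured.
import struct

TLS_HANDSHAKE = 22
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone", 20: "Finished"}


def tls_records(stream: bytes):
    """Yield (content_type, version, body) for each TLS record in the stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        yield ctype, version, body
        off += 5 + length


def handshake_messages(stream: bytes):
    """Yield (handshake_type, body). Messages may span records or share one,
    so concatenate all handshake records first, then walk the 4-byte headers."""
    buf = b"".join(b for ct, _, b in tls_records(stream) if ct == TLS_HANDSHAKE)
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated handshake header")
        htype, length = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length


def parse_certificate_request(body: bytes) -> dict:
    """Decode certificate types, signature algorithms and the CA name list."""
    n = body[0]
    cert_types, off = list(body[1:1 + n]), 1 + n
    sa_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(off, off + sa_len, 2)]
    off += sa_len
    ca_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    end, ca_names = off + ca_len, []
    while off < end:                       # each name is a 2-byte-length DER DN
        dn_len = int.from_bytes(body[off:off + 2], "big")
        ca_names.append(body[off + 2:off + 2 + dn_len])
        off += 2 + dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_count": len(ca_names)}


def server_flight_summary(stream: bytes) -> dict:
    """List the server's handshake messages and flag a client-cert demand."""
    msgs = list(handshake_messages(stream))
    summary = {"messages": [HS_NAMES.get(t, f"type{t}") for t, _ in msgs],
               "client_cert_requested": False, "certificate_request": None}
    for htype, body in msgs:
        if htype == 13:
            summary["client_cert_requested"] = True
            summary["certificate_request"] = parse_certificate_request(body)
    return summary


# --- constructed sample flight (placeholder payloads, not real Apple traffic) ---
def _hs(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(body: bytes) -> bytes:
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(body)) + body


def build_sample_server_flight(request_client_cert: bool) -> bytes:
    """ServerHello + Certificate [+ CertificateRequest] + ServerHelloDone,
    deliberately split across two records to exercise reassembly."""
    server_hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    fake_cert = b"\x30\x03\x02\x01\x01"          # placeholder, not a real certificate
    chain = len(fake_cert).to_bytes(3, "big") + fake_cert
    msgs = _hs(2, server_hello) + _hs(11, len(chain).to_bytes(3, "big") + chain)
    if request_client_cert:
        dn = b"\x30\x00"                          # empty SEQUENCE standing in for an issuer DN
        ca_names = len(dn).to_bytes(2, "big") + dn
        cert_req = (b"\x01\x01"                   # one accepted type: rsa_sign
                    + b"\x00\x04\x04\x01\x04\x03" # sha256/rsa, sha256/ecdsa
                    + len(ca_names).to_bytes(2, "big") + ca_names)
        msgs += _hs(13, cert_req)
    msgs += _hs(14, b"")
    mid = len(msgs) // 2
    return _record(msgs[:mid]) + _record(msgs[mid:])


if __name__ == "__main__":
    for flag in (True, False):
        print(server_flight_summary(build_sample_server_flight(flag)))
```

If the real upstream flight shows CertificateRequest, then hooking SecTrustEvaluate() on the device only solves half of the problem: the device now trusts the proxy, but the proxy must in turn satisfy the real server with a client certificate chaining to one of the listed CA names, which it cannot do without the device's own certificate and private key. Note that this check only works on a TLS 1.2 handshake; in TLS 1.3 the CertificateRequest is sent encrypted, so it would have to be read on the proxy's decrypted side instead of from a raw capture.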

philok93 commented

I didn't try hooking the SSL_read() function, but it may be a solution for this problem. I need to do some research first to find the correct functions that do the pinning. At least when I enable SSL Kill Switch it disables pinning for some iCloud requests, but not those we want.
