iOS certificate pinning bypass (Unc0ver + AltStore + Frida)

popalltheshells
3 min read · Sep 24, 2021

At work, I don’t always do mobile penetration tests; but when I do, I usually forget the end-to-end process of preparing the environment. So I decided to put together this compiled guide, so that I (and you all) can refer back to it in the future.

When an application you are testing stops working once you have hooked your device up to Burp Suite, it is almost always because the application implements certificate pinning.

It took me 5 hours to figure out the whole process, troubleshooting included. I have now written it down as a 3-minute manual, so you don’t have to spend 5 hours troubleshooting.

This write-up walks you through, step by step, how to:

  1. Prepare your iOS device
  2. Prepare your testing machine
  3. Set up Frida and bypass certificate pinning with it

Please note that at the time of writing I am using an iPhone 11 on iOS 14.0.

iOS device staging (iPhone 11 iOS 14.0)

The first thing you need to do to get Frida working with your device is to jailbreak it. At the time of writing, you can use unc0ver to jailbreak your device. To run unc0ver, however, you need to install it through AltStore. Here is a really good video on how to use the two: https://www.youtube.com/watch?v=JrUU84wQUps&t=0s

Hacking device staging (Kali Linux on VMware)

If you don’t have python3 on your machine yet, this is the best time to install it.

The first thing you need is pip3, which you install with the following command:

sudo apt-get -y install python3-pip

Once pip3 is installed, install Frida and frida-tools. Make sure they are the latest versions (Frida v15 and frida-tools v10+): the versions Kali ships are older, and I had issues running Frida with them.

Next, you will get an error about a failing TLS handshake with your iPhone:

(Failed to spawn: error performing TLS handshake: error:00000001:lib(0):func(0):reason(1))

I managed to find a fix for this: mount the Developer Disk Image (DDI) for your device’s current iOS version (14.0) using ideviceimagemounter, a tool that comes with Kali. Before mounting it, however, you need to download the Developer Disk Image for your device’s iOS version. You can do that here: https://github.com/xushuduo/Xcode-iOS-Developer-Disk-Image/releases/tag/14.0

ideviceimagemounter <pathToDeveloperDiskImage> <pathToDeveloperDiskImageSignature>

Once the image is mounted and everything is set up, it’s time to bypass certificate pinning.

Bypassing certificate pinning

  1. Connect your device to your hacking station
  2. On the terminal, run frida-ps -Uai to find the bundle identifier of the application whose certificate pinning you want to bypass
  3. Run the following command:

frida --codeshare federicodotta/ios13-pinning-bypass -f <application_identifier> -U --no-pause

If that gives you an unexpected crash error, follow these steps:

  1. Open the application
  2. On your hacking terminal, run the following command to inject into the frontmost application on the device:

frida --codeshare federicodotta/ios13-pinning-bypass -F -U --no-pause

CONGRATS! You’ve bypassed certificate pinning.
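The same workflow as one script, added here as an example that is not from the original post or from the Frida project: it encodes the version minimums from the setup section, maps the app name to its bundle identifier the way frida-ps -Uai does, spawns the app with the script loaded, and on a spawn failure falls back to attaching to the frontmost app (the “unexpected crash” case). It assumes a jailbroken device on USB and a local copy of the codeshare script at the hypothetical path PINNING_SCRIPT.

```python
import re
import sys
MIN_FRIDA, MIN_TOOLS = (15, 0, 0), (10, 0, 0)  # minimum versions the post calls for
PINNING_SCRIPT = "ios13-pinning-bypass.js"      # hypothetical local copy of the codeshare script

def parse_version(text):
    """'15.1.17' -> (15, 1, 17); ignores suffixes such as '.dev1'."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def versions_ok(frida_version, tools_version):
    """True when frida and frida-tools both meet the minimums above."""
    return parse_version(frida_version) >= MIN_FRIDA and parse_version(tools_version) >= MIN_TOOLS

def find_identifier(apps, name):
    """Display name -> bundle identifier; `apps` holds (name, identifier, pid) rows as frida-ps -Uai prints."""
    hits = [ident for app_name, ident, _pid in apps if app_name.lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one app named {name!r}, found {len(hits)}")
    return hits[0]

def inject(device, pid, source):
    """Attach to pid and load the script; return both so the session is not garbage-collected."""
    session = device.attach(pid)
    script = session.create_script(source)
    script.load()
    return session, script

def run_bypass(app_name):
    """Spawn the app with the script loaded; if spawning fails, attach to the frontmost app instead."""
    import frida  # imported lazily so the pure helpers above work without frida installed
    from importlib.metadata import version
    if not versions_ok(frida.__version__, version("frida-tools")):
        sys.exit("outdated frida/frida-tools; run: pip3 install -U frida frida-tools")
    device = frida.get_usb_device()
    apps = [(a.name, a.identifier, a.pid) for a in device.enumerate_applications()]
    identifier = find_identifier(apps, app_name)
    source = open(PINNING_SCRIPT).read()
    try:  # same as: frida -f <identifier> -U --no-pause
        pid = device.spawn([identifier])
        keep = inject(device, pid, source)
        device.resume(pid)
    except Exception as exc:  # the post's "unexpected crash" case: fall back to frida -F -U
        print(f"spawn failed ({exc}); open the app by hand, then press Enter", file=sys.stderr)
        sys.stdin.readline()
        front = device.get_frontmost_application() or sys.exit("no app in the foreground")
        keep = inject(device, front.pid, source)
    sys.stdin.read()  # keep `keep` alive until Ctrl-C, just like the frida REPL would
```

Call run_bypass("<App name>") from a Python shell on the Kali box; the three helpers at the top run without a device attached, so they can be checked before plugging in the phone.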

Hooking your device up to Burp Suite

If you haven’t already, hook your iOS device up to Burp Suite. You can follow the process here:

https://portswigger.net/support/configuring-an-ios-device-to-work-with-burp

Happy testing!
