iOS SSL Kill Switch v0.5 Released
Version 0.5 of the iOS SSL Kill Switch is now available. iOS SSL Kill Switch is a tool to disable SSL certificate validation (including certificate pinning) within iOS apps in order to facilitate black-box testing.
The main goal for this version was to add the ability to disable certificate validation within the iTunes App Store app. While working on this feature, I discovered a new way to disable certificate validation that worked on many more applications than previous versions of the tweak. As a consequence, version 0.5 of the SSL Kill Switch is a complete rewrite.
How it works
Just like the previous versions of the tool, the SSL Kill Switch uses MobileSubstrate to patch system functions. However, this new version of the tweak hooks functions within the Secure Transport API instead of hooking NSURLConnection methods and SecTrustEvaluate().
The Secure Transport API is "the lowest-level TLS implementation on iOS", which makes it an interesting target because other higher-level APIs such as NSURLConnection internally rely on the Secure Transport API for their certificate validation routines. This means that disabling SSL certificate validation in the Secure Transport API should affect most (if not all) of the network APIs available within the iOS framework.
According to the documentation, disabling or performing custom certificate validation is implemented the following way when using the Secure Transport API:
- Before starting the connection, call SSLSetSessionOption() to set the kSSLSessionOptionBreakOnServerAuth option to true on the SSL context. Setting this option to true disables the framework's built-in certificate validation to let the application perform its own certificate verification.
- Run the Secure Transport handshake as per usual using the SSLHandshake() function.
- When SSLHandshake() returns errSSLServerAuthCompleted, call SSLCopyPeerTrust() to get a trust object for the connection and use that trust object to implement whatever custom server trust evaluation you desire.
- Either continue the Secure Transport handshake by calling SSLHandshake() again, or shut down the connection.
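The four steps above, carried through as a client that pins the server's leaf certificate, are shown in the following added example. It is not code from the SSL Kill Switch project; it is the documented Secure Transport flow as an app developer would use it, so the kSSLSessionOptionBreakOnServerAuth / errSSLServerAuthCompleted / SSLCopyPeerTrust() sequence is visible end to end. The host name, port and the expected SHA-256 of the leaf certificate (kExpectedLeafSHA256, all zeros) are placeholders to be filled in; the socket read/write callbacks follow the shape Apple's SSLSetIOFuncs() expects.

```objective-c
// Added example: Secure Transport client with custom (pinned) server trust
// evaluation. Assumes Security.framework and CommonCrypto; the host, port and
// expected certificate hash below are placeholders, not values from the post.
#include <Foundation/Foundation.h>
#include <Security/Security.h>
#include <Security/SecureTransport.h>
#include <CommonCrypto/CommonDigest.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>

// PLACEHOLDER: SHA-256 of the DER encoding of the server's leaf certificate.
static const uint8_t kExpectedLeafSHA256[CC_SHA256_DIGEST_LENGTH] = { 0 };

// I/O callbacks handed to SSLSetIOFuncs(); the connection ref is the socket fd.
static OSStatus sock_read(SSLConnectionRef conn, void *data, size_t *len) {
    int fd = (int)(intptr_t)conn; size_t want = *len, got = 0;
    while (got < want) {
        ssize_t n = read(fd, (uint8_t *)data + got, want - got);
        if (n == 0) { *len = got; return errSSLClosedGraceful; }
        if (n < 0) { *len = got; return errno == EAGAIN ? errSSLWouldBlock : errSSLClosedAbort; }
        got += (size_t)n;
    }
    *len = got; return noErr;
}
static OSStatus sock_write(SSLConnectionRef conn, const void *data, size_t *len) {
    int fd = (int)(intptr_t)conn; size_t want = *len, sent = 0;
    while (sent < want) {
        ssize_t n = write(fd, (const uint8_t *)data + sent, want - sent);
        if (n < 0) { *len = sent; return errno == EAGAIN ? errSSLWouldBlock : errSSLClosedAbort; }
        sent += (size_t)n;
    }
    *len = sent; return noErr;
}

// Step 3: the app's own server trust evaluation. Chain validation is still
// performed via SecTrustEvaluate(); on top of that, the leaf must match the pin.
static BOOL leaf_is_pinned(SecTrustRef trust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) return NO;
    if (SecTrustGetCertificateCount(trust) < 1) return NO;
    CFDataRef der = SecCertificateCopyData(SecTrustGetCertificateAtIndex(trust, 0));
    if (!der) return NO;
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), digest);
    CFRelease(der);
    return memcmp(digest, kExpectedLeafSHA256, sizeof digest) == 0;
}

// Returns noErr when the handshake completed AND our pin check passed.
static OSStatus pinned_handshake(int fd, const char *host) {
    SSLContextRef ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
    SSLSetIOFuncs(ctx, sock_read, sock_write);
    SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)fd);
    SSLSetPeerDomainName(ctx, host, strlen(host));
    // Step 1: ask Secure Transport to pause, not validate, once the chain arrives.
    SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, true);
    OSStatus st;
    for (;;) {
        st = SSLHandshake(ctx);                 // Step 2: run the handshake.
        if (st == errSSLWouldBlock) continue;
        if (st != errSSLServerAuthCompleted) break;
        SecTrustRef trust = NULL;               // Step 3: fetch and evaluate trust.
        BOOL ok = (SSLCopyPeerTrust(ctx, &trust) == errSecSuccess) && trust && leaf_is_pinned(trust);
        if (trust) CFRelease(trust);
        if (!ok) { st = errSSLXCertChainInvalid; break; }
        // Step 4 (accept): loop back and call SSLHandshake() again to finish.
    }
    if (st != noErr) SSLClose(ctx);            // Step 4 (reject): tear down.
    CFRelease(ctx);
    return st;
}

int main(void) {
    const char *host = "pinned.example.invalid";   // PLACEHOLDER host
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res = NULL;
    if (getaddrinfo(host, "443", &hints, &res) != 0) return 1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) != 0) { freeaddrinfo(res); return 1; }
    freeaddrinfo(res);
    OSStatus st = pinned_handshake(fd, host);
    NSLog(@"handshake status %d (%s)", (int)st, st == noErr ? "pinned and trusted" : "rejected");
    close(fd);
    return st == noErr ? 0 : 1;
}
```

The point to notice in relation to the tweak described below is that every decision the app makes hinges on SSLHandshake() returning errSSLServerAuthCompleted: that is the only moment at which leaf_is_pinned() runs. If that return value never surfaces, the pinning code is simply never reached, while the handshake itself still completes.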
The SSL Kill Switch removes the ability to do any kind of certificate validation by hooking and modifying three functions within the Secure Transport API.
Patch SSLCreateContext(): Disable the built-in certificate validation in all SSL contexts
SSLCreateContext() is used to create a new SSL context. SSL Kill Switch modifies this function so that all new SSL contexts have the kSSLSessionOptionBreakOnServerAuth set to true by default:
Patch SSLSetSessionOption(): Remove the ability to re-enable the built-in certificate validation
SSLSetSessionOption() can be called to set the value of specific options on a given SSL context. The tweak patches this function in order to prevent the kSSLSessionOptionBreakOnServerAuth option from being set to any value. The goal here is to ensure that all SSL contexts keep the default value of true for the kSSLSessionOptionBreakOnServerAuth option (as set in the previous section):
Patch SSLHandshake(): Force a trust-all custom certificate validation
Lastly, SSLHandshake() is modified in order to prevent this function from ever returning errSSLServerAuthCompleted, which is the return value that will trigger the caller’s certificate checking/pinning code:
That's it! After patching those three functions, certificate validation was disabled in all the applications that I tried, including Safari, Twitter and Square, as well as the iTunes App Store (with a few additional steps).
Have a look at the full code by browsing to the project page on GitHub.