Convert Figma logo to code with AI

nabla-c0d3 logossl-kill-switch2

Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.

3,087
466
3,087
16
View on GitHub

Top Related Projects

datatheorem's avatar

TrustKit

2,021

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.

MobSF's avatar

Mobile-Security-Framework-MobSF

17,259

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

OWASP's avatar

owasp-mastg

11,691

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

google's avatar

nogotofail

2,935

An on-path blackbox network traffic security testing tool

frida's avatar

frida

15,995

Clone this repo to build Frida

Quick Overview

SSL Kill Switch 2 is a tool designed to disable SSL certificate validation in iOS and macOS applications. It functions as a dynamic library that can be injected into processes to bypass SSL pinning and other certificate validation mechanisms, making it useful for security researchers and developers debugging network issues.

Pros

  • Enables easy inspection of HTTPS traffic in iOS and macOS apps
  • Useful for debugging and security research purposes
  • Works with various SSL/TLS implementations, including OpenSSL and Secure Transport
  • Can be used with popular debugging tools like Frida

Cons

  • Can potentially be misused for malicious purposes if not handled responsibly
  • May not work with all applications, especially those with advanced security measures
  • Requires a jailbroken device for iOS or disabling System Integrity Protection (SIP) on macOS
  • Regular updates may be needed to keep up with OS changes and security enhancements

Code Examples

This project is not a code library but a tool, so code examples are not applicable. However, here's a brief overview of how to use it:

  1. Build the project using Xcode or the provided build script.
  2. For iOS, install the dylib on a jailbroken device and inject it into the target process.
  3. For macOS, disable SIP and use DYLD_INSERT_LIBRARIES to inject the dylib into the target process.

Getting Started

To get started with SSL Kill Switch 2:

  1. Clone the repository:

    git clone https://github.com/nabla-c0d3/ssl-kill-switch2.git

  2. Build the project:

    cd ssl-kill-switch2
./build.sh

  3. For iOS, install on a jailbroken device and use a tool like Frida to inject the dylib:

    frida-inject -n "Target App" -s ssl_kill_switch.js

  4. For macOS, disable SIP and run the target application with the dylib:

    DYLD_INSERT_LIBRARIES=./SSLKillSwitch.dylib /path/to/application

Remember to use this tool responsibly and only on applications and systems you have permission to test.

Competitor Comparisons

datatheorem logo

TrustKit

2,021

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.

Pros of TrustKit

  • Provides a comprehensive SSL pinning solution for iOS and macOS applications
  • Offers additional features like reporting and pinning configuration options
  • Actively maintained with regular updates and community support

Cons of TrustKit

  • More complex implementation compared to ssl-kill-switch2
  • Requires integration into the application code, which may not be suitable for all use cases
  • Potentially higher performance overhead due to additional features

Code Comparison

TrustKit implementation:

let trustKitConfig = [
    kTSKSwizzleNetworkDelegates: false,
    kTSKPinnedDomains: [
        "example.com": [
            kTSKPublicKeyAlgorithms: [kTSKAlgorithmRsa2048],
            kTSKPublicKeyHashes: [
                "HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
                "0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
            ]
        ]
    ]
]
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)

ssl-kill-switch2 implementation:

#import "SSLKillSwitch.h"

- (void)viewDidLoad {
    [super viewDidLoad];
    [SSLKillSwitch enableSSLKillSwitch];
}

The code comparison shows that TrustKit requires more configuration and integration into the application, while ssl-kill-switch2 offers a simpler, one-line implementation for disabling SSL certificate validation.

MobSF logo

Mobile-Security-Framework-MobSF

17,259

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Pros of Mobile-Security-Framework-MobSF

  • Comprehensive mobile app security assessment tool for both Android and iOS
  • Provides static and dynamic analysis, along with web API testing capabilities
  • Active development with frequent updates and a large community

Cons of Mobile-Security-Framework-MobSF

  • More complex setup and usage compared to ssl-kill-switch2
  • Requires more system resources due to its extensive features
  • May have a steeper learning curve for beginners

Code Comparison

ssl-kill-switch2 (Objective-C):

static void (*original_SSLSetSessionOption)(SSLContextRef context, SSLSessionOption option, Boolean value);
static void replaced_SSLSetSessionOption(SSLContextRef context, SSLSessionOption option, Boolean value) {
    // Disable certificate validation
    if (option == kSSLSessionOptionBreakOnServerAuth) {
        value = true;
    }
    original_SSLSetSessionOption(context, option, value);
}

Mobile-Security-Framework-MobSF (Python):

def apk_analysis(app_dir, tool_dir, app_path, manifest_file):
    """Perform APK Analysis."""
    try:
        logger.info('APK Analysis Started')
        qark = os.path.join(tool_dir, 'qark', 'qark', 'qark.py')
        args = [
            'python3', qark,
            '--java', app_dir,
            '--apk', app_path,
            '-m', manifest_file,
            '-a', app_dir,
            '-r', os.path.join(app_dir, 'qark'),
        ]
        subprocess.call(args)
        logger.info('APK Analysis Completed')
    except Exception:
        logger.exception('APK Analysis')
OWASP logo

owasp-mastg

11,691

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

Pros of owasp-mastg

  • Comprehensive mobile app security testing guide covering both Android and iOS
  • Regularly updated with community contributions and industry best practices
  • Includes detailed testing procedures, code examples, and security recommendations

Cons of owasp-mastg

  • Larger project scope, which may be overwhelming for specific SSL/TLS testing needs
  • Requires more time to navigate and find relevant information for SSL/TLS bypassing
  • Not focused solely on SSL/TLS certificate pinning bypass techniques

Code Comparison

ssl-kill-switch2:

%hook NSURLSessionTask
- (void)resume {
    %orig;
    [SSLKillSwitch swizzleNSURLSessionTaskResume:self];
}
%end

owasp-mastg:

@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    try {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            ((X509TrustManager) tm).checkServerTrusted(chain, authType);
        }
    } catch (Exception e) {
        throw new CertificateException(e);
    }
}

The ssl-kill-switch2 code focuses on swizzling NSURLSessionTask for SSL pinning bypass, while the owasp-mastg example demonstrates a more general approach to custom certificate validation in Android.

google logo

nogotofail

2,935

An on-path blackbox network traffic security testing tool

Pros of nogotofail

  • Broader scope: Focuses on network security testing beyond just SSL/TLS
  • Cross-platform support: Works on various operating systems and devices
  • Active development: More recent updates and contributions

Cons of nogotofail

  • More complex setup: Requires additional components and configuration
  • Steeper learning curve: Less straightforward for beginners
  • Not specifically tailored for iOS SSL/TLS manipulation

Code Comparison

ssl-kill-switch2 (Objective-C):

%hook NSURLSessionTask
- (void)resume {
    if (shouldHookNSURLSessionTask()) {
        [self setValue:[NSNumber numberWithBool:YES] forKey:@"_kCFStreamPropertySSLPeerCertificatesEnabled"];
    }
    %orig;
}
%end

nogotofail (Python):

def on_ssl(self, client_hello):
    if self.mitm_params.get("strip_heartbleed"):
        return client_hello.modify(
            extensions=client_hello.extensions.filter(
                lambda x: x.type != 15
            )
        )
    return client_hello

The code snippets demonstrate the different approaches: ssl-kill-switch2 focuses on iOS-specific SSL/TLS manipulation, while nogotofail provides a more general network security testing framework.

frida logo

frida

15,995

Clone this repo to build Frida

Pros of Frida

  • More versatile and powerful, supporting dynamic instrumentation across multiple platforms and languages
  • Actively maintained with frequent updates and a large community
  • Offers a rich API for complex runtime manipulation and analysis

Cons of Frida

  • Steeper learning curve due to its extensive features and capabilities
  • Requires more setup and configuration for specific use cases
  • May have a larger performance overhead for simple tasks

Code Comparison

SSL-Kill-Switch2 (Objective-C):

static void (*original_SSLSetSessionOption)(SSLContextRef context, SSLSessionOption option, Boolean value);
static void replaced_SSLSetSessionOption(SSLContextRef context, SSLSessionOption option, Boolean value) {
    if (option == kSSLSessionOptionBreakOnServerAuth) {
        value = true;
    }
    original_SSLSetSessionOption(context, option, value);
}

Frida (JavaScript):

Interceptor.attach(Module.findExportByName(null, 'SSLSetSessionOption'), {
  onEnter: function(args) {
    if (args[1].toInt32() === 0) { // kSSLSessionOptionBreakOnServerAuth
      args[2] = ptr(1);
    }
  }
});

SSL-Kill-Switch2 focuses specifically on disabling SSL certificate validation in iOS apps, while Frida provides a more general-purpose framework for dynamic instrumentation and modification of running processes across multiple platforms.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

SSL Kill Switch 2

Blackbox tool to disable SSL/TLS certificate validation - including certificate pinning - within iOS and macOS applications. Second iteration of https://github.com/iSECPartners/ios-ssl-kill-switch .

Description

Once loaded into an iOS or macOS application, SSL Kill Switch 2 will patch low-level functions responsible for handling SSL/TLS connections in order to override and disable the system's default certificate validation, as well as any kind of custom certificate validation (such as certificate pinning).

It was successfully tested against various applications implementing certificate pinning including the Apple App Store. The first version of SSL Kill Switch was released at Black Hat Vegas 2012.

The most recent version iOS that is known to be supported is 14.2.

iOS Instructions

On iOS, SSL Kill Switch 2 can be installed as a Cydia Subtrate tweak on a jailbroken device.

WARNING: THIS TWEAK WILL MAKE YOUR DEVICE INSECURE

Installing SSL Kill Switch 2 allows anyone on the same network as the device to easily perform man-in-the-middle attacks against any SSL or HTTPS connection. This means that it is trivial to get access to emails, websites viewed in Safari and any other data downloaded by any App running on the device.

Installation

The following dependencies should be installed using Cydia:

  • Debian Packager
  • Cydia Substrate
  • PreferenceLoader

Then, download the latest pre-compiled package available in the release tab of the SSL Kill Switch 2's GitHub page. Copy it to the device, install it and respring the device:

dpkg -i <package>.deb
killall -HUP SpringBoard

There should be a new menu in the device's Settings where you can enable the extension. Finally, kill and restart the App you want to test.

The tweak can later be uninstalled using:

dpkg -r com.nablac0d3.SSLKillSwitch2

Intercepting the App Store's traffic

Lots of people have asked about how to intercept the App Store's traffic using SSL Kill Switch 2. I wrote down some instructions here but there are now outdated: http://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/

Intercepting with Charles Proxy

By default, SSL Kill Switch will disrupt the Charles Proxy iOS app and you will not be able to proxy any network traffic with it. To fix this, add the Charles Proxy app (com.xk72.Charles) to the list of excluded bundle IDs in the SSL Kill Switch config:

Charles proxy

Build

The build requires the Theos suite to be installed available at http://www.iphonedevwiki.net/index.php/Theos/Getting_Started .

Then, within SSL Kill Switch 2's root foler, create a symlink to your theos installation:

ln -s /<path_to_your_theos_folder> theos

Make sure dpkg is installed. If you have Homebrew, use:

brew install dpkg

Then, the SSL Kill Switch 2 Debian package can be built using:

make package

macOS Instructions

SSL Kill Switch 2 can be used in macOS applications as a dynamic library to be injected into processes.

WARNING: THIS HAS NOT BEEN TESTED ON RECENT VERSIONS OF MACOS

Usage

On macOS, the SSLKillSwitch library needs to be manually injected into the process where SSL pinning needs to be disabled. Once injected, it will automatically override and disable SSL validation.

There are several ways to do this including:

  • Starting the process with LLDB or in Xcode Debug->Attach to process then pause, and load SSLKillSwitch using dlopen():

      (lldb) expr (void*)dlopen("/path/to/build/SSLKillSwitch.framework/Versions/A/SSLKillSwitch", 1)

    Expected result is a non-zero pointer:

      (void *) $1 = 0x00007f92e74d10c0

    If you receive a zero pointer then you may need to enable code-signing and build for profiling then use the binary in the release folder, and even may have to copy the binary to the app's resources folder. In which case you would have seen a sandbox read violation output to console. To test a new version of the binary you need to kill the app and load it in again.

  • Using DYLD_INSERT_LIBRARIES to inject SSLKillSwitch and start the process.

Restricted Apps

TBD

Build

Use the Xcode project to build SSL Kill Switch 2 for macOS. The compiled library will then be available in Products/SSLKillSwitch.framework/Versions/A/SSLKillSwitch. This is the binary that you need to inject in the process where you want to disable SSL pinning.

Changelog

  • v0.14: Added support for iOS 13.
  • v0.13: Added support for iOS 12.
  • v0.12: Added support for iOS 11.
  • v0.11: Added support for iOS 10.
  • v0.10: Added support for proxy-ing CocoaSPDY Apps (ie. Twitter iOS).
  • v0.9: Extended the MobileLoader filter to simplify the proxy-ing of the Apple App Store application.
  • V0.8: Added support for iOS 9.
  • v0.7: Renamed tool to SSL Kill Switch 2; added support for macOS applications and TrustKit.
  • v0.6: Added support for iOS 7.
  • v0.5: Complete rewrite in order to add support for proxy-ing Apple's App Store application.
  • v0.4: Added hooks for SecTrustEvaluate().
  • v0.3: Bug fixes and support for iOS 6.
  • v0.2: Initial release.

License

MIT - See ./LICENSE.

Author

Alban Diquet - @nabla_c0d3