diff --git a/README.md b/README.md
index c5f4f3b..11e1a39 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,7 @@ that you need to inject in the process where you want to disable SSL pinning.
 Changelog
 ---------
+* v0.10: Added support for proxy-ing [CocoaSPDY][https://github.com/twitter/CocoaSPDY] Apps (ie. Twitter iOS).
 * v0.9: Extended the MobileLoader filter to simplify the proxy-ing of the Apple App Store application.
 * V0.8: Added support for iOS 9.
 * v0.7: Renamed tool to SSL Kill Switch 2; added support for OS X Apps and TrustKit.
diff --git a/SSLKillSwitch/SSLKillSwitch.m b/SSLKillSwitch/SSLKillSwitch.m
index 008d852..0e804d9 100644
--- a/SSLKillSwitch/SSLKillSwitch.m
+++ b/SSLKillSwitch/SSLKillSwitch.m
@@ -121,6 +121,35 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
 }
+#pragma mark CocoaSPDY hook
+
+static void (*oldSetTLSTrustEvaluator)(id self, SEL _cmd, id evaluator);
+
+static void newSetTLSTrustEvaluator(id self, SEL _cmd, id evaluator)
+{
+ // Set a nil evaluator to disable SSL validation
+ oldSetTLSTrustEvaluator(self, _cmd, nil);
+}
+
+static void (*oldSetprotocolClasses)(id self, SEL _cmd, NSArray *protocolClasses);
+
+static void newSetprotocolClasses(id self, SEL _cmd, NSArray *protocolClasses)
+{
+ // Do not register protocol classes which is how CocoaSPDY works
+ // This should force the App to downgrade from SPDY to HTTPS
+}
+
+static void (*oldRegisterOrigin)(id self, SEL _cmd, NSString *origin);
+
+static void newRegisterOrigin(id self, SEL _cmd, NSString *origin)
+{
+ // Do not register protocol classes which is how CocoaSPDY works
+ // This should force the App to downgrade from SPDY to HTTPS
+}
+
+
+
+
 #pragma mark Dylib Constructor
 __attribute__((constructor)) static void init(int argc, const char **argv)
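Review bot: The comment inside `newRegisterOrigin` is a copy of the one in `newSetprotocolClasses` and does not describe that replacement, which discards a `registerOrigin:` call rather than a protocol-class registration. Both replacements are empty bodies that never call the saved `old…` implementation, and `newSetprotocolClasses` discards the whole array it receives, so any non-SPDY `NSURLProtocol` subclasses the App passes would be dropped too and the App under test may behave differently from production. I would state that at the definition, e.g. `// Intentionally a no-op: the caller's protocolClasses array is discarded in full, not only SPDY classes`, and give `newRegisterOrigin` its own comment such as `// Intentionally a no-op: the origin passed to registerOrigin: is never registered`. The lower-case `p` in `oldSetprotocolClasses`/`newSetprotocolClasses` also breaks the camelCase used by the other hook names.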
@@ -131,9 +160,26 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
 {
 // Substrate-based hooking; only hook if the preference file says so
 SSKLog(@"Subtrate hook enabled.");
+
+ // SecureTransport hooks
 MSHookFunction((void *) SSLHandshake,(void *) replaced_SSLHandshake, (void **) &original_SSLHandshake);
 MSHookFunction((void *) SSLSetSessionOption,(void *) replaced_SSLSetSessionOption, (void **) &original_SSLSetSessionOption);
 MSHookFunction((void *) SSLCreateContext,(void *) replaced_SSLCreateContext, (void **) &original_SSLCreateContext);
+
+ // CocoaSPDY hooks - https://github.com/twitter/CocoaSPDY
+ // TODO: Enable these hooks for the fishhook-based hooking so it works on OS X too
+ Class spdyProtocolClass = NSClassFromString(@"SPDYProtocol");
+ if (spdyProtocolClass)
+ {
+ // Disable trust evaluation
+ MSHookMessageEx(object_getClass(spdyProtocolClass), NSSelectorFromString(@"setTLSTrustEvaluator:"), (IMP) &newSetTLSTrustEvaluator, (IMP *)&oldSetTLSTrustEvaluator);
+
+ // CocoaSPDY works by getting registered as a NSURLProtocol; block that so the Apps switches back to HTTP as SPDY is tricky to proxy
+ Class spdyUrlConnectionProtocolClass = NSClassFromString(@"SPDYURLConnectionProtocol");
+ MSHookMessageEx(object_getClass(spdyUrlConnectionProtocolClass), NSSelectorFromString(@"registerOrigin:"), (IMP) &newRegisterOrigin, (IMP *)&oldRegisterOrigin);
+
+ MSHookMessageEx(NSClassFromString(@"NSURLSessionConfiguration"), NSSelectorFromString(@"setprotocolClasses:"), (IMP) &newSetprotocolClasses, (IMP *)&oldSetprotocolClasses);
+ }
 }
 else
 {
diff --git a/layout/DEBIAN/control b/layout/DEBIAN/control
index cec63f2..23f49e7 100644
--- a/layout/DEBIAN/control
+++ b/layout/DEBIAN/control
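Review bot: `spdyUrlConnectionProtocolClass` goes into `object_getClass()` and on to `MSHookMessageEx` without a nil check, unlike `spdyProtocolClass` a few lines above, so an App that ships `SPDYProtocol` without `SPDYURLConnectionProtocol` gets a hook installed against a Nil class inside the host process. Guard it the same way, `if (spdyUrlConnectionProtocolClass) { … }`, and emit an `SSKLog` line when a lookup fails so the tester can see which hooks were installed. The selector string `@"setprotocolClasses:"` also looks misspelled: the setter generated for a `protocolClasses` property is `setProtocolClasses:`, so this third hook probably never attaches and should be checked. These lines sit inside `init`, which starts before the hunk and continues after it.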
@@ -1,7 +1,7 @@
 Package: com.nablac0d3.SSLKillSwitch2
 Name: SSL Kill Switch 2
 Depends: mobilesubstrate, preferenceloader
-Version: 0.9
+Version: 0.10
 Architecture: iphoneos-arm
 Description: Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
 Maintainer: Alban Diquet