// SSL Pinning Bypass iOS - Frida Script
// Coverage: SecTrustEvaluate, NSURLSession, BoringSSL
//
// Frida agent script (runs inside the instrumented process, not under Node):
// it replaces the trust-evaluation entry points below so that every
// certificate check reports success while the session is attached. All hooks
// are installed unconditionally at load time and nothing here ever calls
// Interceptor.revert, so they stay active for the lifetime of the session.
//
// NOTE(review): despite the header, no NSURLSession selector is hooked in this
// script; presumably that path is covered only through the Security.framework
// and BoringSSL functions hooked below — confirm against the target.
console.log("[*] Iniciando SSL Bypass para iOS...");
// BoringSSL verify mode (0); also the value the custom verify callback below returns.
const SSL_VERIFY_NONE = 0;
// --- SecTrustEvaluate ---
// Symbol lookup across all loaded modules; returns null when the export is
// absent, so each hook is skipped instead of crashing the agent.
const trustEvaluate = Module.findExportByName(null, "SecTrustEvaluate");
if (trustEvaluate) {
// The replacement never calls the original: the result is forced and the
// real chain evaluation is skipped entirely.
Interceptor.replace(trustEvaluate, new NativeCallback(function (trustRef, resultPtr) {
console.log("[*] SecTrustEvaluate interceptado");
if (!resultPtr.isNull()) {
Memory.writeU32(resultPtr, 1); // kSecTrustResultProceed
}
return 0; // errSecSuccess
}, 'int', ['pointer', 'pointer']));
}
// Newer API variant (returns a bool, error reported through the out-param).
const trustEvaluateWithError = Module.findExportByName(null, "SecTrustEvaluateWithError");
if (trustEvaluateWithError) {
// Always reports success; the `error` out-parameter is left untouched.
Interceptor.replace(trustEvaluateWithError, new NativeCallback(function (trust, error) {
console.log("[*] SecTrustEvaluateWithError interceptado");
return 1; // true
}, 'bool', ['pointer', 'pointer']));
}
// --- CFNetwork (optional) ---
const cfSetAllowsAny = Module.findExportByName(null, "CFURLConnectionSetAllowsAnyHTTPSCertificate");
if (cfSetAllowsAny) {
// Replacement body is a log line only: the original call is dropped, its
// arguments are not forwarded.
Interceptor.replace(cfSetAllowsAny, new NativeCallback(function (conn, host) {
console.log("[*] CFURLConnectionSetAllowsAnyHTTPSCertificate interceptado");
}, 'void', ['pointer', 'pointer']));
}
// --- BoringSSL (only if present) ---
// Process.getModuleByName throws when the library is not loaded; the catch
// below turns that into a log line. Note that the same catch also swallows
// any other exception raised inside this block (e.g. a failed NativeFunction
// construction) under the same "not present" message.
try {
const boring = Process.getModuleByName("libboringssl.dylib");
const setVerifyPtr = boring.findExportByName("SSL_set_custom_verify");
const getPskPtr = boring.findExportByName("SSL_get_psk_identity");
if (setVerifyPtr) {
// NativeFunction on the same address as the replacement installed below;
// per Frida's Interceptor.replace contract, calling the target through a
// NativeFunction from inside the replacement reaches the original code.
const SSL_set_custom_verify = new NativeFunction(setVerifyPtr, 'void', ['pointer', 'int', 'pointer']);
// Verify callback handed to BoringSSL in place of the app's own.
// NOTE(review): assumes BoringSSL treats a 0 return from the custom verify
// callback as "verified" (ssl_verify_ok) — confirm for the target build.
const verifyCallback = new NativeCallback(function (ssl, alert) {
console.log("[*] SSL verify callback ejecutado");
return SSL_VERIFY_NONE;
}, 'int', ['pointer', 'pointer']);
// Keeps the app's `mode` but substitutes its callback `cb` with verifyCallback,
// so whatever verification the app registered is never invoked.
Interceptor.replace(setVerifyPtr, new NativeCallback(function (ssl, mode, cb) {
console.log("[*] Reemplazando SSL_set_custom_verify");
SSL_set_custom_verify(ssl, mode, verifyCallback);
}, 'void', ['pointer', 'int', 'pointer']));
}
if (getPskPtr) {
// Returns a freshly allocated C string instead of the real PSK identity.
// NOTE(review): no JS reference to the allocation is retained after return;
// Frida frees Memory.alloc* buffers once unreferenced — confirm the lifetime
// is adequate for the caller.
Interceptor.replace(getPskPtr, new NativeCallback(function (ssl) {
console.log("[*] SSL_get_psk_identity interceptado");
return Memory.allocUtf8String("notarealPSKidentity");
}, 'pointer', ['pointer']));
}
} catch (e) {
console.log("[-] libboringssl.dylib no presente o no cargado");
}
console.log("[+] SSL Bypass cargado correctamente.");
https://codeshare.frida.re/@Andr3sM12/ssl-ios-jun25/
Frida CodeShare
codeshare.frida.re
https://www.redfoxsec.com/blog/bypassing-ssl-pinning-on-ios-applications
Bypassing SSL Pinning on iOS Applications: A Complete Pentesting Guide
Learn how to bypass SSL pinning on iOS applications using tools like Frida, Objection, and SSL Kill Switch 2. A practical, command-driven guide for penetration testers and security researchers.
www.redfoxsec.com
