Navigate back to the homepage

Bypass Instagram SSL Certificate Pinning for iOS

Hassan
May 5th, 2020 · 3 min read

Once again, with another iOS app, and this time we will go through the Instagram iOS app trying to bypass its SSL Certificate Pinning protection.


DISCLAIMER: The articles, tutorials, and demos provided on this blog are for informational and educational purposes only, and for those who’re willing and curious to know and learn about Ethical Hacking, Cybersecurity, and Penetration Testing. You shall not misuse the information to gain unauthorized access or any other illegal use.


SSL Pinning

We have mentioned previously in Bypass Facebook SSL Certificate Pinning for iOS blog, the meaning of SSL Pinning, and the importance of implementing it.

Now let’s download the latest version of the Instagram iOS app and step up an HTTP proxy from Wi-Fi settings.

instagram ios v140

Open Burp Suite and configure your proxy options. Then, open the Instagram app and trying to login. If you are using the latest version of Burp Proxy v2020.4 now supports TLS 1.3, you will see a this message in your Dashboard -> Event log tab:

BS v2020 4

Also, your Instagram app will show you a this alert:

insta alert

That’s because of their SSL Certificate Pinning protection which must be bypassed to be able to intercept requests and responses from their server.

Reverse Engineering

Let’s get the decrypted IPA for the app to reverse-engineer it. Using Frida iOS Dump you will be able to pull the app IPA from your jailbroken iPhone. After the script finish, change the app extension from .ipa to .zip then uncompress it.

1$ mv Instagram.ipa Instagram.zip
2$ unzip Instagram.zip

We need to locate the binary that has the SSL Pinning implementation to reverse it. A good way to locate it by using a tools like grep or ack to search for strings that indicate the validation process inside the extracted Payload folder. From the app alert message, we can use strings like OpenSSL, verify error, signed certificate, and verifier failure.

1$ grep -rins "verify error" .
2Binary file ./Instagram.app/Frameworks/FBSharedFramework.framework/FBSharedFramework matches

A Mach-O 64-bit shared library binary file called FBSharedFramework was found. It seems the one we found in the Facebook app but less size. We will use Hopper Disassembler to open the binary file.

A good start is to search with the alert error shown on the app. So, we will try to find the branch that responsible for OpenSSL cert verify error.

hopper search

We found a match result for our string search. Click on it will navigate us to its location at the __cstring segment which contains all of the strings that are included in the application source code and their hexadecimal offsets.

aOpensslCertVer

To locate where the string is used in Hopper you can double-click on the cross-reference (XREF) to move to where the string is referenced in the binary.

branch code

Now we need to gain a better understanding of the code logic that responsible for SSL Pinning using the control flow graph (CFG).

CFG
control flow graph

Our mission is to avoid reaching the OpenSSL branch so that the app can work normally without any error alerts.

full CFG

After analyzing the control flow graph (CFG) starting from your bottom branch, it seems very similar to the one that we found in the Facebook app. We can found the same isolated branch that doesn’t reach the OpenSSL cert verify error branch.

branch sol

We have to invert the b.ne (short for “Branch if Not Equal”) instruction which branches, or “jumps”, to the address specified if, and only if the zero flag is clear, to the b.eq (short for “Branch if Not Equal”) instruction which branches, or “jumps”, to the address specified if, and only if the zero flag is clear. So, instead of entering to loc_22031c branch that causing the OpenSSL cert verify error, it entering the valid branch.

Binary Patching

line

A simple way to do this is by copying the hex encoding for the instruction that we want to change, then past it in an online HEX to ARM converter to get its ARM64 instruction. Then, copy the instruction you got and change it from B.NE to B.EQ as we want it to be. Past it in an online ARM to HEX converter to get our new ARM64 HEX values, as we explained in Bypass Facebook SSL Certificate Pinning for iOS blog.

Now, all we have to do is changing the instruction encoding for b.ne from 41 0C 00 54 to 40 0C 00 54 using the hex editor in hopper.

hex edit

Then, save and extract our new binary, from File Menu -> Choose Produce New Executable and replace the new executable with the old one in the same app directory. Now, let’s compress our new Payload folder and change to an IPA again.

1$ zip -r Instagram.zip Payload
2$ mv Instagram.zip Instagram.ipa

Copy the new IPA to your jailbroken iPhone using iFunbox and install it using Filza File Manager.

instagram app

Intercepting

After a successful installation for the modified application, let’s open it and login when we intercepting the requests using Burp Suite.

burp suite

Now we can intercept all the requests and find interesting vulnerabilities at new endpoints then submit them to Facebook Bug Bounty Program.

More articles from Cyclon3

Bypass Facebook SSL Certificate Pinning for iOS

If you tried to intercept requests from the Facebook app on iOS using a proxy, you will be hitting by their message alert The operation…

May 3rd, 2020 · 4 min read

It's Never Too Late

Hello everyone, my name is Hassan Mostafa, and I am a Security Engineer. I always wanted to make my blog to share my knowledge and…

May 2nd, 2020 · 1 min read
© 2020 Cyclon3
Link to $https://twitter.com/_Cyclon3Link to $mailto:me@cyclon3.com