[HN Gopher] Cracking Meta's Messenger Certificate Pinning on macOS
___________________________________________________________________
Cracking Meta's Messenger Certificate Pinning on macOS
Author : KishanBagaria
Score : 132 points
Date : 2024-03-05 21:25 UTC (1 hour ago)
(HTM) web link (texts.blog)
(TXT) w3m dump (texts.blog)
| dvt wrote:
| Very clever way of doing this (though I have a feeling you could
| probably enforce pinning even in sandboxed mode). I remember
| trying to MitM Snapchat back in college and couldn't figure it
| out as they were also using cert pinning.
| 4death4 wrote:
| Fundamentally, it's hard to enforce certificate pinning if the
| user can modify the binary. Even if sandbox mode used
| certificate pinning, there would likely be some other way of
| removing the pinned cert checks.
| detourdog wrote:
| This is a large part of Apple's control/Secure Enclave
| decisions. These decisions can seem arbitrary and anti-
| competitive from the outside.
| dvt wrote:
| > there would likely be some other way of removing the pinned
| cert checks
|
| Yes, but it's _significantly_ harder than flipping a bit.
| There are also clever ways of countering this (e.g.
| checksumming the public key). Of course, even this is
| _technically_ hackable, but extremely time-consuming in
| practice.
| Thaxll wrote:
| It prevents very basic RE / MITM.
| julkali wrote:
| I tried the same thing, and while I managed to patch the
| application and intercept the requests, I gave up when trying
| to RE the shared object responsible for request signing. I
| couldn't even find the entry point. For a relatively small
| social media app they had insane security already back in 2015.
| bevekspldnw wrote:
| Ha, I found myself going down a similar route and threw in the
| towel once I was trying to decompile/edit/recompile. This is
| dedication, would love to know the hours involved. I set myself a
| cutoff and stuck to it.
| ridafkih wrote:
| This was initially an internal post at Texts.com that we
| decided to share, and I scrapped mention of the fact I had
| tried the exact same approach a few weeks prior and reached my
| time-box as well.
|
| I initially spent two hours trying to modify different
| instructions, and then gave up. I saw another blog post written
| by a reverse engineer by the name of "Hassan Mostafa" (aka
| cyclon3) that previously succeeded in the same approach (taking
| Hopper Disassembler to Instagram on iOS) and I was inspired to
| try again that night, but I had no luck. I even found and
| attempted to modify the same instructions.
|
| I decided to call it quits, and then a few weeks later with a
| bit of a grudge, I spontaneously tried again and I had it done
| in about 30 minutes after finding the sandbox function.
| bevekspldnw wrote:
| Ok, that makes sense! Sometimes when you read a blog post
| that is well written and cogent it makes it feel like the
| author did it in 20 min!
|
| If I end up in the same arena I think I'll look for debugging
| code next. I love certificate pinning as a user, but as a
| forensic analyst I fucking loathe it.
| sneak wrote:
| I remember the first time I ever cracked an app, I was so
| convinced I would fail, but it turns out that finding these sorts
| of easy-to-modify JNE/JEZ spots is easier than it seems. Even if
| you pick wrong you can just revert to the original file and try a
| different spot.
|
| I imagine this would be something that AI will be able to do
| easily in an automated fashion, you can literally just try
| flipping the JEZ/JNZ in a bunch of candidate spots and launching
| the app and seeing if the nag screen comes up.
___________________________________________________________________
(page generated 2024-03-05 23:00 UTC)