Not working with Apple Push Service (apsd)

[a3135134]

Hi,
I'm trying to decrypt the SSL traffic of Apple's Home App (official homekit app). After installing the newest SSL-Kill-Swich2, I thought I killed related process (e.g. , apsd, homed), but it didn't work. I still got the Handshake failed error: the client may not trust proxy's certificate for courier.push.apple.com.
Could anyone provide any ideas on this issue? Can ssl-kill hook Apple's push service?
Thanks!

[a3135134]

In addition, from the log on Xcode, I saw that "apsd" got error in SSL Handshake and the error still continously occurred though I killed the apsd process.

(I'm using IOS 12.2)

[a3135134]

Well, I use Frida and hook the SecTrustEvaluate(), it works.

Reference:https://kov4l3nko.github.io/blog/2018-05-27-sll-pinning-hook-sectrustevaluate/

[philok93]

Hi @a3135134 , I keep have the same problem even after hooking with Frida. Are you sure that you get the response from Charles with Frida hook? I still have the problem of SSL failed.
I tried hooking with cydia substrate but no solution. Charles shows error in the requests going to icloud. (iOS 12.4)
I appreciate any help, thank you!

[a3135134]

Hi @a3135134 , I keep have the same problem even after hooking with Frida. Are you sure that you get the response from Charles with Frida hook? I still have the problem of SSL failed.
I tried hooking with cydia substrate but no solution. Charles shows error in the requests going to icloud. (iOS 12.4)
I appreciate any help, thank you!

Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw SSL connection (like courier.apple.com) established successfully in mitmdump, however, the server of Apples didn't response to the client's message! I even saw the client sent the first message to server in wireshark, and the client shutdown the connection because of no response from server. It it said that the server also checks the certificate of client. Even though I configured the client's certificate in mitmproxy, it didn't work.

[philok93]

Hi @a3135134 , I keep have the same problem even after hooking with Frida. Are you sure that you get the response from Charles with Frida hook? I still have the problem of SSL failed.
I tried hooking with cydia substrate but no solution. Charles shows error in the requests going to icloud. (iOS 12.4)
I appreciate any help, thank you!

Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw SSL connection (like courier.apple.com) established successfully in mitmdump, however, the server of Apples didn't response to the client's message! I even saw the client sent the first message to server in wireshark, and the client shutdown the connection because of no response from server. It it said that the server also checks the certificate of client. Even though I configured the client's certificate in mitmproxy, it didn't work.

I face the same problem, even configuring client and server certificates for authentication, I don't get response from apple servers. Maybe apsd uses low-level ssl certificate check or I don't know what should be the reason. For sure certificates are hardcoded in apsd and frida doesn't work for low level hook functions (at least what I understand). Did you find any other daemon that tries to authenticate with apple?

[a3135134]

Hi @a3135134 , I keep have the same problem even after hooking with Frida. Are you sure that you get the response from Charles with Frida hook? I still have the problem of SSL failed.
I tried hooking with cydia substrate but no solution. Charles shows error in the requests going to icloud. (iOS 12.4)
I appreciate any help, thank you!

Yes, it worked when I hooked SecTrustEvaluate() in apsd. I saw SSL connection (like courier.apple.com) established successfully in mitmdump, however, the server of Apples didn't response to the client's message! I even saw the client sent the first message to server in wireshark, and the client shutdown the connection because of no response from server. It it said that the server also checks the certificate of client. Even though I configured the client's certificate in mitmproxy, it didn't work.

I face the same problem, even configuring client and server certificates for authentication, I don't get response from apple servers. Maybe apsd uses low-level ssl certificate check or I don't know what should be the reason. For sure certificates are hardcoded in apsd and frida doesn't work for low level hook functions (at least what I understand). Did you find any other daemon that tries to authenticate with apple?

I'm sure the client trust the proxy's certificate after hooking by Frida because I saw the first message from apsd clientin my proxy. I also hooked imagent, cloudd, identityservicesd and there was no error from my mitm proxy. However, I still face that problem: the server didn't response in that established ssl connection from my proxy. Carefully inspecting the traffics may throw some lights upon this strange behavior?
Instead, now I'm considering to hook the functions that deal with the messages, e.g., SSL_read() and SSL_write(), to read the plaintext from apsd, though I have not been able to find the correct functions yet. Did you consider this method?

[philok93]

I didn't try hooking SSL_read() function but it may be a solution for this problem. I need to do some research first to find the correct functions that do the pinning. At least when I enable SSL -kill-switch it disables pinning for some icloud requests but not those we want.