Cracking Meta's Messenger Certificate Pinning on macOS

490 points by KishanBagaria, about 1 year ago

18 comments

bevekspldnw, about 1 year ago
Ha, I found myself going down a similar route and threw in the towel once I was trying to decompile/edit/recompile. This is dedication, would love to know the hours involved. I set myself a cutoff and stuck to it.
Comment #39610057 not loaded
farnulfo, about 1 year ago
It seems that with eBPF you can read data before TLS encryption: Debugging with eBPF Part 3: Tracing SSL/TLS connections https://blog.px.dev/ebpf-openssl-tracing/
Comment #39617881 not loaded
Comment #39617492 not loaded
dvt, about 1 year ago
Very clever way of doing this (though I have a feeling you could probably enforce pinning even in sandboxed mode). I remember trying to MitM Snapchat back in college and couldn't figure it out as they were also using cert pinning.
Comment #39610145 not loaded
Comment #39610040 not loaded
Comment #39610443 not loaded
Comment #39610259 not loaded
rollulus, about 1 year ago
This made me think back to the days of +Orc [1]. I believe a lot of knowledge common back then, like how to find and nop out an undesired branch, has been lost. Which is fair, there's way more other tech to learn nowadays.

[1]: https://en.m.wikipedia.org/wiki/Old_Red_Cracker
Comment #39615196 not loaded
rs_rs_rs_rs_rs, about 1 year ago
You don't really need to do that if you want to intercept Meta apps traffic.

https://www.facebook.com/whitehat/bugbounty-education/261571715763453/?helpref=topq
Comment #39612762 not loaded
NSHkr_hn, about 1 year ago
Would a runtime binary checksum have helped to complicate such modification? Isn't this SOP for mobile apps? Do iOS or Android SDKs provide such facilities? Presumably associated with the official release process and enforced on their respective non-jailbroken platforms?

Basic questions, admittedly. Just noticed that the final solution was to simply modify a few bytes of the binary, which seemed preventable.
Comment #39610968 not loaded
Comment #39611157 not loaded
oefrha, about 1 year ago
Seems Meta's (or at least Messenger's) RE defense is quite lenient here. Should be trivial for them to drop IsUsingSandbox() from prod builds entirely, and that's before we get into advanced obfuscation techniques.
Comment #39612390 not loaded
Comment #39612546 not loaded
sneak, about 1 year ago
I remember the first time I ever cracked an app, I was so convinced I would fail, but it turns out that finding these sorts of easy-to-modify JNE/JEZ spots is easier than it seems. Even if you pick wrong you can just revert to the original file and try a different spot.

I imagine this would be something that AI will be able to do easily in an automated fashion; you can literally just try flipping the JEZ/JNZ in a bunch of candidate spots and launching the app and seeing if the nag screen comes up.
Comment #39610326 not loaded
Comment #39612437 not loaded
protoman3000, about 1 year ago
How come applications from such big players are not completely obfuscated and don't have all kinds of other protections in them to e.g. deny modified binaries from running?
Comment #39611526 not loaded
Comment #39610453 not loaded
Comment #39613823 not loaded
Comment #39610394 not loaded
Comment #39612554 not loaded
Comment #39611710 not loaded
Comment #39610886 not loaded
tru3_power, about 1 year ago
What proxy tool are you using in that write-up? Does it route all application traffic through it when running? Sorry if these are dumb questions.
Comment #39611552 not loaded
simonw, about 1 year ago
I'm really glad this is possible, because it's important for dispelling conspiracy theories.

Plenty of people are convinced that Facebook's apps spy on them through their microphone and use that to show them targeted ads.

The easiest way to disprove this is to monitor the traffic between the apps and Facebook's servers... but certificate pinning prevents this!

(Not that anyone who believes this can ever be talked out of it, see https://simonwillison.net/2023/Dec/14/ai-trust-crisis/#facebook-dont-spy-microphone - but it's nice to know that we can keep tabs on this kind of thing anyway)
Comment #39610736 not loaded
Comment #39610801 not loaded
Comment #39611159 not loaded
justin101, about 1 year ago
I am curious about the legality of this. I guess I assumed that doing this type of thing would technically be a DMCA-type breach? So this makes me wonder if my assumption is wrong? How does this work legally?
Comment #39614740 not loaded
Comment #39620938 not loaded
Comment #39614480 not loaded
wkat4242, about 1 year ago
Good reminder that no app is truly ever "closed source"; after all, there is still the compiled machine code. People used to hand code in this language.

Though I'm personally glad we no longer have to :) it's still way more difficult and compilers can really obfuscate the code (if it isn't already by design)
Razengan, about 1 year ago
Does anyone know WHERE the HELL Facebook stores tracking data on iOS?

It shows my previous account even after I delete the app, clear the cache and Keychain, disable iCloud Drive, AND sign out of iCloud??

Why can't I see where this data is stored? Same for TikTok.

WHY does Apple, parading around as a pompous paragon of privacy, even allow this shit?
Comment #39614279 not loaded
kuter, about 1 year ago
I did something similar for Instagram on Android a few years ago. The usual methods for bypassing certificate pinning didn't work on Instagram; they were statically linking OpenSSL into a shared library called libcoldstart.so. I spent some time reading OpenSSL documentation and ended up installing a hook to the function that configured the certificate verification.

In case you are curious, I used Frida for installing hooks to native functions.
Comment #39615583 not loaded
spullara, about 1 year ago
I can see an argument that software's communication over the network must be inspectable by the owner of the hardware.
Comment #39618464 not loaded
Comment #39611156 not loaded
eugenekolo, about 1 year ago
There's no point in implementing cert pinning if you don't also have integrity checking... Being able to alter bytes in the physical file and run it should not be possible (without another bypass).
Comment #39611006 not loaded
Comment #39610892 not loaded
Comment #39610990 not loaded
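The two comments above (NSHkr_hn asking whether a runtime binary checksum would help, and eugenekolo arguing that pinning is pointless without integrity checking) both refer to the same defensive building block: an in-process check that hashes a region of the program's own code and compares it with a value recorded at build time. The following is an added illustration written for this page, not code from the write-up, from Messenger, or from any Meta project. It hashes a constructed byte buffer standing in for a mapped code segment (a real implementation would hash the loaded __TEXT segment and embed the expected digest at build time); `CODE_REGION`, `integrity_check` and `tampered_copy_passes` are names invented here, and FNV-1a is used only because it is short enough to show inline, not because it is the right choice for production (a keyed or cryptographic hash would be).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* FNV-1a, 64-bit, over an arbitrary byte range. Stand-in for the digest a
 * shipping build would compute over its code segment. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;          /* FNV offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;                   /* FNV prime */
    }
    return h;
}

/* True when the region still hashes to the value recorded at build time. */
bool integrity_check(const uint8_t *region, size_t len, uint64_t expected) {
    return fnv1a64(region, len) == expected;
}

/* Constructed sample "code region" (assumption: arbitrary bytes, not real
 * instructions). In a real binary this would be the mapped text segment. */
static const uint8_t CODE_REGION[] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
};

const uint8_t *code_region(void) { return CODE_REGION; }
size_t code_region_len(void) { return sizeof CODE_REGION; }

/* The digest a build step would embed; computed here at runtime only so the
 * example stays self-contained. */
uint64_t build_time_digest(void) {
    return fnv1a64(CODE_REGION, sizeof CODE_REGION);
}

/* Models the kind of modification the thread discusses: a single byte of the
 * on-disk image changed. Returns whether the check would still pass. */
bool tampered_copy_passes(uint64_t expected, size_t offset) {
    uint8_t copy[sizeof CODE_REGION];
    memcpy(copy, CODE_REGION, sizeof copy);
    copy[offset % sizeof copy] ^= 0x01;          /* flip one bit */
    return integrity_check(copy, sizeof copy, expected);
}

int main(void) {
    uint64_t expected = build_time_digest();
    printf("pristine region passes:  %s\n",
           integrity_check(code_region(), code_region_len(), expected) ? "yes" : "no");
    printf("one-byte-altered passes: %s\n",
           tampered_copy_passes(expected, 3) ? "yes" : "no");
    return 0;
}
```

The caveat the thread itself raises applies to this pattern: a check that lives in the same binary can be removed the same way the pinning branch was, so it only raises the cost of the modification. Enforcement that the attacker cannot edit has to come from outside the process, which is what platform code signing on non-jailbroken devices provides and what NSHkr_hn's question is really pointing at.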
notso411, about 1 year ago
Okay, why just use the web interface and intercept that?
Comment #39610277 not loaded
Comment #39610253 not loaded