
ssl-kill-switch2's Introduction

SSL Kill Switch 2

Blackbox tool to disable SSL/TLS certificate validation - including certificate pinning - within iOS and macOS applications. Second iteration of https://github.com/iSECPartners/ios-ssl-kill-switch .

Description

Once loaded into an iOS or macOS application, SSL Kill Switch 2 will patch low-level functions responsible for handling SSL/TLS connections in order to override and disable the system's default certificate validation, as well as any kind of custom certificate validation (such as certificate pinning).

It was successfully tested against various applications implementing certificate pinning including the Apple App Store. The first version of SSL Kill Switch was released at Black Hat Vegas 2012.

The most recent version of iOS that is known to be supported is 14.2.

iOS Instructions

On iOS, SSL Kill Switch 2 can be installed as a Cydia Substrate tweak on a jailbroken device.

WARNING: THIS TWEAK WILL MAKE YOUR DEVICE INSECURE

Installing SSL Kill Switch 2 allows anyone on the same network as the device to easily perform man-in-the-middle attacks against any SSL or HTTPS connection. This means that it is trivial to get access to emails, websites viewed in Safari and any other data downloaded by any App running on the device.

Installation

The following dependencies should be installed using Cydia:

  • Debian Packager
  • Cydia Substrate
  • PreferenceLoader

Then, download the latest pre-compiled package available in the release tab of the SSL Kill Switch 2's GitHub page. Copy it to the device, install it and respring the device:

dpkg -i <package>.deb
killall -HUP SpringBoard

There should be a new menu in the device's Settings where you can enable the extension. Finally, kill and restart the App you want to test.

The tweak can later be uninstalled using:

dpkg -r com.nablac0d3.SSLKillSwitch2

Intercepting the App Store's traffic

Lots of people have asked about how to intercept the App Store's traffic using SSL Kill Switch 2. I wrote down some instructions here but they are now outdated: http://nabla-c0d3.github.io/blog/2013/08/20/intercepting-the-app-stores-traffic-on-ios/

Intercepting with Charles Proxy

By default, SSL Kill Switch will disrupt the Charles Proxy iOS app and you will not be able to proxy any network traffic with it. To fix this, add the Charles Proxy app (com.xk72.Charles) to the list of excluded bundle IDs in the SSL Kill Switch config.

Build

The build requires the Theos suite to be installed; it is available at http://www.iphonedevwiki.net/index.php/Theos/Getting_Started .

Then, within SSL Kill Switch 2's root folder, create a symlink to your theos installation:

ln -s /<path_to_your_theos_folder> theos

Make sure dpkg is installed. If you have Homebrew, use:

brew install dpkg

Then, the SSL Kill Switch 2 Debian package can be built using:

make package

macOS Instructions

SSL Kill Switch 2 can be used in macOS applications as a dynamic library to be injected into processes.

WARNING: THIS HAS NOT BEEN TESTED ON RECENT VERSIONS OF MACOS

Usage

On macOS, the SSLKillSwitch library needs to be manually injected into the process where SSL pinning needs to be disabled. Once injected, it will automatically override and disable SSL validation.

There are several ways to do this including:

  • Starting the process with LLDB or in Xcode Debug->Attach to process then pause, and load SSLKillSwitch using dlopen():

      (lldb) expr (void*)dlopen("/path/to/build/SSLKillSwitch.framework/Versions/A/SSLKillSwitch", 1)
    

    Expected result is a non-zero pointer:

      (void *) $1 = 0x00007f92e74d10c0
    

    If you receive a zero pointer, you may need to enable code signing, build for profiling and use the binary in the release folder; you may even have to copy the binary to the app's resources folder, in which case you would have seen a sandbox read violation output to the console. To test a new version of the binary, you need to kill the app and load it again.

  • Using DYLD_INSERT_LIBRARIES to inject SSLKillSwitch and start the process.

Restricted Apps

TBD

Build

Use the Xcode project to build SSL Kill Switch 2 for macOS. The compiled library will then be available in Products/SSLKillSwitch.framework/Versions/A/SSLKillSwitch. This is the binary that you need to inject in the process where you want to disable SSL pinning.

Changelog

  • v0.14: Added support for iOS 13.
  • v0.13: Added support for iOS 12.
  • v0.12: Added support for iOS 11.
  • v0.11: Added support for iOS 10.
  • v0.10: Added support for proxy-ing CocoaSPDY Apps (ie. Twitter iOS).
  • v0.9: Extended the MobileLoader filter to simplify the proxy-ing of the Apple App Store application.
  • v0.8: Added support for iOS 9.
  • v0.7: Renamed tool to SSL Kill Switch 2; added support for macOS applications and TrustKit.
  • v0.6: Added support for iOS 7.
  • v0.5: Complete rewrite in order to add support for proxy-ing Apple's App Store application.
  • v0.4: Added hooks for SecTrustEvaluate().
  • v0.3: Bug fixes and support for iOS 6.
  • v0.2: Initial release.

License

MIT - See ./LICENSE.

Author

Alban Diquet - @nabla_c0d3


ssl-kill-switch2's Issues

Doesn't seem to actually function

So I get the package installed, the preference pane is showing up with a single toggle, which I enabled.
Testing with Instagram app and iOS 11.0.3.
The settings app crashes a bunch of times before opening properly as well.

Seems not to work against App Store on iOS 10.2 using iPhone

I have followed the instructions. First I load SSLKillSwitch2; to figure out whether this is successful, I print out syslog and see the /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib message. Secondly I kill both appstored and itunestored. Finally I still cannot catch the traffic of the Apple store. Any suggestion about this?

iOS 9 compatibility (booting problem)

Hi, sorry for bothering, but could you please help me, or just point me in the right direction? I used ios-ssl-kill-switch (iSECPartners) on iOS 8 and previous. On iOS 9 it works, but it prevents a phone (4s, armv7, 9.0.2) from booting, so I can install it and use it, but I can't reboot the phone with the tweak installed. I think it might be related to this (saurik's tweet), so I want to try to build ssl-kill-switch2 with those settings enabled, but unfortunately I can't. Here is an error log which I get, thanks!

Cannot create a new apple ID

I cannot create new apple ID via "Settings" -> "iCloud" -> "Create a new Apple ID".

It says "Verification Failed. There was a problem connecting to the server."

Any idea how to fix it?

Can someone please help me with my MacBook Pro

Start time: 12:19:19 12/10/18

Model Identifier: MacBookPro13,3
System Version: macOS 10.14.1 (18B75)
Kernel Version: Darwin 18.2.0
System Integrity Protection: Enabled
Time since boot: 2:35

FileVault: On


Not working on iOS 9.0.1 App Store

I am trying to download an app, then I input my Apple ID. It finally failed at the step: connect to gsa.apple.com

itunesstored is restarted and the log shows that ssl-kill-switch2 is successfully injected into itunesstored.
At: iPhone 5s / iOS 9.0.1

authkit

Hi,

I'm working with the IOS Simulator (10.3.x) rather than a physical device; so I'm not actually utilising ssl kill switch 2 as the sim is a little looser on signing.

I've patched libsystem_coretls.dylib: tls_helper_create_peer_trust to return 0 as per your blog post - and for the most part this is working.

I'm trying to investigate icloud related services which unfortunately don't.
Authkit was returning "Server cert validity check failed!" - I've patched this check too.

However now I'm getting:

akd[33399]: [core] Failed to check circle status: Error Domain=com.apple.security.sos.error Code=2 "Public Key not available - failed to register before call" UserInfo={NSDescription=Public Key not available - failed to register before call}
akd[33399]: [core] Nil account cannot possibly have a continuation-key token!
akd[33399]: [core] Nil account cannot possibly have a password-reset-token token!
akd[33399]: [core] Invalid/missing value for key alias: (null)
akd[33399]: [core] Invalid/missing value for key acname: (null)
akd[33399]: [core] Invalid value for key ut: (null)
akd[33399]: [core] Authentication with server failed! Error: Error Domain=com.apple.AppleIDAuthSupport Code=2 "selected protocol key missing" UserInfo={NSDescription=selected protocol key missing, Status=<CFBasicHash 0x7fe9d24293e0 [0x1074fbe40]>{type = mutable dict, count = 5,
akd[33399]: [core] Request to show server UI came back with error: Error Domain=AKAuthenticationError Code=-7003 "(null)"
akd[33399]: [core] Server UI did not complete auth successfully! Error: Error Domain=AKAuthenticationError Code=-7003 "(null)"

I'm now not sure which direction to head next - any suggestions appreciated!
(fyi with MITM disabled everything still works correctly)

Cheers,

SecTrustEvaluate [leaf AnchorTrusted]

Hi Alban,
Am still having same problem that the app crashes immediately after seeing the "SecTrustEvaluate [leaf AnchorTrusted]" message. But only on jb devices. On non-JB devices works no problem. KillSwitch2 (0.7) has no effect on these symptoms. With killswitch2 removed, I used your Introspy tool and it shows that the app loads the certificates (from within the bundle) then gives the "SecTrustEvaluate [leaf AnchorTrusted]" message, then crashes. It does nothing else. It does not crash on non-jb. I have tried it on 4 different jb devices (including one that is ios8.1) - all show same symptoms. I do not want to hook or modify this app. I do not want to MITM for this app. I just want to run it (exactly as is) on JB device... Any assistance would be greatly appreciated :)

iOS 10.2, fishhook and tls_helper_create_peer_trust function

Hi, I have some trouble with hooking tls_helper_create_peer_trust in my project via fishhook.

I would like to intercept this call to know the state of SSL pinning, and I use fishhook to reach this goal.

Unfortunately, in my project fishhook doesn't seem to work. I'm testing on this app, where with an Xcode Symbolic Breakpoint on tls_helper_create_peer_trust, I'm sure that it is called.

The code I wrote is this:

#include <substrate.h>
#import <Security/SecureTransport.h>

#import <fishhook.h>

#import "SSLPinning.h"

static OSStatus (*original_tls_helper_create_peer_trust)(void *hdsk, bool server, SecTrustRef *trustRef);

static OSStatus replaced_tls_helper_create_peer_trust(void *hdsk, bool server, SecTrustRef *trustRef)
{

    NSLog(@"Hooking SSLPinning");
    return original_tls_helper_create_peer_trust(hdsk, server, trustRef);
}

@implementation SSLPinning

+(void)enableHooks {
    
    rebind_symbols((struct rebinding[1]){{"tls_helper_create_peer_trust", replaced_tls_helper_create_peer_trust, (void *)&original_tls_helper_create_peer_trust}},1);
}

@end

My question is if, in your knowledge, this way is still working.
I know that this isn't strictly related to your project and if this issue is a problem, sorry.

lldb expression's opcodes issue

I tested this project on iOS and everything worked like a charm, but when I tried it on macOS I have a problem with injecting the binary into the process:

(lldb) file /Applications/Sketch.app/
Current executable set to '/Applications/Sketch.app/' (x86_64).
(lldb) p (void*)dlopen("/Users/*****/Projects/Debug/SSLKillSwitch.framework/Versions/Current/SSLKillSwitch", 1)
error: Can't run the expression locally: Interpreter doesn't handle one of the expression's opcodes
(lldb) 

What should I try?

kill switch preferences not appearing in Settings on iOS 11.3

Can't get the preference to appear in iOS settings.

I tried the default Cydia PreferenceLoader and then the newish PreferenceLoader (2.24alpha1) from http://rpetri.ch/repo . I've seen references to PreferenceLoader 2.24alpha14 but 2.24~alpha1 seems to be the only version hosted on rpetri's repo

Did a kill switch re-install after each change and have restarted iOS and springboard many times.

Any ideas?

Alternatively, any way to turn this on from the shell? Could also just look into modifying the code to turn this on by default (and be very insecure) if I can't get PreferenceLoader to work at all.

For context I'm running iOS 11.3 (not 11.3.1) and am using the unc0ver jailbreak.

Really dirty patch

#17

Your patch is really dirty :), apps like Remote Desktop and Discord stop working because of the patch.

Not working with Spotify

Looks like I can't see any ssl communication from Spotify. I tried patching the ipa using @karek314 his hexbytescanner but without luck

SSL Handshake error in iOS 9.0.2

I'm using Burp on iOS 9.0.2. When accessing any HTTPS website in Safari, it says:
Verify Server Identity
After installing a custom SSL certificate, everything works well.
BUT
When downloading from the App Store I get this error:
[screenshot]
Is there any system protection in iOS 9 for checking the trusted SSL? Because on iOS 8.4 everything works as it should.
With iOS 9.0.2 many apps do not work when using ssl-kill-switch, like Facebook and the App Store.

How to avoid that situation? Maybe I'm doing something incorrectly?

Not working with Facebook

First of all, very cool project!

I was trying out the latest release with the Facebook app and it's not working for me. Tried a reboot. Works fine in Safari. Console notifies of it being loaded. Screenshot from Charles Proxy included. Tried with Burp also, same error. Apple App Store gets intercepted just fine.
[screenshot]

App Store Preference file not found hook disabled

v0.10 version in ios 7.1.2

I have killed the itunesstored process, but there is an error in the system log:

Apr 22 14:50:13 com.apple.launchd[1] : (com.apple.itunesstored) Exited: Killed: 9
Apr 22 14:50:13 itunesstored[1361] : MS:Notice: Injecting: com.apple.itunesstored itunesstored
Apr 22 14:50:14 itunesstored[1361] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Preference file not found.
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Subtrate hook disabled.
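The log lines in this issue show what a load of the tweak looks like from the defender's side. The following Python scanner is an added example, not code from the issue or from the SSL Kill Switch 2 project: it reports every process whose syslog shows the tweak being loaded and whether its hook reported itself disabled. The sample log reuses the lines quoted above plus two constructed lines; the `ExampleApp` and `OtherApp` entries, the optional hostname and `<Notice>` fields, and the verdict names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Dylib name and banner prefix as they appear in the log lines quoted on this page.
TWEAK_DYLIB = "SSLKillSwitch2.dylib"
BANNER = "=== SSL Kill Switch 2:"

# Constructed sample: the five lines from the issue, then two constructed lines
# (a hypothetical app that loads the tweak, and an unrelated dylib load).
SAMPLE_SYSLOG = """\
Apr 22 14:50:13 com.apple.launchd[1] : (com.apple.itunesstored) Exited: Killed: 9
Apr 22 14:50:13 itunesstored[1361] : MS:Notice: Injecting: com.apple.itunesstored itunesstored
Apr 22 14:50:14 itunesstored[1361] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Preference file not found.
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Subtrate hook disabled.
Apr 22 14:51:02 iPhone ExampleApp[1402] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Apr 22 14:51:03 iPhone OtherApp[1410] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/Unrelated.dylib
"""

# "Mon DD HH:MM:SS [host] process[pid] [<Level>]: message"
# Host and <Level> are optional because the lines quoted on the page lack them.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?"
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]\s*(?:<\w+>)?\s*:\s*(?P<msg>.*)$"
)
LOAD_RE = re.compile(r"MS:Notice: Loading: (?P<path>\S+)")


@dataclass
class Finding:
    process: str
    pid: int
    first_seen: str
    dylib_loaded: bool = False
    messages: list = field(default_factory=list)

    @property
    def verdict(self):
        # Only an explicit "hook disabled" banner downgrades the finding;
        # anything else is treated as a process whose TLS validation
        # can no longer be relied on.
        if any("hook disabled" in m for m in self.messages):
            return "LOADED_HOOK_DISABLED"
        return "LOADED_ASSUME_ACTIVE"


def scan(text):
    """Return one Finding per (process, pid) that loaded the tweak."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a syslog-formatted line
        msg = m["msg"]
        load = LOAD_RE.search(msg)
        is_load = bool(load) and load["path"].rsplit("/", 1)[-1] == TWEAK_DYLIB
        # A banner without a preceding load line still counts: the log
        # may have been truncated or rotated.
        is_banner = msg.startswith(BANNER)
        if not (is_load or is_banner):
            continue
        key = (m["proc"], int(m["pid"]))
        finding = findings.setdefault(key, Finding(m["proc"], int(m["pid"]), m["ts"]))
        if is_load:
            finding.dylib_loaded = True
        if is_banner:
            finding.messages.append(msg[len(BANNER):].strip())
    return list(findings.values())


if __name__ == "__main__":
    for f in scan(SAMPLE_SYSLOG):
        print(f"{f.first_seen} {f.process}[{f.pid}] {f.verdict} {f.messages}")
```
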

Build environment details

I am trying out this repo with RPetrich's theos but encountering this build error which is weird.

Undefined symbols for architecture armv7:
    "_MSHookFunction", referenced
         _init in SSLKillSwitch.m.45a1eea5.o

That function should be pretty basic in tweaks so I guess I have my build environment misconfigured or something. What tools are you using right now to build this project successfully?

This is my environment:

  • OS X 10.9.5
  • XCode 6.2 + CLI Tools
  • RPetrich's theos
  • env SDKVERSION=8.2
  • I forgot already where I got my theos/includes. Might be outdated? Where do you guys get yours?

Might help to note that the current build environment I have works fine with Introspy and builds successfully.

Add support for macOS Mojave

I followed the README's OS X usage, and everything seems right, but it still doesn't work...
Does it not support macOS Mojave?

Any progress on macOS Sierra?

I want to report that this stopped working on macOS Sierra.
Can you please investigate the problem?

Tested with macOS 10.12.4 and lldb-370.0.37.
There is no error, but it can't disable certificate pinning.

Doesn't work on iOS 9.0.2

Doesn't disable any of the HTTPS calls.
Everything still happens with HTTPS and no SSL is disabled.

Downloaded your release from 25 days ago, installed it, resprung my device, and nothing.
Tried restarting, didn't help.

Thought it may have something to do with app slicing, tried downloading apps from iTunes, didn't help.

macOS High Sierra Support

I'm trying to inject sslkillswitch into mac's AppStore app but I'm still getting error on sign-in while proxying.

Dylib is injected to process successfully:

Is there any other process that should be injected, or that's a bug?

ssl-kill-switch2 cannot disable cert pinning in iOS11

Cannot capture iTunes/Apple ID login HTTPS packets.
I also cannot capture App Store packets in iOS 11 with ssl-kill-switch2 enabled.

It seems it doesn't rely on "tls_helper_create_peer_trust" in iOS 11.

Here's AuthKit log:

20:00:49.842788 +0800	akd	Requesting clearance to begin auth with context <private>...
20:00:49.843602 +0800	akd	Cleared to begin auth with context <private>!
20:00:49.843736 +0800	akd	Current context does not permit non-interactive auth.
20:00:49.843890 +0800	akd	Context did not provide a username and/or password.
20:00:49.846842 +0800	akd	Reachability Flag Status: -R ------- networkStatusForFlags
20:00:49.847012 +0800	akd	Collecting user credentials...
20:00:49.847148 +0800	akd	No altDSID on context. Nothing to validate.
20:00:56.745619 +0800	akd	Successfully obtained password. Time for SRP auth.
20:00:56.751974 +0800	akd	altDSID is available for auth: <private>
20:00:56.755511 +0800	akd	Context eligibility for piggybacking: NO
20:00:56.755646 +0800	akd	Client is eligible for piggybacking: NO
20:00:56.757915 +0800	akd	Password available. Will ask for bootstrap password-based auth.
20:00:56.758035 +0800	akd	Sending prkgen: YES
20:00:56.758181 +0800	akd	The client indicated support for ckgen: YES
20:00:56.758453 +0800	akd	ckgen supported: YES
20:00:56.818729 +0800	akd	SendRequestAndCreateResponse: submissing a request to: <private>
20:00:56.818867 +0800	akd	TIC Enabling TLS [11:0x100962340]
20:00:56.818934 +0800	akd	TIC TCP Conn Start [11:0x100962340]
20:00:56.819292 +0800	akd	Task <321FB545-6485-4805-A8EC-C4E14FB71D65>.<23> setting up Connection 11
20:00:56.823567 +0800	akd	TIC TCP Conn Connected [11:0x100962340]: Err(16)
20:00:56.823770 +0800	akd	TIC TCP Conn Event [11:0x100962340]: 1
20:00:57.031003 +0800	akd	TIC Enabling TLS [11:0x100962340]
20:00:57.043570 +0800	akd	TIC TLS Event [11:0x100962340]: 1, Pending(0)
20:00:57.554276 +0800	akd	TIC TLS Event [11:0x100962340]: 2, Pending(0)
20:00:57.555108 +0800	akd	TIC TLS Event [11:0x100962340]: 11, Pending(0)
20:00:57.555446 +0800	akd	TIC TLS Event [11:0x100962340]: 12, Pending(0)
20:00:57.555779 +0800	akd	TIC TLS Event [11:0x100962340]: 14, Pending(0)
20:00:57.556124 +0800	akd	-[AIASSession URLSession:task:didReceiveChallenge:completionHandler:]: checking pinning
20:00:57.557437 +0800	akd	could not disable pinning: not an internal release
20:00:57.575677 +0800	akd	 [leaf AnchorApple CheckIntermediateMarkerOid CheckLeafMarkerOid]
20:00:57.576008 +0800	akd	-[AIASSession URLSession:task:didReceiveChallenge:completionHandler:]: pinning failed
20:00:57.590835 +0800	akd	-[AIASSession URLSession:task:didCompleteWithError:]: <private>: <private>
20:00:57.590936 +0800	akd	SendRequestAndCreateResponse: failed to fetch request <private>: <private>
20:00:57.591020 +0800	akd	AppleIDAuthSupport: setError: <private>
20:00:57.591107 +0800	akd	Invalid/missing value for key alias: (null)
20:00:57.591191 +0800	akd	Invalid/missing value for key acname: (null)
20:00:57.591274 +0800	akd	Invalid value for key ut: (null)
20:00:57.591356 +0800	akd	Authentication with server failed! Error: <private>
20:00:57.591440 +0800	akd	TIC TCP Conn Cancel [11:0x100962340]
20:00:57.591605 +0800	akd	Task <321FB545-6485-4805-A8EC-C4E14FB71D65>.<23> HTTP load failed (error code: -999 [1:89])
20:00:57.591687 +0800	akd	Failing auth due to verification error: <private>
20:00:57.592065 +0800	akd	Attempting to show login error: <private>
20:00:57.592449 +0800	akd	Task <321FB545-6485-4805-A8EC-C4E14FB71D65>.<23> finished with error - code: -999

Some Pinning Still Occurs

I've been looking through this patch and trying to get my head around CFNetwork (but I'm pretty bad at reversing things so please excuse my ignorance here!)

I am still getting in the event log TIC SSL Trust Errors, which tells me there's probably another implementation of the Certificate Pinning process somewhere. Again this all seems to be happening in TCPIOConnection (perhaps by obtaining a tlsProcessTrustPolicyResult?).

A way to get these errors seems to be just trying to activate iMessage with the Kill Switch enabled. You also cannot log into iCloud even with the kill switch, so I can only assume that either:

  1. imagent / aks / apns use their own statically compiled certificate checking algorithm, or
  2. There is another implementation of the certificate pinning checks.

This header looks kind of interesting, but it looks like it sets up certificate chain verification; I can't seem to find where this is actually retrieved.

I know for sure that the patch is loading, however, as I'm able to browse to SSL Pinned sites in Safari.

iOS 8

Hey man what's the difference between this and the original one on the iSec page?
Will this one work with iOS8? The other version didn't seem to work with all my apps.

dlopen fails with 0 return value

I'm trying it on macOS 10.13.1 with lldb-900.0.61:

  1. lldb app path
  2. break set -n NSApplicationMain
  3. run
  4. expr (void*)dlopen("/Users/an0/Library/Developer/Xcode/DerivedData/SSLKillSwitch-xxxj/Build/Products/Debug/SSLKillSwitch.framework/SSLKillSwitch", 1)

But I got (void *) $1 = 0x0000000000000000. What did I do wrong?

v0.11

IOS 10.2 (iPhone 6s)

Mail.app,
youtube.app,
instagram.app,
facebook.app

didn't work. (no connection to server)

Does not work on IOS 10.3.2

Hi,
the last release 0.11 does not bypass SSL pinning on iOS 10.3.2!
Did anyone test it on this iOS version? Do you have any idea/suggestion?

Thanks!
MAL

ssl-kill-switch2 bricked iPhone6 iOS 9.1

I tried the tool on an iPhone 6 with iOS 9.1. I followed the installation guide, copied it to the device and installed it. A new menu appeared in the device's settings and I rebooted the iPhone. Now the phone DOES NOT BOOT, it is just stuck displaying the Apple logo.

Why didn't you mention in the readme that this tool CAN BRICK the device?
Do you have any suggestion how to recover the device?

Injecting DYLIB into jailed app

Hi

Firstly, thanks for your efforts on this app, it's extremely helpful!

I'm using Theos-Jailed to inject your DYLIB into the "Damn Vulnerable iOS App" to bypass the Certificate pinning check within the transport security section.

I have the DYLIB loading and I could initially see that hooking was disabled due to the lack of preference file being present. Within SSLKillSwitch.m I changed line 42 from NO to YES and according to the console the module is loading:

DamnVulnerableIOSApp(SSLKillSwitch2.dylib)[1937] : === SSL Kill Switch 2: Subtrate hook enabled.

However the certificate pinning still seems to be in place, I am running all the traffic through Burp suite and I have the CA loaded and trusted on the device.

Thanks for any insight you can give!

iOS: 10.3.1
iPhone 7+

A little problem

Hi,
I know iOS 10 does not show the NSLog info.
I want to know how you can print the NSLog information:
Mar 3 18:01:04 iPhone XXXXX(SSLKillSwitch2.dylib)[2781] : === SSL Kill Switch 2: Preference set to 1.
Mar 3 18:01:04 iPhone XXXXX(SSLKillSwitch2.dylib)[2781] : === SSL Kill Switch 2: Subtrate hook enabled.

I compiled the dylib.
Neither print nor NSLog output shows up in idevicesyslog.

Thanks

Erroring out on (some?) iOS11 devices (boringssl error)

I understand some users have SKS working on iOS11 but it causes TLS connections to fail even in a very basic app I've created. Testing on iPhone 6 Plus, iOS 11.1.2 running Electra 1.0.4. (moving this info from a pull request)

I've created a pretty simple test app to validate using NSURLConnection (https://samy.pl/o/nsurl.tgz). I'm performing a TLS MITMA through a proxy and have a custom CA installed on the phone. I get very strange results.

If I enable SSL Kill Switch, and install my TLS MITMA cert, regardless of whether the cert is trusted or not, the TLS connection always fails.

However, if I disable SSL Kill Switch, the connection works as long as the MITMA cert is trusted (in Settings->General->About->Certificate Trust Settings) - as expected. It fails if I untrust the cert as well, as expected.

I've loaded Frida up and can confirm nw_tls_create_peer_trust is getting called. Oddly, though, if I adjust the Frida handler for nw_tls_create_peer_trust to return 0 (errSecSuccess) and have SSL Kill Switch disabled and the cert untrusted, it also fails. But perhaps I'm setting that up incorrectly.

__handlers__/libnetwork.dylib/nw_tls_create_peer_trust.js:

{ onLeave: function (log, retval, state) { retval.replace(0); } }

SKS is definitely running (see logs), and it is affecting TLS sessions, just not in the right way. Seems to be causing them to not complete even when I do have a cert supporting the MITMA.

It seems to fail here:
Jul 1 21:40:07 the-titanic nsurl-request(libboringssl.dylib)[897] <Error>: Function boringssl_session_finish_handshake: line 2643 The peer was not authenticated. Disconnecting the connection.

Oddly using Frida does not capture that function, likely because it's not exported:
frida-trace -U -i "*boringssl_*" nsurl-request

Plenty of other functions are captured and hooked by Frida but not boringssl_session_finish_handshake. I've confirmed the function is in the .dylib in IDA
https://samy.pl/dd/bssl.png

The error message is also only ever called from the function:
https://samy.pl/dd/bssl2.png

That function also isn't in Google's boringssl, so clearly they have their own fork and I haven't found it available online. I'll have to see if the license requires them to open it up or not.

I've pulled logs while running my test app (and added some minor logs to SKS), and do see Substrate hook enabled (logs below matching /nsurl|ssl|substrate/i):

1288   :        SBLayoutRolePrimary = <SBDeviceApplicationSceneEntity: 0x1c0284fb0; ID: pl.samy.nsurl-request; layoutRole: primary>;
1304   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: Submitting new job for "pl.samy.nsurl-request" on behalf of <BKProcess: 0x10123bbf0; SpringBoard; com.apple.springboard; pid: 879; agency: SystemShell; visibility: foreground; task: running>
1305   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: Submitted job with label: UIKitApplication:pl.samy.nsurl-request[0xe9d3][442]
1307   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Adding client: <BKProcessInfoServerClient: 0x101222800; pid: 879>
1308   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Setting jetsam priority to 10 [0x10000]
1310   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: Now tracking process <BKProcess: 0x1011487b0; nsurl-request; pl.samy.nsurl-request; pid: 897; agency: SystemApp; visibility: none; task: running; hostpid: 879> with host <BKProcess: 0x10123bbf0; SpringBoard; com.apple.springboard; pid: 879; agency: SystemShell; visibility: foreground; task: running>
1311   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [SpringBoard:879] Attempting to acquire assertion for nsurl-request:897: <BKProcessAssertion: 0x10113f170; "UIApplicationLaunch" (activation:inf); id:\M-b\M^@\M-&0D1C43BA3D81>
1312   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Add assertion: <BKProcessAssertion: 0x10113f170; id: 879-1F4968EB-1992-46A8-8F81-0D1C43BA3D81; name: UIApplicationLaunch; state: active; reason: activation; duration: infs> {
1315   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Activate assertion: <BKProcessAssertion: 0x10113f170; "UIApplicationLaunch" (activation:inf); id:\M-b\M^@\M-&0D1C43BA3D81>
1316   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] New process assertion state; preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, wantsForegroundResourcePriority, preventSuspendOnSleep (assertion 0x10113f170 added: preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, wantsForegroundResourcePriority, preventSuspendOnSleep; removed: (none))
1317   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Setting jetsam priority to 10 [0x10100]
1318   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] setpriority success for resource GPU to PRIO_DARWIN_GPU_ALLOW
1319   :Jul  1 21:40:06 the-titanic assertiond[442] <Notice>: [nsurl-request:897] setpriority success for resource CPU to default (0)
1320   :Jul  1 21:40:06 the-titanic SpringBoard(WiFiPicker)[879] <Notice>: WIFI PICKER [pl.samy.nsurl-request]: isProcessLaunch: 1,    isForegroundActivation: 1,     isForegroundDeactivation: 0
1321   :Jul  1 21:40:06 the-titanic SpringBoard(AssertionServices)[879] <Notice>: [pl.samy.nsurl-request] Bootstrap complete with label: UIKitApplication:pl.samy.nsurl-request[0xe9d3][442]
1322   :Jul  1 21:40:06 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [FBProcessManager] Adding: <FBApplicationProcess: 0x10a24e1e0; nsurl-request (pl.samy.nsurl-request); pid: 897>
1323   :Jul  1 21:40:06 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [pl.samy.nsurl-request] Setting deactivation reasons to: 'systemAnimation' for reason: scene settings update - settings are eligible for deactivation reasons.
1325   :Jul  1 21:40:06 the-titanic SpringBoard[879] <Notice>: Application process state changed for pl.samy.nsurl-request: <SBApplicationProcessState: 0x1c5027ca0; pid: 897; taskState: Running; visibility: Unknown>
1326   :Jul  1 21:40:06 the-titanic mediaserverd(CoreMedia)[521] <Notice>: -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client pl.samy.nsurl-request with pid '897' is now Foreground Running. Background entitlement: NO
1332   :    SBApplicationStateDisplayIDKey = "pl.samy.nsurl-request";
1336   :Jul  1 21:40:06 the-titanic symptomsd(SymptomEvaluator)[481] <Notice>: 897 pl.samy.nsurl-request: ForegroundRunning (most elevated: ForegroundRunning)
1337   :Jul  1 21:40:06 the-titanic symptomsd(SymptomEvaluator)[481] <Notice>: Entry, display name pl.samy.nsurl-request uuid AEA017C5-75E0-3012-B972-F13775CF8F47 pid 897 isFront 1
1338   :Jul  1 21:40:06 the-titanic symptomsd(SymptomEvaluator)[481] <Notice>: Continue with bundle name pl.samy.nsurl-request, is front 1
1339   :Jul  1 21:40:06 the-titanic symptomsd(SymptomEvaluator)[481] <Notice>: pl.samy.nsurl-request: Foreground: true
1343   :Jul  1 21:40:06 the-titanic nsurl-request(TweakInject.dylib)[897] <Notice>: Injecting /Library/TweakInject/SSLKillSwitch2.dylib into pl.samy.nsurl-request
1344   :Jul  1 21:40:06 the-titanic nsurl-request(SSLKillSwitch2.dylib)[897] <Notice>: === SSL Kill Switch 2: SSLKS1
1345   :Jul  1 21:40:06 the-titanic nsurl-request(SSLKillSwitch2.dylib)[897] <Notice>: === SSL Kill Switch 2: SSLKS2
1346   :Jul  1 21:40:06 the-titanic nsurl-request(SSLKillSwitch2.dylib)[897] <Notice>: === SSL Kill Switch 2: Preference set to 1.
1347   :Jul  1 21:40:06 the-titanic nsurl-request(SSLKillSwitch2.dylib)[897] <Notice>: === SSL Kill Switch 2: Substrate hook enabled.
1348   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] workspaceConnectedWithTaskPortRight: received task port
1349   :Jul  1 21:40:07 the-titanic nsurl-request(libAccessibility.dylib)[897] <Notice>: Retrieving resting unlock: 0
1463   :Jul  1 21:40:07 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [pl.samy.nsurl-request] Setting deactivation reasons to: '(none)' for reason: updateAllScenesForBand - Assertion removed.
1491   :Jul  1 21:40:07 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [pl.samy.nsurl-request] Sending scene action [Logical Activate] through WorkspaceServer: 0x1c4480370
1492   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [SpringBoard:879] Attempting to acquire assertion for nsurl-request:897: <BKProcessAssertion: 0x10114a640; "Resume" (activation:inf); id:\M-b\M^@\M-&6DEDE9E7ABFB>
1493   :Jul  1 21:40:07 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [pl.samy.nsurl-request] Sending scene action [SceneLifecycleEventOnly] through WorkspaceServer: 0x1c4480370
1494   :Jul  1 21:40:07 the-titanic SpringBoard(FrontBoard)[879] <Notice>: [pl.samy.nsurl-request] Sending scene action [SceneLifecycleEventOnly] through WorkspaceServer: 0x1c4480370
1495   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Add assertion: <BKProcessAssertion: 0x10114a640; id: 879-1E0FFF88-2BC6-4BB8-86EA-6DEDE9E7ABFB; name: Resume; state: active; reason: activation; duration: infs> {
1498   :Jul  1 21:40:07 the-titanic SpringBoard[879] <Notice>: Application process state changed for pl.samy.nsurl-request: <SBApplicationProcessState: 0x1c4433a60; pid: 897; taskState: Running; visibility: Foreground>
1499   :Jul  1 21:40:07 the-titanic SpringBoard[879] <Notice>: Application process state changed for pl.samy.nsurl-request: <SBApplicationProcessState: 0x1c5027ca0; pid: 897; taskState: Running; visibility: Foreground>
1500   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Activate assertion: <BKProcessAssertion: 0x10114a640; "Resume" (activation:inf); id:\M-b\M^@\M-&6DEDE9E7ABFB>
1501   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [SpringBoard:879] Attempting to acquire assertion for nsurl-request:897: <BKProcessAssertion: 0x101240090; "Deliver Message" (suspend:10s); id:\M-b\M^@\M-&972A8C1209F4>
1502   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Add assertion: <BKProcessAssertion: 0x101240090; id: 879-4C684D3A-2568-453A-B10A-972A8C1209F4; name: "Deliver Message"; state: active; reason: suspend; duration: 10.0s> {
1506   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Activate assertion: <BKProcessAssertion: 0x101240090; "Deliver Message" (suspend:10s); id:\M-b\M^@\M-&972A8C1209F4>
1507   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Setting jetsam priority to 10 [0x10300]
1509   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Deactivate assertion: <BKProcessAssertion: 0x10113f170; "UIApplicationLaunch" (activation:inf); id:\M-b\M^@\M-&0D1C43BA3D81>
1510   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] dump all assertions HWM:3 (deactivateAssertion): {
1513   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Scheduling allow-idle-sleep timer with interval: 180.0
1514   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] New process assertion state; preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep (assertion 0x10113f170 added: (none); removed: wantsForegroundResourcePriority)
1515   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Remove assertion: <BKProcessAssertion: 0x10113f170; "UIApplicationLaunch" (activation:inf); id:\M-b\M^@\M-&0D1C43BA3D81>
1533   :Jul  1 21:40:07 the-titanic nsurl-request(HangTracer)[897] <Notice>: refreshPreferences: HangTracerEnabled: 0
1534   :Jul  1 21:40:07 the-titanic nsurl-request(HangTracer)[897] <Notice>: refreshPreferences: HangTracerDuration: 500
1535   :Jul  1 21:40:07 the-titanic nsurl-request(HangTracer)[897] <Notice>: refreshPreferences: ActivationLoggingEnabled: 0 ActivationLoggingTaskedOffByDA:0
1536   :Jul  1 21:40:07 the-titanic nsurl-request[897] <Notice>: === nsurl-request: Requesting URL.
1538   :Jul  1 21:40:07 the-titanic SpringBoard[879] <Notice>: Front display did change: <SBApplication: 0x1c41db030; pl.samy.nsurl-request>
1540   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: Faulting in NSHTTPCookieStorage singleton
1541   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: Faulting in CFHTTPCookieStorage singleton
1542   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: Creating default cookie storage with default identifier
1543   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC Enabling TLS [1:0x1c416ef40]
1544   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Start [1:0x1c416ef40]
1545   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: Task <BC2BDAE5-3589-418A-AD35-CD108FB728F2>.<0> setting up Connection 1
1550   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Connected [1:0x1c416ef40]: Err(16)
1551   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Event [1:0x1c416ef40]: 1
1552   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC Enabling TLS [1:0x1c416ef40]
1553   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TLS Event [1:0x1c416ef40]: 1, Pending(0)
1554   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TLS Event [1:0x1c416ef40]: 2, Pending(0)
1555   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TLS Event [1:0x1c416ef40]: 11, Pending(0)
1556   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TLS Event [1:0x1c416ef40]: 12, Pending(0)
1557   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TLS Event [1:0x1c416ef40]: 14, Pending(0)
1558   :Jul  1 21:40:07 the-titanic nsurl-request(libboringssl.dylib)[897] <Error>: Function boringssl_session_finish_handshake: line 2643 The peer was not authenticated. Disconnecting the connection.
1559   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Event [1:0x1c416ef40]: 3
1560   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Cancel [1:0x1c416ef40]
1561   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9810)
1562   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Error>: Task <BC2BDAE5-3589-418A-AD35-CD108FB728F2>.<0> HTTP load failed (error code: -1200 [3:-9810])
1563   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Notice>: TIC TCP Conn Destroyed [1:0x1c416ef40]
1564   :Jul  1 21:40:07 the-titanic nsurl-request(CFNetwork)[897] <Error>: NSURLConnection finished with error - code -1200
1565   :Jul  1 21:40:07 the-titanic nsurl-request(AccessibilitySettingsLoader)[897] <Notice>: Sending initial safe area update
1567   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Deactivate assertion: <BKProcessAssertion: 0x101240090; "Deliver Message" (suspend:10s); id:\M-b\M^@\M-&972A8C1209F4>
1568   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] dump all assertions HWM:3 (deactivateAssertion): {
1570   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Setting jetsam priority to 10 [0x10100]
1571   :Jul  1 21:40:07 the-titanic assertiond[442] <Notice>: [nsurl-request:897] Remove assertion: <BKProcessAssertion: 0x101240090; "Deliver Message" (suspend:10s); id:\M-b\M^@\M-&972A8C1209F4>

Any suggestions on investigating further? Thanks!

iOS 9 Push Daemon Cert Pinning

Hi, I am unable to successfully pin certificates to the push daemon (apsd). I tried adding com.apple.apsd to SSLKillSwitch2.plist and re-building, which made a deb package I could install, but iOS is still rejecting the certificates for the push proxy. These same certificates and setup work great on iOS 7 and 8. iOS 9 is doing something else, presumably with App Transport Security. Here is some log data:

Jan 16 21:06:57 x-iPhone apsd[265]: MS:Notice: Injecting: com.apple.apsd [apsd] (1240.10)
Jan 16 21:06:57 x-iPhone apsd[265]: MS:Notice: Loading:     /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Jan 16 21:06:57 x-iPhone apsd[265]: === SSL Kill Switch 2: Preference set to 1.
Jan 16 21:06:57 x-iPhone apsd[265]: === SSL Kill Switch 2: Subtrate hook enabled.

and then when it tries to connect to push server:

Jan 16 21:07:33 x-iPhone apsd[265]: CFNetwork SSLHandshake failed (-9801)

Downloading fails when proxying and downloading an app

I've tried fiddler and charles proxy to sniff the download process of an app from the appstore on iOS (8.1.3). Used KillSwitch 0.8 for that. Everything works perfectly fine (Awesome job!) except downloading an app.

Clicking on "GET" and "INSTALL", the request is rejected, and the button goes back to "GET".

Any ideas?

Not working with iMessage

I'm trying to man-in-the-middle iMessage's communications using ssl-kill-switch2, Mitmproxy, and an iPad mini 1st gen running iOS 8.1.3.
I can confirm it works on the App Store after following your instructions to kill the App Store daemon so this project can hook into the certificate pinning calls.
However, when iMessage is opened, it does not trust the proxy. Instead, apsd (Apple Push Service Daemon) reports the following in idevicesyslog:

May 24 10:14:27 myiPad apsd[618] <Error>: SecTrustEvaluate [leaf NonEmptySubject]
May 24 10:14:27 myiPad apsd[618] <Warning>: CFNetwork SSLHandshake failed (-9807)

mitmproxy reports that there was an issue with the SSL Handshake with the client, and this can be seen in Wireshark, where I can see the client iPad receive the certificate, then send a FIN to close the connection.

My first thought was to kill imagent itself so it could be hooked into, but that didn't help.
Is it possible that another system daemon is performing the cert validation on behalf of apsd, and returning the result to it, thus the error looks like it originates from apsd?
Or do I need to modify the hooks in some way to also pass this NonEmptySubject check, in case it's not handled in some subtle way by kill-switch?
Thanks in advance for any help!
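
A log-triage sketch for the syslog excerpts quoted in the reports above, added here as an example (it is not part of any post and not the project's code): per process, it reads whether the dylib loaded, whether the hook was enabled, and which TLS failure followed. The sample lines are constructed, modelled on those excerpts; `test-iPhone` and `demo-app` are placeholder names.

```python
import re

# SecureTransport result codes quoted in the reports (names from Apple's SecureTransport.h).
SECURE_TRANSPORT = {-9801: "errSSLNegotiation",
                    -9807: "errSSLXCertChainInvalid",
                    -9810: "errSSLInternal"}

# "proc[pid]" or "proc(image)[pid]"; a hostname or grep -n prefix in front is ignored.
PROC = re.compile(r"(?P<proc>[\w.-]+)(?:\([^)]*\))?\[(?P<pid>\d+)\]")
LOADED = re.compile(r"(?:Loading:|Injecting)\s+\S*SSLKillSwitch2\.dylib")
# The excerpts show both "Subtrate" and "Substrate"; accept either spelling.
HOOK = re.compile(r"=== SSL Kill Switch 2: Subs?trate hook (enabled|disabled)")
PREF_MISSING = re.compile(r"=== SSL Kill Switch 2: Preference file not found")
TLS_CODE = re.compile(r"(?:SSLHandshake failed \(|kCFStreamErrorDomainSSL, |\[\d+:)(-98\d\d)\b")
PEER_UNAUTH = re.compile(r"boringssl_session_finish_handshake.*peer was not authenticated")


def triage(lines):
    """Return {(process, pid): state} for processes with tweak or TLS-failure evidence."""
    procs = {}
    for line in lines:
        who = PROC.search(line)
        loaded, hook = LOADED.search(line), HOOK.search(line)
        pref, code = PREF_MISSING.search(line), TLS_CODE.search(line)
        unauth = PEER_UNAUTH.search(line)
        if not who or not (loaded or hook or pref or code or unauth):
            continue
        s = procs.setdefault((who["proc"], int(who["pid"])), {
            "loaded": False, "hook": None, "pref_missing": False,
            "tls_codes": [], "peer_unauth": False})
        if loaded or hook or pref:
            s["loaded"] = True  # loader or tweak message: the dylib is in this process
        if hook:
            s["hook"] = hook.group(1)
        if pref:
            s["pref_missing"] = True
        if code and int(code.group(1)) not in s["tls_codes"]:
            s["tls_codes"].append(int(code.group(1)))
        if unauth:
            s["peer_unauth"] = True
    return procs


def verdict(s):
    """One-line reading of a process state produced by triage()."""
    failed = bool(s["tls_codes"] or s["peer_unauth"])
    codes = ", ".join(f"{c} {SECURE_TRANSPORT.get(c, 'unknown')}" for c in s["tls_codes"])
    detail = codes or "peer not authenticated"
    if s["hook"] == "disabled":
        why = "preference file missing" if s["pref_missing"] else "preference off"
        return f"dylib loaded, hooks not installed ({why})"
    if s["hook"] == "enabled" and failed:
        return f"hooks installed, handshake still rejected ({detail})"
    if s["hook"] == "enabled":
        return "hooks installed, no TLS failure logged: validation is off in this process"
    if failed:
        return f"TLS failure without a hook message for this process ({detail})"
    return "dylib loaded, hook state not logged"


# Constructed sample: three processes in the three log formats quoted on this page.
SAMPLE = """\
Apr 22 14:50:13 itunesstored[1361] : MS:Notice: Injecting: com.apple.itunesstored itunesstored
Apr 22 14:50:14 itunesstored[1361] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Preference file not found.
Apr 22 14:50:14 itunesstored[1361] : === SSL Kill Switch 2: Subtrate hook disabled.
Jan 16 21:06:57 test-iPhone apsd[265]: MS:Notice: Loading:     /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Jan 16 21:06:57 test-iPhone apsd[265]: === SSL Kill Switch 2: Subtrate hook enabled.
Jan 16 21:07:33 test-iPhone apsd[265]: CFNetwork SSLHandshake failed (-9801)
1347   :Jul  1 21:40:06 test-iPhone demo-app(SSLKillSwitch2.dylib)[897] <Notice>: === SSL Kill Switch 2: Substrate hook enabled.
1558   :Jul  1 21:40:07 test-iPhone demo-app(libboringssl.dylib)[897] <Error>: Function boringssl_session_finish_handshake: line 2643 The peer was not authenticated. Disconnecting the connection.
1562   :Jul  1 21:40:07 test-iPhone demo-app(CFNetwork)[897] <Error>: Task <X>.<0> HTTP load failed (error code: -1200 [3:-9810])
"""

if __name__ == "__main__":
    for (proc, pid), state in triage(SAMPLE.splitlines()).items():
        print(f"{proc}[{pid}]: {verdict(state)}")
```

A process that reports "hook enabled" with no later TLS failure is one where certificate validation is switched off, which is also the state to look for when checking whether a test device is still safe to use on an untrusted network.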
