Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add instagram app support #82

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 24 additions & 3 deletions native-tls-hook.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,11 +37,16 @@ const TARGET_LIBS = [
{ name: 'libsscronet.so', hooked: false }, // Cronet on Android
{ name: 'boringssl', hooked: false }, // Bundled by some apps e.g. TikTok on iOS
{ name: 'libssl.so', hooked: false }, // Native OpenSSL in Android
{ name: 'libliger.so', hooked: false }, // Facebook proxygen
];

TARGET_LIBS.forEach((targetLib) => {
waitForModule(targetLib.name, (moduleName) => {
patchTargetLib(moduleName);
if(moduleName === 'libliger.so'){
hook_proxygen_SSLVerification(moduleName);
}else{
patchTargetLib(moduleName);
}
targetLib.hooked = true;
});

Expand All @@ -56,6 +61,23 @@ TARGET_LIBS.forEach((targetLib) => {
}
});

function hook_proxygen_SSLVerification(library) {
const functionName = "_ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any idea how consistent this name is? It looks like the kind of thing that might change frequently between releases.

Can we match against this instead, with something like *proxygen*SSLVerification*verifyWithMetrics*FailureVerificationCallbacks*? That seems likely to be sufficiently specific but much less likely to change in future.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know, this method name is taken from libliger.so. It works.


try {
const f = Module.getExportByName(library, functionName);

Interceptor.attach(f, {
onLeave: function (retvalue) {
retvalue.replace(1);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely interesting, but it's tricky - right now all the existing scripts allow TLS interception just by the one extra MitM CA, but this line disables TLS validation completely for this code 😬

That creates some potential security problems. Even if you're intercepting Instagram traffic yourself, you probably don't want the risk that anybody on your local network could intercept you and steal your Instagram account.

All the other hooks handle this by using related APIs to actually validate the certificate, and just trust the one extra cert that's configured. That doesn't have this problem, but I think that's impractically difficult here since there's no public code & docs available for libliger anywhere I can see. We can't easily tell what certificate this function is handling.

I think there's probably a route through here. What do you think about adding a ENABLE_INSECURE_HOOKS variable in config.js, defaulting to false, and then:

  • This hook checks that variable, inside this function here.
  • If false, the first time the hook runs, it prints a "Insecure hook required" message with instructions: set ENABLE_INSECURE_HOOKS=true in config.js, but be aware that this is insecure and you could be intercepted by others on your network.
  • If true, run this line as here and disable TLS.

}
});
console.log(`[+] Hooked function: ${functionName}`);
} catch (err) {
console.log(`[-] Failed to hook function: ${functionName}: ${err.toString()}`);
}
}

function patchTargetLib(targetLib) {
// Get the peer certificates from an SSL pointer. Returns a pointer to a STACK_OF(CRYPTO_BUFFER)
// which requires use of the next few methods below to actually access.
Expand Down Expand Up @@ -190,5 +212,4 @@ function patchTargetLib(targetLib) {
} else if (customVerifyAddrs.length) {
console.log(`Patched ${customVerifyAddrs.length} custom_verify methods, but couldn't find get_psk_identity`);
}
}

}
Loading