fkie-cad / fritap
The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS.
License: GNU General Public License v3.0
I was just browsing through the code to see what is being hooked. The following stood out a bit:
I'm thinking maybe ObjC.available should become Java.available since this is for Android? If this is not the case, then we can probably hardcode the NativeFunction directly? I'm missing some context, so not sure what is exactly going on here.
I was using FriTap to perform full capture using '-f' and I receive a message such as 'tcpdump: pcap_loop: invalid packet capture length 1698917240, bigger than snaplen of 262144'.
Following is the command used to execute FriTap: python3 friTap.py -m -s -f --pcap mycapture.pcap --keylog=mykeylog.keylog <package_name> -v
Additionally, the full capture pcap when opened in Wireshark indicates that the "_mycapture.pcap" is corrupted. For instance, both src and dst IP addresses are corrupted and point to localhost. Additionally, in the HTTP header field I see messages such as these:
[truncated]l\001\001\001�\000\000\000d\000\000\000�\000\000\000\001\001o\000;\000\000\000/re/frida/AgentMessageSink/137ac7aa76164367af65aff5df041619\000\000\000\000\000\002\001s\000\033\000\000\000re.frida.AgentMessageSink16\000\000\
This makes me wonder if it is because tcpdump is also capturing the communication between frida server and the app? Is the packet size higher and corrupted because friTap is rewriting packets multiple times somewhere?
Finally, one more question: What is the difference between --socket_trace and --full_capture options?
I have attached an example screenshot of the corrupted pcaps that friTap returns. If we can pinpoint the exact problem here, I'm happy to submit patches if required. Thanks.
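A record-by-record pcap sanity check, added here as an illustration and not part of friTap: it reproduces the "capture length bigger than snaplen" condition that made tcpdump abort above and reports the byte offset of the first broken record, which is where foreign bytes entered the file. Note that the length tcpdump complained about, 1698917240, is 0x65436B78, i.e. the ASCII bytes "xkCe" read little-endian, the signature of non-pcap data landing in a record header; a 24-byte file, by contrast, is just the global header with zero packets. The sample capture and the corruption are constructed inline.

```python
import struct

# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-record header: ts_sec, ts_frac, caplen (bytes saved), origlen (bytes on wire)
RECORD_HDR = struct.Struct("<IIII")
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D


def check_pcap(data: bytes) -> dict:
    """Walk a little-endian pcap byte string and report the first broken record.

    Returns {"ok", "packets", "error", "offset"}; "offset" is the byte position
    of the offending record header, i.e. where foreign bytes entered the file.
    A 24-byte file is a valid capture with zero packets, not a corrupt one.
    """
    def fail(msg, off, n):
        return {"ok": False, "packets": n, "error": msg, "offset": off}

    if len(data) < GLOBAL_HDR.size:
        return fail("file shorter than the 24-byte global header", 0, 0)
    magic, _maj, _min, _tz, _sig, snaplen, _lt = GLOBAL_HDR.unpack_from(data, 0)
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        return fail(f"bad magic 0x{magic:08x}", 0, 0)
    off, n = GLOBAL_HDR.size, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            return fail("truncated record header", off, n)
        _sec, _frac, caplen, origlen = RECORD_HDR.unpack_from(data, off)
        # the same sanity check that made tcpdump's pcap_loop abort in the report
        if caplen > snaplen:
            return fail(f"invalid packet capture length {caplen}, "
                        f"bigger than snaplen of {snaplen}", off, n)
        if caplen > origlen:
            return fail(f"caplen {caplen} exceeds wire length {origlen}", off, n)
        if off + RECORD_HDR.size + caplen > len(data):
            return fail("packet data runs past end of file", off, n)
        off += RECORD_HDR.size + caplen
        n += 1
    return {"ok": True, "packets": n, "error": None, "offset": off}


def build_pcap(frames, snaplen=262144, linktype=1):
    """Assemble a little-endian pcap from raw frame bytes (constructed test input)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for i, frame in enumerate(frames):
        out += RECORD_HDR.pack(1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def overwrite_caplen(pcap, record_index, raw4):
    """Overwrite record N's caplen field with 4 arbitrary bytes (constructed corruption)."""
    off = GLOBAL_HDR.size
    for _ in range(record_index):
        off += RECORD_HDR.size + RECORD_HDR.unpack_from(pcap, off)[2]
    buf = bytearray(pcap)
    buf[off + 8:off + 12] = raw4
    return bytes(buf)


if __name__ == "__main__":
    good = build_pcap([b"\x00" * 60, b"\x01" * 100])
    # ASCII "xkCe" read little-endian is 0x65436B78 = 1698917240, the value in the report
    print(check_pcap(overwrite_caplen(good, 1, b"xkCe")))
```

Running it against a real capture (`check_pcap(open("mycapture.pcap", "rb").read())`) tells you whether the damage starts at the first record, which points at two writers sharing one file, or partway through.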
With Frida 16.0.11 already installed, running pip3 install fritap results in Frida 15.x installing over my existing Frida, causing breakage to my other stuff.
Apps crash with error Failed to install provider as highest priority provider. Provider was installed at position 8.
Tested under Linux and Windows, with different python versions with: python friTap.py -m -s com.package.
Output:
Start logging
spawning com.package
Press Ctrl+C to stop logging.
[*] Running Script
[*] libssl.so found & will be hooked on Linux!
Loader error: Linux Dynamic loader not found!
[*] No dynamic loader present for hooking.
Thx for using friTap
Have a nice day
Mobile test setup:
Tested with different apps, same behavior for all.
Logcat:
03-01 13:46:55.758 16788 16788 D AndroidRuntime: Shutting down VM
03-01 13:46:55.759 16788 16788 E AndroidRuntime: FATAL EXCEPTION: main
03-01 13:46:55.759 16788 16788 E AndroidRuntime: Process: com.package, PID: 16788
03-01 13:46:55.759 16788 16788 E AndroidRuntime: java.lang.RuntimeException: Failed to install provider as highest priority provider. Provider was installed at position 8
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.security.net.config.NetworkSecurityConfigProvider.install(NetworkSecurityConfigProvider.java:40)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5798)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.app.ActivityThread.handleBindApplication(Native Method)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.app.ActivityThread.-wrap3(ActivityThread.java)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1699)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:102)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.os.Looper.loop(Looper.java:154)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:6682)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1520)
03-01 13:46:55.759 16788 16788 E AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1410)
Hello, I have already seen an issue like this, but none of the solutions worked for me. I am on iOS 16.0, and I am also using Windows. I have tested it with more than 10 applications, and all the packets were empty. I will leave some screenshots below.
All the packets as in the below screenshot were 24 bytes or empty. I don't know if the issue is specific to me or not, but I will try and find a solution.
Hi,
first of all thank you for providing this very useful repo! I'm using it for privacy analysis of apps.
I'm happy to see that you published a new version and wanted to try it out.
Unfortunately I'm getting the following error when testing:
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[directory "."],nativeLibraryDirectories=[/system/lib64, /system/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/base.apk"],nativeLibraryDirectories=[/data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/lib/x86_64, /data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/base.apk!/lib/x86_64, /system/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/base.apk"],nativeLibraryDirectories=[/data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/lib/x86_64, /data/app/com.nbb.app-HC732FCk9l7MvZ5IVB1HYg==/base.apk!/lib/x86_64, /system/lib64]]
Command used: friTap -m --spawn --keylog keylog.log com.nbb.app
Devices tested:
Currently friTap is not working when using Python 3.12.
When running it I get the following error: ModuleNotFoundError: No module named 'distutils'
This seems to be due to the removal of the formerly standard, but deprecated, module distutils in Python 3.12 (see the release notes).
For now a workaround that worked for me is to manually install setuptools, which also provides 'distutils'. Following the suggestion on Stackoverflow:
$ pip3 install setuptools
Any plans on porting friTap to Python 3.12?
If you try to record data for
The only requests that are intercepted are gRPC calls to firebaseinstallations.googleapis.com, which can't be all of it.
They are using native Unity libraries that have their own SSL if desired.
I have an instance of nox rooted with usb debugging enabled and connected to a frida-server. However, when I attempt to run the command fritap -m -k keys.log -v -s , I get this error:
[-] Unknown error: device not found
I've also tried running it with the command fritap -H 127.0.0.1:62027 -k keys.log -v -s as this appears to be the ip and port of my connected device, but I get:
[-] Unknown error: connection closed
Any advice on how to configure fritap to work with nox (or any emulator) apps would be appreciated. Thanks!
Hi friTap devs. I'm analyzing QUIC traffic in Android apps for a university project. To do so, I developed a simple app that makes HTTP requests to a URL in order to have a controlled environment, and for that I need to get the keys to decrypt those packets, and I found this tool for that purpose, so I tried it.
The app uses the Cronet library (since it is the only one in Android that supports QUIC | HTTP/3) for the full HTTP client (I tried using OkHttp with a Cronet interceptor, but didn't manage to get QUIC packets), using the latest version available (119.6045.31) as well as the GMS Play services for Cronet (version 18.0.1).
I was wondering if you know whether the script has support for those protocols and that library (underneath I think it uses OpenSSL or BoringSSL), or whether you know it's a bit problematic to get the keys.
These are the console traces when using it:
$ friTap -m -k keys.log -v -s <app_id> -do
Start logging
Press Ctrl+C to stop logging
spawning <app_id>
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging keylog file to keys.log
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0
My testing device is this one:
Make: Xiaomi
Model: Redmi 8
OS version: MIUI 12 (Android 10)
To give you further info, I have tested it with Chrome and Cromite (a Chrome fork) with no luck too, BUT with the Ebay app I had luck:
$ friTap -m -p ebay.pcap -k ebay.log -v -s com.ebay.mobile -do
Start logging
Press Ctrl+C to stop logging
spawning com.ebay.mobile
[*] capturing only plaintext data
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging TLS plaintext as pcap to ebay.pcap
[*] Logging keylog file to ebay.log
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[directory "."],nativeLibraryDirectories=[/system/lib64, /system/product/lib64, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[],nativeLibraryDirectories=[/data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/lib/arm64, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/base.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.en.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.xhdpi.apk!/lib/arm64-v8a, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmclient.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmiface.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0
[***] invoking keylog_callback from OpenSSL_BoringSSL
...
(keys and traffic extracted)
Looking at the captured traffic I've seen that my app, Chrome and Cromite exchange QUIC traffic (with TLS 1.3), while Ebay seems to use TLS 1.2, so that could be a reason (and, as you can see, the script detects the same library in my app and in Ebay's).
Do you need any other info?
Thanks in advance!
I am trying to use the friTap.py tool for monitoring SSL/TLS traffic on my Android device. I've executed the script with the following command:
./friTap.py -m -k keys.log -v -s com.google.android.youtube
Upon running the script, I observed the following output:
Start logging
Press Ctrl+C to stop logging
spawning com.google.android.youtube
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[*] Android dynamic loader hooked.
[*] Logging keylog file to keys.log
[*] Blocking provider registration of Ssl_Guard
No Logging: Even though the script indicates that logging has started, I am not seeing any entries in the keys.log file.
Blocking Ssl_Guard: The output mentions "Blocking provider registration of Ssl_Guard," but there is no additional information or log entries related to this action.
Could you please assist me in understanding what might be going wrong, and how to resolve these issues?
Hi team,
Thank you for your great repo.
I think we need to add options to load custom scripts before logging TLS. Because some applications have protection, they terminate before running. Loading a custom script to bypass it would be a nice feature.
Traceback (most recent call last):
File "d:\python\python_original\lib\runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "d:\python\python_original\lib\runpy.py", line 87, in _run_code
exec(code, run_globals)
File "D:\python\python_original\Scripts\friTap.exe\__main__.py", line 4, in <module>
File "d:\python\python_original\lib\site-packages\friTap\friTap.py", line 16, in <module>
import friTap.pcap as pcap
File "d:\python\python_original\lib\site-packages\friTap\pcap.py", line 16, in <module>
import friTap.android as android
File "d:\python\python_original\lib\site-packages\friTap\android.py", line 14, in <module>
from importlib_resources import files
ModuleNotFoundError: No module named 'importlib_resources'
Hi,
I've found two issues when trying to extract keys of iOS apps. I've used iOS 14 devices for all my tests.
It seems that the tls_lib is not yet loaded when Frida tries to hook it. A simple workaround could be a while loop:
Thanks!
Hi, I am trying to capture traffic and logs showing that tool is working fine but I am getting empty pcap file (24 bit size). I have tried 4-5 different mobile apps and none of them worked.
Tried latest friTap via pypi as well as cloned repo.
Tried two different frida-tool/server versions. Frida is working fine
Hi,
I have been testing friTap on Pixel 6a with Android 13. The device is rooted using magisk. Although I'm able to capture "full_capture" as it is done via tcpdump, none of the plaintext traffic is being captured for some reason.
Initial investigation made me realise that it is due to the fact that none of the "datalog" entries are being forwarded: message["contentType"] = "datalog". Could this mean that the hooks on native SSL libraries do not work for Android 13?
Hello, I think this project is very helpful for analyzing app traffic. I did a quick test on Ubuntu, capturing the traffic and keys of an app on an Android phone, and decrypted it successfully.
I have a few questions:
1. The project description says all operating systems are supported, but unfortunately my test of the project on Windows failed, while the same steps succeeded on Ubuntu. Are there any steps that differ on Windows?
2. Since I currently only have Android devices to test with, I would like to know whether the project can successfully decrypt apps on HarmonyOS and on iPhones.
3. My expertise is currently limited; my understanding of this decryption is that it finds the entry points of the various functions called by SSL and then hooks out the keys. If I want to improve the project further, can I add more SSL functions to decrypt more traffic packets, and which source file should I read and modify?
I would be very grateful for any advice!
Hi,
I tried using friTap and conscrypt hooking on an Android 13 device running latest Lineage with MicroG. When spawning the app through friTap, I get a segfault / "Process terminated" error. I do not get the same error when attaching to a running app.
I managed to trace it back to this line and commenting it does solve the issue.
This is reproducible with both the microG implementation and the GMS one.
I can provide further information and steps to reproduce privately if this might be useful for debugging.
Best
When spawn and full capture are enabled, pcap.PCAP is called twice, starting tcpdump twice.
Example:
./friTap.py -m -f -k keylog -p 12.pcap -s com.package
[*] capturing whole traffic of target app
[*] doing full capture on Android
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[*] capturing whole traffic of target app
[*] doing full capture on Android
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[*] Running Script on Android
I fixed it like this, but not sure if this is the right logic:
diff --git a/friTap/friTap.py b/friTap/friTap.py
index 24f36d5..893892c 100644
--- a/friTap/friTap.py
+++ b/friTap/friTap.py
@@ -379,7 +379,7 @@ def ssl_log(app, pcap_name=None, verbose=False, spawn=False, keylog=False, enabl
print(f'[*] friTap will continue after the named pipe is ready....\n')
pcap_obj = pcap.PCAP(fifo_file,SSL_READ,SSL_WRITE,full_capture, mobile,debug_mode)
- elif pcap_name:
+ elif pcap_name and (not(spawn) or not(full_capture)):
pcap_obj = pcap.PCAP(pcap_name,SSL_READ,SSL_WRITE,full_capture, mobile,debug_mode)
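Review bot: the new guard `elif pcap_name and (not(spawn) or not(full_capture)):` only skips this second construction for the spawn+full_capture combination, and the hunk does not show where pcap_obj is assigned in that case; if the first pcap.PCAP(...) call the issue describes does not sit on every path that reaches this elif, pcap_obj is unbound for spawn+full_capture runs. Prefer removing the duplicate call at its other site so exactly one construction remains, or at least write the intent readably as `elif pcap_name and not (spawn and full_capture):` (`not spawn` rather than `not(spawn)`, per PEP 8) and add a one-line comment saying why spawn+full_capture is excluded here.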
what is the reason?
friTap -m -s --pcap mycapture.pcap com.example.app
Start logging
Press Ctrl+C to stop logging
spawning com.example.app
[*] capturing only plaintext data
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[*] Android dynamic loader hooked.
[*] Logging TLS plaintext as pcap to mycapture.pcap
[*] Process is loading ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.common.security.ProviderInstallerImpl" on path: DexPathList[[directory "."],nativeLibraryDirectories=[/system/lib64, /system_ext/lib64, /system/lib64, /system_ext/lib64]]
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.common.security.ProviderInstallerImpl" on path: DexPathList[[zip file "/data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/base.apk"],nativeLibraryDirectories=[/data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/lib/arm64, /data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/base.apk!/lib/arm64-v8a, /system/lib64, /system_ext/lib64]]
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.common.security.ProviderInstallerImpl" on path: DexPathList[[zip file "/data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/base.apk"],nativeLibraryDirectories=[/data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/lib/arm64, /data/app/~~DjnQg25Wu1oNLJQJ3Tmjjw==/com.example.app-X1iquwhb9WnWin5pKS7-qg==/base.apk!/lib/arm64-v8a, /system/lib64, /system_ext/lib64]]
[*] is here the error
[*] number
[*] Target process stopped: process-terminated
Thx for using friTap
Have a nice day
Hello. Thanks for this great project. I'm interested in helping to add support for Flutter based apps. Is there any info/insights you can provide me to help get started? Thanks!
I am testing the app "Rucoy Online" for http data upon character login.
Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.
It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection.
I assume the hooked functions correspond to this.
This app is on the playstore, feel free to give it a try!
Some applications run LIBCEF, aka Chromium Embedded Framework which in turn is using tls somewhere. Probably boringtls
I tried to attach fritap to every spawned sub-process (it would be nice if fritap would automatically cover processes that are spawned from the main process as well), including those that seem to connect to the outside world.
The pcap stays empty. So I was wondering if this is supposed to work or if I am doing something wrong?