fkie-cad / friTap

The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS.

TLS keys and decrypted QUIC|HTTP/3 packets extraction with Cronet library

josemariafr-upm opened this issue · comments

Hi friTap devs. I'm analyzing QUIC traffic in Android apps for a university project. To do so, I developed a simple app that makes HTTP requests to a URL in order to have a controlled environment, and to do so I need to get the keys to decrypt those packets. I found this tool for that purpose, so I tried it.
The app uses the Cronet library (since it is the only one in Android that supports QUIC | HTTP/3) for the full HTTP client (I tried using OkHttp with a Cronet interceptor, but didn't manage to get QUIC packets), using the latest version available (119.6045.31) as well as the GMS Play services for Cronet (version 18.0.1).
I was wondering if you know whether the script supports those protocols and that library (underneath I think it uses OpenSSL or BoringSSL), or whether you know it's a bit problematic to get the keys.

These are the console traces when using it:

$ friTap -m -k keys.log -v -s <app_id> -do
Start logging
Press Ctrl+C to stop logging
spawning <app_id>
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging keylog file to keys.log
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0

My testing device is this one:
Make: Xiaomi
Model: Redmi 8
OS version: MIUI 12 (Android 10)

To give you further info, I have tested it with Chrome and Cromite (a Chrome fork) with no luck either, BUT with the eBay app I had luck:

$ friTap -m -p ebay.pcap -k ebay.log -v -s com.ebay.mobile -do
Start logging
Press Ctrl+C to stop logging
spawning com.ebay.mobile
[*] capturing only plaintext data
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging TLS plaintext as pcap to ebay.pcap
[*] Logging keylog file to ebay.log
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[directory "."],nativeLibraryDirectories=[/system/lib64, /system/product/lib64, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[],nativeLibraryDirectories=[/data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/lib/arm64, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/base.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.en.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.xhdpi.apk!/lib/arm64-v8a, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmclient.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmiface.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0
[***] invoking keylog_callback from OpenSSL_BoringSSL 
...
(keys and traffic extracted)

Looking at the captured traffic I've seen that my app, Chrome and Cromite exchange QUIC traffic (with TLS 1.3), while eBay seems to use TLS 1.2, so that could be a reason (and, as you can see, the script detects the same library in my app and in eBay's).

Do you need any other info?

Thanks in advance!
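One way to check, from the keys.log that friTap writes, whether the keylog callback fired for the TLS 1.3 / QUIC sessions at all or only for the TLS 1.2 ones. This is an added example, not code from the issue or from friTap; it assumes the file is in the NSS Key Log Format that Wireshark reads, and the sample lines are constructed.

```python
import re

# Labels as defined by the NSS Key Log Format (what Wireshark's "(Pre)-Master-Secret log" expects).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_APP_DATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <label> <32-byte client_random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z_0-9]+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)$")

# Constructed sample: one TLS 1.2 session (aa..), one complete TLS 1.3 session (bb..)
# and one TLS 1.3 session where only the handshake secrets were logged (cc..).
SAMPLE_KEYLOG = "\n".join([
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "66" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "77" * 32,
])


def parse_keylog(text):
    """Return [(label, client_random, secret)]; skip blanks and '#' comments, reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in NSS key log format: {line!r}")
        entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def summarize(entries):
    """Group entries by client_random -> {client_random: (version, decryptable)}.
    A TLS 1.3 session is only decryptable by Wireshark once both *_TRAFFIC_SECRET_0 lines exist."""
    sessions = {}
    for label, client_random, _secret in entries:
        sessions.setdefault(client_random, set()).add(label)
    summary = {}
    for client_random, labels in sessions.items():
        if labels & TLS12_LABELS:
            summary[client_random] = ("TLS1.2", True)
        else:
            summary[client_random] = ("TLS1.3", TLS13_APP_DATA <= labels)
    return summary


if __name__ == "__main__":
    for cr, (version, ok) in summarize(parse_keylog(SAMPLE_KEYLOG)).items():
        print(f"{cr[:8]}... {version} app-data decryptable={ok}")
```

If a keylog from a QUIC-only app contains no TLS 1.3 labels at all, the callback was never invoked for those connections, which separates "hook installed" from "hook fired".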

Hi,

thx for this detailed issue. This helps in order to solve this :-)

Currently we are working on other issues related to Android. It might be that they have the same origin, but for now we aren't sure about that. As soon as we have fixed it or have further information about this issue we will note it here.

Hi @monkeywave, sorry for the late reply.

Thank you! We'll wait for you. Hopefully you find something soon. If you want me to try experimental versions or other apps don't hesitate to write me.

Hi again @monkeywave, any news on this front? :D