Unable to log TLS keys or traffic with an android app
Opened this issue · 8 comments
I am testing the app "Rucoy Online" for http data upon character login.
Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.
It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection.
I assume the hooked functions correspond to this.
This app is on the playstore, feel free to give it a try!
I guess we have another game engine (LibGDX) here that , like Unity, comes with its own network stack. (https://libgdx.com/wiki/networking)
It is just not supported at this point in time .
On some Android devices the following code will return since SSL_get_fd return -1
Interceptor.attach(this.addresses["SSL_write"],
{
onEnter: function (args: any) {
if (!ObjC.available){
this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0])
if(this.fd < 0) {
return
}
var message = getPortsAndAddresses(this.fd as number, false, lib_addesses)
message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0])
message["function"] = "SSL_write"
message["contentType"] = "datalog"
I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.
Hi,
On some Android devices the following code will return since SSL_get_fd return -1
Interceptor.attach(this.addresses["SSL_write"], { onEnter: function (args: any) { if (!ObjC.available){ this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0]) if(this.fd < 0) { return } var message = getPortsAndAddresses(this.fd as number, false, lib_addesses) message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0]) message["function"] = "SSL_write" message["contentType"] = "datalog"I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.
Originally, friTap was designed with live forensics in mind, aiming to preserve socket information for thorough analysis. We've since introduced a new feature, --enable_default_fd, which supplies default socket information when writing to the pcap file. This enhancement ensures that users have access to essential data, even when specific socket details are unavailable, thereby maintaining the utility and effectiveness of forensic investigations.
I am testing the app "Rucoy Online" for http data upon character login. Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.
It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection. I assume the hooked functions correspond to this.
This app is on the playstore, feel free to give it a try!
Can you retry it with the latest friTap version (1.1.0.5). Also consider the following:
https://github.com/fkie-cad/friTap?tab=readme-ov-file#problems
Hello,
Thank you for the update, I tried using the new version of Fritap on the same app, but now I am receiving these errors:
As you can see, I have run the command for both key logging and pcap traffic, with and without the --enable_default_fd flag for each case. Do you know what these errors mean?
The device I am using is a Genymotion emulated Google Nexus 4. If anyone can somehow succesfully log the TLS keys/traffic for this app, help would be appreciated. Thanks!
Hi,
there was a bug how friTap hooked Conscrypt and other Android related libraries in the past which should be solved in the latest version of friTap (version 1.1.1.0) .
Can you try to log the keys in the latest version of friTap?
Hi, thank you for the response
This is my result after trying fritap -m -k rucoykeys.log -v -s com.mmo.android -d with current latest version of friTap (1.1.1.2):
Hi @thecoder8324 ,
you can test it again with the latest release of friTap to log the keys (1.2.2.0).
If it is still not working it would help use if you could provide us the result of Process.enumerateModules() when connected with frida itself.
All the best
Daniel