krypted January 12th, 2016
idevicepair pair

Then tap Trust on the device itself. Then we’ll grab that udid with idevice_id:

idevice_id -l

Next, we’ll set up an rvi with rvictl and the -s option (here I’m just going to grab the udid since I only have one device plugged into my computer):

rvictl -s `idevice_id -l`

Then we can list the connections using rvictl with the -l option:

rvictl -l

Next, we’ll run a tcpdump using this newly constructed rvi0:

tcpdump -n -i rvi0

This will produce a lot of output. Let’s fire up the Nike FuelBand app and refresh our status. Watching the resultant traffic, we’ll see a line like this:

22:42:29.485691 IP 192.168.0.12.57850 > 18.104.22.168.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0

There’s an IP in there, 22.214.171.124. We can look this up and see that the servers are sitting on Amazon Web Services and verify it’s Nike. Watching the traffic with tcpdump we can then obtain GET, POST and other information sent and received. Using Wireshark we could get even more detailed data. Overall though, this article is meant to focus on the iOS side of this and not on debugging and refining the approach to using tcpdump/Wireshark. rvictl is a great tool in the iOS development cycle and for security researchers that are looking into how many of the apps on iOS devices exchange data. Enjoy.
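The steps above strung together as one script, as an added example that is not from the original post: it pairs the device, creates the rvi interface from the first attached UDID, captures a bounded number of packets to a pcap file (so Wireshark can open it later), tears the interface down again on exit, and then reduces tcpdump's text output to the list of hosts the app talked to, which is the "there's an IP in there" step done for a whole capture. The function names (capture_device_traffic, dest_of_line, unique_destinations) are my own; rvictl -x, tcpdump -w/-c/-r and idevice_id -l are real options of those tools, and the sample tcpdump lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumes libimobiledevice
# (idevicepair, idevice_id) and Xcode's rvictl are installed on the Mac and
# that exactly one iOS device is attached.
set -eu

# Print "destination-ip destination-port" for one line of tcpdump -n output.
# The destination is the field after ">" and looks like a.b.c.d.port: ; strip
# the trailing ":" and split the port off. Lines without ">" print nothing.
dest_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == ">") {
            d = $(i + 1); sub(/:$/, "", d)
            n = split(d, p, ".")
            if (n == 5) { print p[1] "." p[2] "." p[3] "." p[4], p[5]; exit }
        }
    }'
}

# Read tcpdump -n text on stdin and print each destination IP once.
# Pass the device's own IP as $1 to drop the replies coming back to it,
# leaving only the servers the apps reached out to.
unique_destinations() {
    self="${1:-}"
    awk -v self="$self" '{
        for (i = 1; i <= NF; i++) if ($i == ">") {
            d = $(i + 1); sub(/:$/, "", d)
            n = split(d, p, ".")
            if (n == 5) {
                ip = p[1] "." p[2] "." p[3] "." p[4]
                if (ip != self) print ip
            }
            break
        }
    }' | sort -u
}

# Pair, build the rvi from the attached device's UDID, capture $1 packets
# (default 2000) to device-capture.pcap, and remove the rvi on exit.
capture_device_traffic() {
    packets="${1:-2000}"
    # Pairing needs the Trust prompt accepted on the device itself.
    idevicepair pair
    udid=$(idevice_id -l | head -n 1)
    if [ -z "$udid" ]; then
        echo "no attached iOS device found" >&2
        return 1
    fi
    rvictl -s "$udid"
    # Tear the virtual interface down however the script exits.
    trap 'rvictl -x "$udid"' EXIT
    rvictl -l
    # -n: no name lookups; -c bounds the run; -w keeps a pcap for Wireshark.
    sudo tcpdump -n -i rvi0 -c "$packets" -w device-capture.pcap
    echo "wrote device-capture.pcap; summarise with:" >&2
    echo "  tcpdump -n -r device-capture.pcap | unique_destinations <device-ip>" >&2
}

# Only run the live capture when asked to and when rvictl is present:
#   sh rvi-capture.sh capture
if [ "${1:-}" = "capture" ] && command -v rvictl >/dev/null 2>&1; then
    capture_device_traffic 2000
else
    # Offline demonstration on constructed tcpdump lines (not a real capture).
    printf '%s\n' \
        '22:42:29.485691 IP 192.168.0.12.57850 > 203.0.113.10.443: Flags [S], seq 1, length 0' \
        '22:42:29.512001 IP 203.0.113.10.443 > 192.168.0.12.57850: Flags [S.], length 0' \
        '22:42:29.600100 IP 192.168.0.12.52000 > 192.168.0.1.53: 1+ A? example.invalid. (30)' \
        '22:42:30.001000 IP 192.168.0.12.57851 > 203.0.113.10.443: Flags [P.], length 100' \
        | unique_destinations 192.168.0.12
fi
```

The destination summary works whether or not the payload is TLS, since it only reads the packet headers; pulling request paths or bodies out of the capture, as the post goes on to do, is only possible for cleartext HTTP flows, so for an app that talks to port 443 the host list is usually the most you get from tcpdump alone.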
krypted November 19th, 2014