
TLS keys and decrypted QUIC|HTTP/3 packets extraction with Cronet library #24

Status: Open
josemariafr-upm opened this issue Mar 11, 2024 · 8 comments
Labels: bug (Something isn't working)

Comments

@josemariafr-upm (Author):

Hi friTap devs. I'm analyzing QUIC traffic in Android apps for a university project. To do so, I developed a simple app that makes HTTP requests to a URL in order to have a controlled environment, and I need the keys to decrypt those packets. I found this tool for that purpose, so I tried it.
The app uses the Cronet library (since it is the only one on Android that supports QUIC | HTTP/3) as the full HTTP client (I tried using OkHttp with a Cronet interceptor, but didn't manage to get QUIC packets), using the latest version available (119.6045.31) as well as the GMS Play services for Cronet (version 18.0.1).
I was wondering whether you know if the script supports those protocols and that library (underneath I think it uses OpenSSL or BoringSSL), or whether it's a bit problematic to get the keys.

These are the console traces when using it:

$ friTap -m -k keys.log -v -s <app_id> -do
Start logging
Press Ctrl+C to stop logging
spawning <app_id>
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging keylog file to keys.log
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0

My testing device is this one:
Make: Xiaomi
Model: Redmi 8
OS version: MIUI 12 (Android 10)

To give you further info, I have tested it with Chrome and Cromite (a Chrome fork) with no luck either, BUT with the eBay app I had luck:

$ friTap -m -p ebay.pcap -k ebay.log -v -s com.ebay.mobile -do
Start logging
Press Ctrl+C to stop logging
spawning com.ebay.mobile
[*] capturing only plaintext data
[*] Running Script on Android
[*] libssl.so found & will be hooked on Android!
[***] Found SSL_read 0x76d9856190
[***] Found SSL_write 0x76d98565bc
[***] Found SSL_get_fd 0x76d9856f60
[***] Found SSL_get_session 0x76d985ce70
[***] Found SSL_SESSION_get_id 0x76d985caf8
[***] Found SSL_new 0x76d98553c8
[***] Found SSL_CTX_set_keylog_callback 0x76d985895c
[***] Found getpeername 0x7770237910
[***] Found getsockname 0x7770237a30
[***] Found ntohs 0x7770232cd8
[***] Found ntohl 0x7770232cd0
[*] Android dynamic loader hooked.
[*] Logging TLS plaintext as pcap to ebay.pcap
[*] Logging keylog file to ebay.log
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[directory "."],nativeLibraryDirectories=[/system/lib64, /system/product/lib64, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[],nativeLibraryDirectories=[/data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/lib/arm64, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/base.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.en.apk!/lib/arm64-v8a, /data/app/com.google.android.gms-biuqhOyhJLWqL6scwcq_3Q==/split_config.xhdpi.apk!/lib/arm64-v8a, /system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmclient.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[*] Error in hooking ProviderInstallerImpl
Error: java.lang.ClassNotFoundException: Didn't find class "com.google.android.gms.security.ProviderInstaller" on path: DexPathList[[zip file "/system/framework/tcmiface.jar"],nativeLibraryDirectories=[/system/lib64, /system/product/lib64]]
[***] Remaining: AndroidNSSP version 1.0,AndroidOpenSSL version 1.0,CertPathProvider version 1.0,AndroidKeyStoreBCWorkaround version 1.0,BC version 1.61,HarmonyJSSE version 1.0,AndroidKeyStore version 1.0
[***] invoking keylog_callback from OpenSSL_BoringSSL 
...
(keys and traffic extracted)

Looking at the captured traffic I've seen that my app, Chrome and Cromite exchange QUIC traffic (with TLS 1.3), while eBay seems to use TLS 1.2, so that could be the reason (and, as you can see, the script detects the same library in my app and in eBay's).

Is there any other info you need?

Thanks in advance!
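The difference observed above (a TLS 1.2 session from eBay versus TLS 1.3/QUIC sessions from the test app, Chrome and Cromite) is visible directly in the key log that friTap writes with -k. The following checker is an added example and not friTap's code; it assumes only the standard NSS SSLKEYLOGFILE format (one `<LABEL> <client_random hex> <secret hex>` record per line). It groups records by ClientHello random, tells TLS 1.2 master secrets apart from TLS 1.3 traffic secrets, and flags TLS 1.3 sessions where the hook caught only some of the four secrets Wireshark needs to decrypt both the handshake and the 1-RTT data of a QUIC connection. The sample key log is constructed filler, not real key material.

```python
"""Sanity-check a key log in SSLKEYLOGFILE format (what friTap's -k writes)
and report, per TLS session, whether it holds a TLS 1.2 master secret or the
TLS 1.3 traffic secrets that QUIC/HTTP/3 decryption needs.

Added example, not friTap code. It assumes the standard NSS key log format:
one record per line, "<LABEL> <client_random hex> <secret hex>".
"""
from collections import defaultdict

TLS12_LABEL = "CLIENT_RANDOM"  # TLS 1.2: one master secret per session
TLS13_LABELS = {               # TLS 1.3 / QUIC: per-epoch traffic secrets
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Wireshark needs all four to decrypt both the handshake and the 1-RTT data of
# a TLS 1.3 / QUIC session; a hook that only catches some of them is not enough.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
CLIENT_RANDOM_HEX_LEN = 64        # 32-byte ClientHello random
MASTER_SECRET_HEX_LEN = 96        # 48-byte TLS 1.2 master secret
TLS13_SECRET_HEX_LENS = {64, 96}  # SHA-256 or SHA-384 based secrets


def _is_hex(s):
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def parse_keylog(text):
    """Return [(label, client_random, secret)], raising ValueError on a
    malformed record so garbled hook output is caught early instead of
    silently producing a log Wireshark cannot use."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts[0], parts[1].lower(), parts[2].lower()
        if len(client_random) != CLIENT_RANDOM_HEX_LEN or not _is_hex(client_random):
            raise ValueError(f"line {lineno}: bad client random")
        if label == TLS12_LABEL:
            ok = len(secret) == MASTER_SECRET_HEX_LEN
        elif label in TLS13_LABELS:
            ok = len(secret) in TLS13_SECRET_HEX_LENS
        else:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        if not ok or not _is_hex(secret):
            raise ValueError(f"line {lineno}: bad secret for {label}")
        records.append((label, client_random, secret))
    return records


def classify_sessions(records):
    """Group records by client random and say what each session gives us."""
    labels_by_session = defaultdict(set)
    for label, client_random, _ in records:
        labels_by_session[client_random].add(label)
    sessions = {}
    for client_random, labels in labels_by_session.items():
        has12, has13 = TLS12_LABEL in labels, bool(labels & TLS13_LABELS)
        version = "mixed" if has12 and has13 else "TLS1.3" if has13 else "TLS1.2"
        missing = sorted(TLS13_REQUIRED - labels) if version == "TLS1.3" else []
        sessions[client_random] = {
            "version": version,
            "labels": labels,
            "missing": missing,
            "complete": version == "TLS1.2" or (version == "TLS1.3" and not missing),
        }
    return sessions


# Constructed sample, not real keys: one TLS 1.2 session (like the eBay case
# above), one complete TLS 1.3 session, and one TLS 1.3 session where the
# hook only caught the handshake secrets.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'22' * 32} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'b4' * 32}",
    f"EXPORTER_SECRET {'22' * 32} {'b5' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c2' * 32}",
])

if __name__ == "__main__":
    for rnd, info in classify_sessions(parse_keylog(SAMPLE_KEYLOG)).items():
        state = "ok" if info["complete"] else "INCOMPLETE, missing " + ", ".join(info["missing"])
        print(f"{rnd[:16]}... {info['version']:7} {state}")
```

Run it against the real keys.log instead of SAMPLE_KEYLOG (read the file and pass its contents to parse_keylog) after a friTap session: a log that contains only CLIENT_RANDOM records, or TLS 1.3 sessions marked INCOMPLETE, explains on its own why Wireshark shows the QUIC 1-RTT packets still encrypted.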

@monkeywave monkeywave self-assigned this Mar 13, 2024
@monkeywave monkeywave added the bug Something isn't working label Mar 13, 2024
@monkeywave (Collaborator):

Hi,

thanks for this detailed issue. This helps in solving it :-)

Currently we are working on other issues related to Android. It might be that they have the same origin, but for now we aren't sure about that. As soon as we have fixed it or have further information about this issue, we will note it here.

@josemariafr-upm (Author):

> Hi,
>
> thanks for this detailed issue. This helps in solving it :-)
>
> Currently we are working on other issues related to Android. It might be that they have the same origin, but for now we aren't sure about that. As soon as we have fixed it or have further information about this issue, we will note it here.

Hi @monkeywave, sorry for the late reply.

Thank you! We'll wait for you. Hopefully you find something soon. If you want me to try experimental versions or other apps, don't hesitate to write to me.

@josemariafr-upm (Author):

Hi again @monkeywave, any news on this front? :D

@monkeywave (Collaborator):

Hi,

thanks for reporting this issue. I started looking into it and it might be that I have found a solution for it. Is it possible for you to share your test Android application so that I can test the working approach against it?

Thanks for your help :-)

All the best

Daniel

@josemariafr-upm (Author):

> Hi,
>
> thanks for reporting this issue. I started looking into it and it might be that I have found a solution for it. Is it possible for you to share your test Android application so that I can test the working approach against it?
>
> Thanks for your help :-)
>
> All the best
>
> Daniel

Hey Daniel! Sure thing. I have just uploaded the app and its source code here: https://github.com/STRAST-UPM/HTTP3URLGetter (I just tested the APK on my personal phone; it works as expected apart from the security warning).

Just remember, I'm not an app developer, so the structure and the code itself are very simple and not up to a proper standard :'D.

Anything else you need, just tell me.

@josemariafr-upm (Author):

> Hi,
>
> thanks for reporting this issue. I started looking into it and it might be that I have found a solution for it. Is it possible for you to share your test Android application so that I can test the working approach against it?
>
> Thanks for your help :-)
>
> All the best
>
> Daniel

Hi again @monkeywave, just wanted to know how it is going. Has the app been helpful? Did the solution work?

Cheers,
Jose

@monkeywave (Collaborator):

Hi Jose,

thank you for your App—it has been instrumental in helping us identify the root cause of the issue. Our current challenge is identifying the relevant functions for hooking, especially without symbols. When working with QUIC, we need to hook into the OpenSSL library, which is statically linked against Cronet. This requires us to pinpoint and hook the appropriate functions. So right now we don't have a working solution :-/

We appreciate your patience as we work through this, and we will update this thread with any progress as soon as possible.

All the best

Daniel

@monkeywave (Collaborator):

Hi @josemariafr-upm

at least on Android it should now be possible to hook even Cronet.
Could you test whether it's working in your cases?

All the best

Daniel
