friTap – Decrypting TLS Traffic on the Fly
In recent years, obtaining decrypted network traffic for forensic purposes and analysis has become an increasingly challenging task, for forensic researchers and law enforcement agencies alike. Current techniques such as SSL pinning may render established analysis approaches like MitM proxies useless and prevent investigators and researchers from gaining insight into encrypted traffic – even with full access to the device. In many cases, the time-consuming process of reverse engineering the application of interest has remained the only option for obtaining the keys needed to decrypt the network traffic, which lays the foundation for further protocol research and tool development.
In this talk, we present friTap, a methodical approach to intercepting the generation of the encryption keys used by TLS in order to decrypt the entire traffic an application sends. friTap is an open source framework built on top of FRIDA and is able to decrypt TLS traffic on all major operating systems and across different CPU architectures.
Our approach enables researchers in network forensics to analyze widely used proprietary network protocols in advance in order to gain insight into their structure, identify existing artifacts and, finally, develop methods and tools to aid future forensic analyses. To support this process, friTap provides an easy-to-use way for researchers to create the decrypted test data they need.
Daniel Baier is a security researcher at Fraunhofer FKIE focusing on mobile security. He is particularly interested in improving the efficiency of reverse engineering, and in automating it, for vulnerability research and mobile malware analysis. Apart from that, Daniel is also a dedicated teaching assistant at the University of Bonn, where he supervises students during seminars, labs, and theses.