This repository contains a Frida script to log session keys of TLS traffic between macOS processes and distant servers (such as Apple services).
No need for proxy interception to decrypt traffic anymore, though it might require to deactivate SIP.
Tested on a MacbookPro13,3 on Catalina, and Big Sur 11.3 beta 4.
Credits to Andy Davies for the original script that works with iOS devices.
- Turn off your Mac
- Hold down
cmd+Rduring boot - Choose Utilities, then Terminal
- Enter the command
csrutil disable
To enable again SIP, do the same steps but replace disable with enable.
Download the script and run the following command in a terminal:
frida -p <pid> -l catalina-tls-keylogger.js -o tls.keylogThe value -p <pid> can be replaced with -n <process_name>.
The log file can be used with Wireshark.
You can find details on this page by the original author.