friTap Documentation¶

SSL/TLS Traffic Analysis Made Simple
Real-time key extraction and traffic decryption for security research
Quick Start¶
# Install friTap
pip install fritap
# Basic usage - Desktop application
sudo fritap --pcap capture.pcap firefox
# Mobile application analysis
fritap -m -k keys.log com.example.app
What is friTap?¶
friTap is a powerful cybersecurity research tool that simplifies SSL/TLS traffic analysis by automating key extraction and traffic decryption. Built on the Frida dynamic instrumentation framework, friTap enables security researchers to analyze encrypted network communications in real-time across multiple platforms.
Key Capabilities¶
- 🔑 Real-time Key Extraction: Automatically extract TLS keys as they're generated
- 📊 Live Traffic Decryption: Decrypt and save TLS payload as PCAP files
- 🌐 Multi-Platform Support: Works on Linux, Windows, macOS, Android, and iOS
- 🔧 Extensive Library Support: Supports OpenSSL, BoringSSL, NSS, GnuTLS, WolfSSL, and more
- 🚀 Pattern-Based Hooking: Hook stripped libraries without symbols
- 🔍 Advanced Analysis: Bypass anti-analysis techniques and SSL pinning
Use Cases¶
- Malware Analysis: Decrypt C&C communications and data exfiltration
- Privacy Research: Analyze application data transmission practices
- Security Testing: Validate SSL/TLS implementations and configurations
- Digital Forensics: Recover encrypted network communications
- Application Analysis: Understand how applications handle secure communications
How It Works¶
friTap uses dynamic instrumentation to intercept SSL/TLS operations at the library level:
- Library Detection: Automatically identifies the SSL/TLS library used by the target application
- Hook Injection: Dynamically hooks key functions (read, write, key generation)
- Data Extraction: Captures plaintext data and encryption keys in real-time
- Output Generation: Saves results as PCAP files or key logs for analysis
Supported Platforms & Libraries¶
Library | Linux | Windows | macOS | Android | iOS | Key Features |
---|---|---|---|---|---|---|
OpenSSL | ✅ Full | 🔄 R/W | 🚧 TBI | ✅ Full | 🚧 TBI | Most widely used |
BoringSSL | ✅ Full | 🔄 R/W | 🔑 Keys | ✅ Full | 🔑 Keys | Google's OpenSSL fork |
NSS | ✅ Full | 🔄 R/W | 🚧 TBI | 🔑 Keys | 🚧 TBI | Mozilla's library |
GnuTLS | 🔄 R/W | 🔄 R/W | 🚧 TBI | ✅ Full | 🚧 TBI | GNU project library |
WolfSSL | 🔄 R/W | 🔄 R/W | 🚧 TBI | ✅ Full | 🚧 TBI | Embedded/IoT focused |
mbedTLS | 🔄 R/W | 🔄 R/W | 🚧 TBI | ✅ Full | 🚧 TBI | Lightweight library |
Schannel | ❌ | ✅ Full | ❌ | ❌ | ❌ | Windows native SSL/TLS |
Conscrypt | 🚧 TBA | 🚧 TBA | 🚧 TBA | ✅ Full | 🚧 TBA | Android system SSL |
S2N-TLS | ✅ Full | ❌ | 🚧 TBA | ✅ Full | ❌ | AWS library |
RustTLS | 🔑 Keys | 🚧 TBI | 🚧 TBI | 🔑 Keys | 🚧 TBI | Rust implementation |
Legend: - ✅ Full: Complete support (keys + traffic decryption) - 🔄 R/W: Read/Write hooks only (traffic without keys) - 🔑 Keys: Key extraction only - 🚧 TBI: To Be Implemented - 🚧 TBA: To Be Analyzed - ❌ N/A: Not applicable to platform
Getting Started¶
Prerequisites¶
- Python 3.7+
- Frida 16.0+ (new changes will only work on frida >=17)
- Administrative privileges (for desktop applications)
- ADB access (for Android analysis)
Installation¶
Basic Examples¶
Documentation Sections¶
📖 Getting Started¶
Installation, setup, and basic concepts to get you up and running quickly.
💡 Usage Examples¶
Comprehensive examples for different platforms and use cases with real-world scenarios.
🔧 Platform Guides¶
Detailed guides for Android, iOS, Linux, Windows, and macOS analysis.
🚀 Advanced Features¶
Pattern-based hooking, spawn gating, anti-detection techniques, and custom scripts.
📚 API Reference¶
Complete API documentation for Python integration and CLI usage.
🐛 Troubleshooting¶
Solutions for common issues, debugging techniques, and performance optimization.
Community & Support¶
- 🐙 GitHub: fkie-cad/friTap
- 📧 Email: daniel.baier@fkie.fraunhofer.de
- 📄 Research: OSDFCon Webinar
- 📝 Blog: Technical Deep Dive
License¶
friTap is released under the GPL v3 License.
Inspired by SSL_Logger and developed by Fraunhofer FKIE CAD