friTap Documentation¶

SSL/TLS Traffic Analysis Made Simple

Real-time key extraction and traffic decryption for security research

Quick Start¶

# Install friTap
pip install fritap

# Basic usage - Desktop application
sudo fritap --pcap capture.pcap firefox

# Mobile application analysis
fritap -m -k keys.log com.example.app

What is friTap?¶

friTap is a powerful cybersecurity research tool that simplifies SSL/TLS traffic analysis by automating key extraction and traffic decryption. Built on the Frida dynamic instrumentation framework, friTap enables security researchers to analyze encrypted network communications in real-time across multiple platforms.

Key Capabilities¶

• 🔑 Real-time Key Extraction: Automatically extract TLS keys as they're generated
• 📊 Live Traffic Decryption: Decrypt and save TLS payload as PCAP files
• 🌐 Multi-Platform Support: Works on Linux, Windows, macOS, Android, and iOS
• 🔧 Extensive Library Support: Supports OpenSSL, BoringSSL, NSS, GnuTLS, WolfSSL, and more
• 🚀 Pattern-Based Hooking: Hook stripped libraries without symbols
• 🔍 Advanced Analysis: Bypass anti-analysis techniques and SSL pinning

Use Cases¶

• Malware Analysis: Decrypt C&C communications and data exfiltration
• Privacy Research: Analyze application data transmission practices
• Security Testing: Validate SSL/TLS implementations and configurations
• Digital Forensics: Recover encrypted network communications
• Application Analysis: Understand how applications handle secure communications

How It Works¶

friTap uses dynamic instrumentation to intercept SSL/TLS operations at the library level:

1. Library Detection: Automatically identifies the SSL/TLS library used by the target application
2. Hook Injection: Dynamically hooks key functions (read, write, key generation)
3. Data Extraction: Captures plaintext data and encryption keys in real-time
4. Output Generation: Saves results as PCAP files or key logs for analysis

Supported Platforms & Libraries¶

Legend: - ✅ Full: Complete support (keys + traffic decryption) - 🔄 R/W: Read/Write hooks only (traffic without keys) - 🔑 Keys: Key extraction only - 🚧 TBI: To Be Implemented - 🚧 TBA: To Be Analyzed - ❌ N/A: Not applicable to platform

Getting Started¶

Prerequisites¶

• Python 3.7+
• Frida 16.0+ (new changes will only work on frida >=17)
• Administrative privileges (for desktop applications)
• ADB access (for Android analysis)

Installation¶

# Install from PyPI
pip install fritap

# Verify installation
fritap --help

Basic Examples¶

# Capture Firefox traffic
sudo fritap --pcap firefox_traffic.pcap firefox

# Extract keys from Thunderbird
sudo fritap -k thunderbird_keys.log thunderbird

# Analyze mobile app with key extraction
fritap -m -k keys.log com.example.app

# Full packet capture with decryption
fritap -m --pcap decrypted.pcap com.example.app

# Hook libraries without symbols when the default patterns not working
fritap --patterns patterns.json -k keys.log target_app

# Debug pattern matching
fritap -do -v --patterns patterns.json target_app

Documentation Sections¶

📖 Getting Started¶

Installation, setup, and basic concepts to get you up and running quickly.

💡 Usage Examples¶

Comprehensive examples for different platforms and use cases with real-world scenarios.

🔧 Platform Guides¶

Detailed guides for Android, iOS, Linux, Windows, and macOS analysis.

🚀 Advanced Features¶

Pattern-based hooking, spawn gating, anti-detection techniques, and custom scripts.

📚 API Reference¶

Complete API documentation for Python integration and CLI usage.

🐛 Troubleshooting¶

Solutions for common issues, debugging techniques, and performance optimization.

Community & Support¶

• 🐙 GitHub: fkie-cad/friTap
• 📧 Email: daniel.baier@fkie.fraunhofer.de
• 📄 Research: OSDFCon Webinar
• 📝 Blog: Technical Deep Dive

License¶

friTap is released under the GPL v3 License.

Inspired by SSL_Logger and developed by Fraunhofer FKIE CAD