diff --git a/src/mobile-pentesting/android-app-pentesting/flutter.md b/src/mobile-pentesting/android-app-pentesting/flutter.md index 8a5ccf11b12..f16ef465dc7 100644 --- a/src/mobile-pentesting/android-app-pentesting/flutter.md +++ b/src/mobile-pentesting/android-app-pentesting/flutter.md 
@@ -74,6 +74,37 @@ Flutter itself **ignores device proxy settings**. Easiest options: * **Android Studio emulator:** Settings ▶ Proxy → manual. * **Physical device:** evil Wi-Fi AP + DNS spoofing, or Magisk module editing `/etc/hosts`. +### Quick Flutter TLS bypass workflow (Frida Codeshare + system CA) +When you only need to observe a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA, and a drop-in Frida script is often faster than reverse-engineering libflutter.so: + +1. **Install your proxy CA in the system store.** Follow [Install Burp Certificate](install-burp-certificate.md) to hash/rename Burp's DER certificate and push it into `/system/etc/security/cacerts/` (writable `/system` required). + +2. **Drop a matching `frida-server` binary and run it as root** so it can attach to the Flutter process: + +```bash +adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server +adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'" +``` + +3. **Install the host-side tooling and enumerate the target package.** + +```bash +pip3 install frida-tools --break-system-packages +adb shell pm list packages -f | grep target +``` + +4. **Spawn the Flutter app with the Codeshare hook that neuters BoringSSL pin checks.** + +```bash +frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause +``` + +The Codeshare script overrides the Flutter TLS verifier so every certificate (including Burp's dynamically generated ones) is accepted, side-stepping public-key pin comparisons. + +5. **Route traffic through your proxy.** Configure the emulator Wi-Fi proxy GUI or enforce it via `adb shell settings put global http_proxy 10.0.2.2:8080`; if direct routing fails, fall back to `adb reverse tcp:8080 tcp:8080` or a host-only VPN. 
+ +Once the CA is trusted at the OS layer and Frida quashes Flutter's pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK. + ### Offset-based hook of BoringSSL verification (no signature scan) When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow: @@ -114,6 +145,7 @@ iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination : - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/) - [Flutter SSL Bypass: How to Intercept HTTPS Traffic When all other Frida Scripts Fail](https://m4kr0x.medium.com/flutter-tls-bypass-how-to-intercept-https-traffic-when-all-other-frida-scripts-fail-bd3d04489088) - [BoringSSL ssl_x509.cc (ssl_crypto_x509_session_verify_cert_chain)](https://github.com/google/boringssl/blob/main/ssl/ssl_x509.cc#L238) +- [SSL Pinning Bypass – Android](https://hardsoftsecurity.es/index.php/2025/11/26/ssl-pinning-bypass-android/) {{#include ../../banners/hacktricks-training.md}}
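Review bot: step 2 of the new workflow hard-codes the filename `frida-server-17.0.5-android-x86_64` while step 3 installs whatever `frida-tools` pip resolves at the time, and the server and client must be the same major version or the `frida -U` spawn in step 4 fails; suggest replacing the versioned filename with a placeholder and stating that the pushed server must match `frida --version` on the host. Two smaller points in the same hunk: the `adb shell "su -c '... &'"` line commonly hangs because the backgrounded server keeps the shell's stdout open (redirect output to `/dev/null` or wrap it in `nohup`), and step 5 sets `http_proxy` through `settings put global` without saying how to clear it afterwards (`settings put global http_proxy :0`), so the emulator keeps routing all traffic to the proxy after the session ends.

Review bot: the new reference in the second hunk is only appended to the list and is never cited from the "Quick Flutter TLS bypass workflow" section it appears to back; link it from that section so the steps are traceable to their source. Also, the entry title uses an en dash ("SSL Pinning Bypass – Android") while the neighbouring entries use a plain title or the raw URL; normalise it to the list's existing style.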