Finally, SSL Pinning for Flutter Bypassed After Frustration.

Rizaldi Wahaz
2 min read · Aug 23, 2024


Hello friends, it’s been a long time since I’ve written anything, but I’ve finally motivated myself to start writing and sharing again — of course, about cybersecurity. Today, I want to share my experience in mobile pentesting, specifically with Android apps built using the Flutter framework.

There are several popular ways to bypass SSL pinning:

  1. Using Frida (easy if you can get the right scripts, or you can write your own)
  2. Using Objection (personally, I rarely use this)
  3. Using DroidProxy (worth trying for the experience)
  4. reFlutter (in this case I tried to extract the APK from the Play Store, but it was broken; I still don’t know why)
  5. Reverse the APK and modify the Smali code (stressful)
  6. etc.

Of course, as a L̶a̶z̶y̶ Professional Pentester, I tried the best method first, which is using the mighty Frida. But, for whatever reason, the script I usually use was not working :/

I tried a ton of scripts, but still got nothing — until I found this GitHub repository:

https://github.com/NVISOsecurity/disable-flutter-tls-verification

Credits to the author. It worked!! Thank God, finally I can continue my pentest work in more depth with my lovely Burp Suite ❤

Here is the step-by-step bypass using Frida:

  1. Download frida-server: select the latest release and the build that matches the architecture of your emulator device
    https://github.com/frida/frida/releases
  2. Install adb on your PC (there are a lot of tutorials about this; you can google it)
  3. Push frida-server to the emulator device
    $ adb push frida-server /data/local/tmp/
  4. Change the permissions of frida-server
    $ adb shell "chmod 755 /data/local/tmp/frida-server"
  5. Run frida-server
    $ adb shell "/data/local/tmp/frida-server &"
  6. Find the package name of the application you want to bypass
    $ frida-ps -U
  7. Then run the script against your Flutter application
    $ frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY
  8. A successful bypass will look like this:
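Steps 3 to 6 are the part that goes wrong most often, usually because the frida-server build does not match the emulator's CPU architecture. The script below is an added example (not from the original post or from the Frida project) that reads the device ABI, picks the matching release asset name, pushes and starts the server, and verifies it answers. It assumes adb and the frida tools are installed, a single rooted emulator is attached, and that FRIDA_VERSION is set to the release you downloaded (X.Y.Z is a placeholder).

```shell
#!/usr/bin/env bash
# Added example: provision frida-server on the attached emulator (steps 3-6).
set -euo pipefail

FRIDA_VERSION="${FRIDA_VERSION:-X.Y.Z}"   # placeholder; set to the downloaded release
REMOTE=/data/local/tmp/frida-server

# Map the ABI reported by the device (ro.product.cpu.abi) to the arch suffix
# used in Frida release asset names: frida-server-<ver>-android-<arch>.xz
abi_to_frida_arch() {
  case "$1" in
    arm64-v8a)   echo arm64 ;;
    armeabi-v7a) echo arm ;;
    x86_64)      echo x86_64 ;;
    x86)         echo x86 ;;
    *) echo "unsupported ABI: $1" >&2; return 1 ;;
  esac
}

# $1 = device ABI, $2 = Frida version -> release asset file name
frida_server_asset() {
  echo "frida-server-$2-android-$(abi_to_frida_arch "$1").xz"
}

provision() {
  local abi asset bin
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  asset=$(frida_server_asset "$abi" "$FRIDA_VERSION")
  bin=${asset%.xz}
  # Decompress the downloaded .xz once; keep the original archive.
  [ -f "$bin" ] || { [ -f "$asset" ] && xz -dk "$asset"; }
  [ -f "$bin" ] || { echo "download $asset from the Frida releases page first" >&2; return 1; }
  adb push "$bin" "$REMOTE"
  adb shell "chmod 755 $REMOTE"
  # nohup + redirects stop 'adb shell' from hanging on the backgrounded server.
  adb shell "nohup $REMOTE >/dev/null 2>&1 &"
  sleep 2
  # Step 6 check: frida-ps only succeeds if the server is reachable over USB.
  frida-ps -U >/dev/null && echo "frida-server is up on $abi"
}

# Run the device steps only when asked, so the helpers can be sourced safely.
[ "${1:-}" = "--provision" ] && provision
```

Run it as `FRIDA_VERSION=<release> ./provision-frida.sh --provision` from the directory holding the downloaded archive.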

That’s it…

Thank you, my friend, for reading my pentest diary about bypassing a Flutter application. I hope you’re doing well. See you in the next story, and stay ethical.

Reference:

  • https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
