Bypass SSL Pinning for Flutter Apps using reFlutter Framework

Ayoub NAJIM
4 min read · Apr 11, 2023

SSL pinning in Flutter apps is not inherently hard to bypass. In fact, as with any other app, it is possible to bypass SSL pinning in a Flutter app if the appropriate techniques are used.

SSL pinning is a security mechanism used to prevent man-in-the-middle attacks by ensuring that the app only communicates with the intended server. In a Flutter app, SSL pinning can be implemented using various third-party packages like ‘flutter_secure_storage’ and ‘flutter_ssl_pinning’.

One reason why bypassing SSL pinning in Flutter apps can be challenging is that Flutter compiles code into native machine code for multiple platforms, including Android and iOS. This makes it difficult to use traditional techniques such as method hooking or code injection, which rely on manipulating the app’s bytecode.

Another reason why it can be challenging to bypass SSL pinning in a Flutter app is that many popular tools used for this purpose, such as Frida, do not currently support Flutter. This means that developers must use more advanced techniques such as dynamic binary instrumentation (DBI) or memory analysis to bypass SSL pinning in Flutter apps.

In this article I’m gonna show you one of the methods to bypass SSL pinning, using the reFlutter framework.

This framework helps with reverse engineering Flutter apps by using a patched version of the Flutter library, which is already compiled and ready for app repacking. The snapshot deserialization process in this library has been modified to allow you to perform dynamic analysis.

Requirements

During this test, I’m using:

  • Nox Emulator, or any other emulator such as Genymotion
  • adb
  • Burp Suite Pro (you can use the Community Edition)
  • Windows or Linux

Installation

#windows #linux
pip3 install reflutter
Installing reFlutter

Demo app: https://raw.githubusercontent.com/jjogal/Android/master/flutter-test-apps/flutter_ssl_pinning_bypass_lab_android.apk

Demo App

Analysis

The app has two buttons: HTTP Request and HTTPS Request.

Let's check HTTP Request first.

HTTP Request intercepted

We can see that Burp Suite intercepts the request successfully.

Now if we try to check HTTPS Request, we will get an error like this:

Error during HTTPS Request interception

Bypass SSL Pinning

We run the following command:

reflutter apk_name.apk
Reflutting our app

When reFlutter prompts for an IP, enter the IP of the machine where Burp Suite is running.

After that, we will get an app named release.RE.apk. Pay attention: this APK is not signed yet, so we have to sign it manually.

I’m using uber-apk-signer for this purpose: https://github.com/patrickfav/uber-apk-signer.

java -jar uber-apk-signer-1.3.0.jar --apk release.RE.apk
Signing apk

Now let’s install the signed APK on our device as below:

adb connect 127.0.0.1:PORT_EMULATOR
adb install release.RE-aligned-debugSigned.apk

Note that you should uninstall the old apk first!!

Installing signed release.RE.apk

Burpsuite Configuration

Next we configure the Burp Suite proxy listener (make sure you use 8083 as the port, since it is the one used by the internal proxy of our new app).

Burp config

Then, in the Request Handling tab, enable Support invisible proxying and click on OK.

Enabling Support invisible proxying

Now let’s open the new apk and click on HTTPS Request.

SSL Pinning bypassed !!

Now we can intercept HTTPS requests with Burp Suite!!

Together we saw a demo of an SSL pinning bypass for Flutter apps.
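Seen from the defender's side, the repack above replaces the Flutter library and re-signs the APK, and both leave traces that can be checked against the original release build. The Python sketch below is an added example, not part of the original article or of reFlutter: it diffs a reference APK against a candidate and reports changes to the engine, the compiled Dart code and the v1 signature files. The function names and both sample archives are constructed for illustration, and the `lib/<abi>/libflutter.so` / `libapp.so` layout is assumed to be the standard Flutter Android one.

```python
import hashlib
import io
import zipfile

# Assumption: standard Flutter Android layout (engine and compiled Dart code under lib/<abi>/).
WATCHED = ("libflutter.so", "libapp.so")

def entry_hashes(apk_bytes):
    """Map each file in the APK (a ZIP archive) to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist() if not name.endswith("/")}

def relevant(name):
    """Engine, Dart snapshot, or v1 signature files under META-INF/."""
    return name.startswith("META-INF/") or name.rsplit("/", 1)[-1] in WATCHED

def diff_apks(reference, candidate):
    """Compare two APKs and list watched entries that changed, appeared or vanished."""
    ref, cand = entry_hashes(reference), entry_hashes(candidate)
    return {
        "changed": sorted(n for n in ref.keys() & cand.keys()
                          if relevant(n) and ref[n] != cand[n]),
        "added": sorted(n for n in cand.keys() - ref.keys() if relevant(n)),
        "removed": sorted(n for n in ref.keys() - cand.keys() if relevant(n)),
    }

def build_sample_apk(files):
    """Build a constructed, APK-shaped ZIP in memory (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes stand in for real binaries.
RELEASE = build_sample_apk({
    "lib/arm64-v8a/libflutter.so": b"engine-as-shipped",
    "lib/arm64-v8a/libapp.so": b"dart-aot-snapshot",
    "META-INF/RELEASE.RSA": b"release-signer",
})
REPACKED = build_sample_apk({
    "lib/arm64-v8a/libflutter.so": b"engine-replaced",
    "lib/arm64-v8a/libapp.so": b"dart-aot-snapshot",
    "META-INF/CERT.RSA": b"debug-signer",
})

if __name__ == "__main__":
    for kind, names in diff_apks(RELEASE, REPACKED).items():
        print(f"{kind}: {names}")
```

APK Signature Scheme v2/v3 data sits in the APK Signing Block rather than in ZIP entries, so confirm the signer with `apksigner verify --print-certs` as well.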

Share knowledge, help others and happy hacking!!

Thank you, until next time!!
