Bypass SSL Pinning for Flutter Apps using reFlutter Framework
Flutter apps are not inherently hard to bypass SSL pinning. In fact, like any other app, it is possible to bypass SSL pinning in a Flutter app if the appropriate techniques are used.
SSL pinning is a security mechanism used to prevent man-in-the-middle attacks by ensuring that the app only communicates with the intended server. In a Flutter app, SSL pinning can be implemented using various third-party packages like ‘flutter_secure_storage’ and ‘flutter_ssl_pinning’.
One reason why bypassing SSL pinning in Flutter apps can be challenging is that Flutter compiles code into native machine code for multiple platforms, including Android and iOS. This makes it difficult to use traditional techniques such as method hooking or code injection, which rely on manipulating the app’s bytecode.
Another reason why it can be challenging to bypass SSL pinning in a Flutter app is that many popular tools used for this purpose, such as Frida, do not currently support Flutter. This means that developers must use more advanced techniques such as dynamic binary instrumentation (DBI) or memory analysis to bypass SSL pinning in Flutter apps.
In this article I’m gonna show you one of the method to bypass ssl pinning using reFlutter Framework.
This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis.
During this test, i’m using :
- Nox Emulator or any other like genymotion..
- Burpsuite pro ( you can use the community edition )
- Windows or Linux
pip3 install reflutter
The app have two buttons HTTP Request and HTTPS Request.
Let's check in HTTP Request
We can see that burpsuite intercept the request successfully.
Now if we try to check HTTPS Request, we will get an error like this:
Bypass SSL Pinning
We run the following command :
The IP is the IP of the machine where burpsuite is running.
After that, twe will get an app release.RE.apk but pay attention because this apk is not signed yet. We have to sign it manually then..
I’m using Uber_apk_signer for this purpose: https://github.com/patrickfav/uber-apk-signer.
java -jar uber-apk-signer-1.3.0.jar --apk release.RE.apk
Now let’s install the signed apk in our device as below :
adb connect 127.0.0.1:PORT_EMULATOR
adb install release.RE-aligned-debugSigned.apk
Note that you should uninstall the old apk first!!
Next we configure burpsuite proxy (make sure you use 8083 as port, it is used by the internal proxy of our new app)
Then in Request Handling tab, enable Support invisible proxying and click on OK.
Now let’s open the new apk and click on HTTPS Request.
Now we can intercept https request with burpsuite!!
We saw together a demo for SSL Pinning bypass for Flutter Apps.
Share knowledge, help others and happy hacking!!
Thank you, untill next!!