Flutter

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!

Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Flutter is Google’s cross-platform UI toolkit that lets developers write a single Dart code-base which the Engine (native C/C++) turns into platform-specific machine code for Android & iOS.
The Engine bundles a Dart VM, BoringSSL, Skia, etc., and ships as the shared library libflutter.so (Android) or Flutter.framework (iOS). All actual networking (DNS, sockets, TLS) happens inside this library, not in the usual Java/Kotlin Swift/Obj-C layers. That siloed design is why the usual Java-level Frida hooks fail on Flutter apps.

Intercepting HTTPS traffic in Flutter

This is a summary of this blog post.

Why HTTPS interception is tricky in Flutter

SSL/TLS verification lives two layers down in BoringSSL, so Java SSL‐pinning bypasses don’t touch it.
BoringSSL uses its own CA store inside libflutter.so; importing your Burp/ZAP CA into Android’s system store changes nothing.
Symbols in libflutter.so are stripped & mangled, hiding the certificate-verification function from dynamic tools.

Fingerprint the exact Flutter stack

Knowing the version lets you re-build or pattern-match the right binaries.

Step	Command / File	Outcome
Get snapshot hash	`python3 get_snapshot_hash.py libapp.so`	`adb4292f3ec25…`
Map hash → Engine	enginehash list in reFlutter	Flutter 3 · 7 · 12 + engine commit `1a65d409…`
Pull dependent commits	DEPS file in that engine commit	• `dart_revision` → Dart v2 · 19 · 6 • `dart_boringssl_rev` → BoringSSL `87f316d7…`

Find get_snapshot_hash.py here.

Target: `ssl_crypto_x509_session_verify_cert_chain()`

Located in ssl_x509.cc inside BoringSSL.
Returns bool – a single true is enough to bypass the whole certificate chain check.
Same function exists on every CPU arch; only the opcodes differ.

Option A – Binary patching with reFlutter

Clone the exact Engine & Dart sources for the app’s Flutter version.
Regex-patch two hotspots:
- In ssl_x509.cc, force return 1;
- (Optional) In socket_android.cc, hard-code a proxy ("10.0.2.2:8080").
Re-compile libflutter.so, drop it back into the APK/IPA, sign, install.
Pre-patched builds for common versions are shipped in the reFlutter GitHub releases to save hours of build time.

### Option B – Live hooking with Frida (the “hard-core” path)
Because the symbol is stripped, you pattern-scan the loaded module for its first bytes, then change the return value on the fly.

// attach & locate libflutter.so
var flutter = Process.getModuleByName("libflutter.so");

// x86-64 pattern of the first 16 bytes of ssl_crypto_x509_session_verify_cert_chain
var sig = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02";

Memory.scan(flutter.base, flutter.size, sig, {
  onMatch: function (addr) {
    console.log("[+] found verifier at " + addr);
    Interceptor.attach(addr, {
      onLeave: function (retval) { retval.replace(0x1); }  // always 'true'
    });
  },
  onComplete: function () { console.log("scan done"); }
});

Run it:

frida -U -f com.example.app -l bypass.js

Porting tips

For arm64-v8a or armv7, grab the first ~32 bytes of the function from Ghidra, convert to a space-separated hex string, and replace sig.
Keep one pattern per Flutter release, store them in a cheat-sheet for fast reuse.

Forcing traffic through your proxy

Flutter itself ignores device proxy settings. Easiest options:

Android Studio emulator: Settings ▶ Proxy → manual.
Physical device: evil Wi-Fi AP + DNS spoofing, or Magisk module editing /etc/hosts.

Quick Flutter TLS bypass workflow (Frida Codeshare + system CA)

When you only need to observe a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA, and a drop-in Frida script is often faster than reverse-engineering libflutter.so:

Install your proxy CA in the system store. Follow Install Burp Certificate to hash/rename Burp’s DER certificate and push it into /system/etc/security/cacerts/ (writable /system required).
Drop a matching frida-server binary and run it as root so it can attach to the Flutter process:

adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'"

Install the host-side tooling and enumerate the target package.

pip3 install frida-tools --break-system-packages
adb shell pm list packages -f | grep target

Spawn the Flutter app with the Codeshare hook that neuters BoringSSL pin checks.

frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause

The Codeshare script overrides the Flutter TLS verifier so every certificate (including Burp’s dynamically generated ones) is accepted, side-stepping public-key pin comparisons.

Route traffic through your proxy. Configure the emulator Wi-Fi proxy GUI or enforce it via adb shell settings put global http_proxy 10.0.2.2:8080; if direct routing fails, fall back to adb reverse tcp:8080 tcp:8080 or a host-only VPN.

Once the CA is trusted at the OS layer and Frida quashes Flutter’s pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK.

Offset-based hook of BoringSSL verification (no signature scan)

When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow:

Extract the right-ABI library from the APK: unzip -j app.apk "lib/*/libflutter.so" -d libs/ and pick the one matching the device (e.g., lib/x86_64/libflutter.so).
Analyze in Ghidra/IDA and locate the verifier:
- Source: BoringSSL ssl_x509.cc function ssl_crypto_x509_session_verify_cert_chain (3 args, returns bool).
- In stripped builds, search for the string "ssl_client" and inspect XREFs; identify the function taking three pointer-like args and returning a boolean.
Compute the runtime offset: take the function address shown by Ghidra and subtract the image base used during analysis to get the relative offset (RVA). Example: 0x02184644 - 0x00100000 = 0x02084644.
Hook at runtime by base + offset and force success:

// frida -U -f com.target.app -l bypass.js --no-pause
const base = Module.findBaseAddress('libflutter.so');
// Example offset from analysis. Recompute per build/arch.
const off  = ptr('0x02084644');
const addr = base.add(off);

// ssl_crypto_x509_session_verify_cert_chain: 3 args, bool return
Interceptor.replace(addr, new NativeCallback(function (a, b, c) {
  return 1; // true
}, 'int', ['pointer', 'pointer', 'pointer']));

console.log('[+] Hooked BoringSSL verify_cert_chain at', addr);

Notes

Recompute the offset for every target build and CPU architecture; compiler/codegen differences break hardcoded signatures.
This bypass causes BoringSSL to accept any chain, enabling HTTPS MITM regardless of pins/CA trust inside Flutter.
If you force-route traffic during debugging to confirm TLS blocking, e.g.:

iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>

…you will still need the hook above, since verification happens inside libflutter.so, not Android’s system trust store.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!

Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.