Flutter


Flutter is Google’s cross-platform UI toolkit that lets developers write a single Dart code base which the Engine (native C/C++) turns into platform-specific machine code for Android & iOS. The Engine bundles the Dart VM, BoringSSL, Skia, etc., and ships as the shared library libflutter.so (Android) or Flutter.framework (iOS). All networking primitives (DNS, sockets, TLS) are implemented inside this library, not in the usual Java/Kotlin or Swift/Obj-C layers. That isolated design is why Java-level Frida hooks do nothing on Flutter apps.

Intercepting HTTPS traffic in Flutter

This is a summary of the blog post.

Why intercepting HTTPS traffic is hard in Flutter

  • SSL/TLS verification lives two layers down inside BoringSSL, so Java SSL-pinning bypasses never reach it.
  • BoringSSL uses its own CA store inside libflutter.so; importing your Burp/ZAP CA into Android’s system store changes nothing.
  • Symbols in libflutter.so are stripped & mangled, hiding the certificate-verification function from dynamic tools.

Fingerprint the exact Flutter stack

Knowing the version lets you rebuild or pattern-match the correct binaries.

| Step | Command / File | Outcome |
|---|---|---|
| Get snapshot hash | `python3 get_snapshot_hash.py libapp.so` | `adb4292f3ec25…` |
| Map hash → Engine | `enginehash` list in reFlutter | Flutter 3.7.12 + engine commit `1a65d409…` |
| Pull dependent commits | `DEPS` file in that engine commit | `dart_revision` → Dart 2.19.6, `dart_boringssl_rev` → BoringSSL `87f316d7…` |

Find get_snapshot_hash.py here.
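As an added illustration of the first step (this is not reFlutter’s script), the snippet below scans a libapp.so image for the Dart snapshot magic and pulls the 32-character version hash that follows the header. The header layout (4-byte magic, 8-byte length, 8-byte kind, then the hex hash) is an assumption, and the sample image is constructed inline.

```python
import re
import struct

# Dart snapshot header (assumed layout, see lead-in):
#   magic 0xdcdcf5f5 (little-endian) | length u64 | kind u64 | 32-char hex version hash | features\0
SNAPSHOT_MAGIC = b"\xf5\xf5\xdc\xdc"
HASH_OFFSET = 4 + 8 + 8
HASH_LEN = 32
HASH_RE = re.compile(rb"[0-9a-f]{32}")


def find_snapshot_hashes(image: bytes) -> list[str]:
    """Return the distinct snapshot version hashes found in a libapp.so image.

    A real AOT libapp.so carries a VM snapshot and an isolate snapshot built by
    the same SDK, so both headers should yield one identical hash. Candidates
    that are not 32 lowercase hex chars are ignored (stray magic-like bytes).
    """
    found: list[str] = []
    pos = image.find(SNAPSHOT_MAGIC)
    while pos != -1:
        cand = image[pos + HASH_OFFSET:pos + HASH_OFFSET + HASH_LEN]
        if HASH_RE.fullmatch(cand):
            h = cand.decode("ascii")
            if h not in found:
                found.append(h)
        pos = image.find(SNAPSHOT_MAGIC, pos + 1)
    return found


def _fake_snapshot(version_hash: bytes, kind: int, features: bytes) -> bytes:
    """Build a constructed snapshot header for the demo (not real Dart output)."""
    return SNAPSHOT_MAGIC + struct.pack("<QQ", 0x1000, kind) + version_hash + features + b"\0"


# Constructed sample image: ELF-ish padding, a VM snapshot, an isolate snapshot
# carrying the same hash, and a decoy magic followed by non-hex bytes.
CONSTRUCTED_HASH = b"0123456789abcdef0123456789abcdef"
SAMPLE_LIBAPP = (
    b"\x7fELF" + b"\x00" * 60
    + _fake_snapshot(CONSTRUCTED_HASH, 2, b"product no-code_comments")
    + b"\xcc" * 24
    + _fake_snapshot(CONSTRUCTED_HASH, 2, b"product no-code_comments")
    + SNAPSHOT_MAGIC + b"\x00" * 16 + b"not-a-hash" + b"\x00" * 22
)

if __name__ == "__main__":
    for h in find_snapshot_hashes(SAMPLE_LIBAPP):
        print("snapshot hash:", h)  # look this value up in reFlutter's enginehash list
```

Point `find_snapshot_hashes` at the bytes of a real `libapp.so` to get the value you then map to an engine commit.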

Target: ssl_crypto_x509_session_verify_cert_chain()

  • Lives in ssl_x509.cc inside BoringSSL.
  • Returns bool; a single true is enough to pass the entire certificate-chain check.
  • The same function exists on every CPU arch; only the opcodes differ.

Option A – Binary patching with reFlutter

  1. Clone the exact Engine and Dart sources for the app’s Flutter version.
  2. Regex-patch the two key places:
     • In ssl_x509.cc, force return 1;
     • (Optional) In socket_android.cc, hard-code the proxy ("10.0.2.2:8080").
  3. Re-compile libflutter.so, drop it back into the APK/IPA, sign, install.
  4. Pre-patched builds for commonly used versions are published in the reFlutter GitHub releases to save hours of build time.

Option B – Live hooking with Frida (the “hard-core” way)

Because the symbol is stripped, you pattern-scan the loaded module for its first bytes, then swap the return value at runtime.

```javascript
// attach & locate libflutter.so
var flutter = Process.getModuleByName("libflutter.so");

// x86-64 pattern of the first 16 bytes of ssl_crypto_x509_session_verify_cert_chain
var sig = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02";

Memory.scan(flutter.base, flutter.size, sig, {
  onMatch: function (addr) {
    console.log("[+] found verifier at " + addr);
    Interceptor.attach(addr, {
      onLeave: function (retval) { retval.replace(0x1); }  // always 'true'
    });
  },
  onComplete: function () { console.log("scan done"); }
});
```


```bash
frida -U -f com.example.app -l bypass.js
```

Porting tips

  • For arm64-v8a or armv7, take the first ~32 bytes of the function from Ghidra, convert them to a space-separated hex string, and replace sig.
  • Keep one pattern per Flutter release and store them in a cheat-sheet for quick reuse.

Forcing traffic through your proxy

Flutter itself ignores the device proxy settings. Easiest options:

  • Android Studio emulator: Settings ▶ Proxy → manual.
  • Physical device: evil Wi-Fi AP + DNS spoofing, or a Magisk module editing /etc/hosts.

Short Flutter TLS bypass flow (Frida Codeshare + system CA)

When you only need to inspect a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA and a drop-in Frida script is usually faster than reverse-engineering libflutter.so:

  1. Install your proxy CA in the system store. Follow Install Burp Certificate to hash/rename Burp’s DER certificate and push it to /system/etc/security/cacerts/ (requires a writable /system).

  2. Drop a matching frida-server binary and run it as root so it can attach to the Flutter process:

```bash
adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'"
```

  3. Install the host-side tooling and enumerate the target package:

```bash
pip3 install frida-tools --break-system-packages
adb shell pm list packages -f | grep target
```

  4. Launch the Flutter app with the Codeshare hook that disables the BoringSSL pin checks:

```bash
frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause
```

The Codeshare script patches the Flutter TLS verifier so that every certificate (including the ones Burp generates on the fly) is accepted, bypassing the public-key pin comparisons.

  5. Route traffic through your proxy. Configure the Wi‑Fi proxy GUI on the emulator or set it via adb shell settings put global http_proxy 10.0.2.2:8080; if direct routing fails, use adb reverse tcp:8080 tcp:8080 or a host-only VPN.

Once the CA is trusted at the OS layer and Frida has erased Flutter’s pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK.

Offset-based hook of BoringSSL verification (no signature scan)

When pattern-based scripts break across architectures (e.g. x86_64 vs ARM), hook the BoringSSL chain verifier directly at its absolute address inside libflutter.so. Workflow:

  • Extract the library with the right ABI from the APK: unzip -j app.apk "lib/*/libflutter.so" -d libs/ and pick the one matching the device (e.g. lib/x86_64/libflutter.so).
  • Analyse it in Ghidra/IDA and locate the verifier:
     • Source: BoringSSL ssl_x509.cc function ssl_crypto_x509_session_verify_cert_chain (3 args, returns bool).
     • In stripped builds, search for the string "ssl_client" and follow its XREFs; identify the function that takes three pointer-like args and returns a boolean.
  • Compute the runtime offset: take the function address shown by Ghidra and subtract the image base used during analysis to get the relative offset (RVA). Example: 0x02184644 - 0x00100000 = 0x02084644.
  • Hook at runtime at base + offset and force success:

```javascript
// frida -U -f com.target.app -l bypass.js --no-pause
const base = Module.findBaseAddress('libflutter.so');
// Example offset from analysis. Recompute per build/arch.
const off  = ptr('0x02084644');
const addr = base.add(off);

// ssl_crypto_x509_session_verify_cert_chain: 3 args, bool return
Interceptor.replace(addr, new NativeCallback(function (a, b, c) {
  return 1; // true
}, 'int', ['pointer', 'pointer', 'pointer']));

console.log('[+] Hooked BoringSSL verify_cert_chain at', addr);
```

Notes

  • Recompute the offset for every target build and CPU architecture; compiler/codegen differences break hardcoded signatures.
  • This bypass makes BoringSSL accept any chain, enabling HTTPS MITM regardless of the pins/CA trust inside Flutter.
  • If you force-route traffic during debugging to confirm TLS blocking, for example:

```bash
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>
```

…you still need the hook above, because verification happens inside libflutter.so, not in Android’s system trust store.
