Flutter


Flutter is Google's cross-platform UI toolkit that lets developers write a single Dart codebase which the Engine (native C/C++) turns into platform-specific machine code for Android and iOS. The Engine bundles the Dart VM, BoringSSL, Skia, etc., and ships as the native library libflutter.so (Android) or Flutter.framework (iOS). All actual networking (DNS, sockets, TLS) happens inside this library, not in the usual Java/Kotlin or Swift/Obj-C layers. That isolated design is why Java-level Frida hooks usually fail on Flutter apps.

Intercepting HTTPS traffic in Flutter

This is a summary of the blog post.

Why intercepting HTTPS is hard in Flutter

  • SSL/TLS verification happens two layers down, inside BoringSSL, so Java-level SSL-pinning bypasses do not touch it.
  • BoringSSL uses its own CA store inside libflutter.so; importing your Burp/ZAP CA into the Android system store changes nothing.
  • Symbols in libflutter.so are stripped and mangled, hiding the certificate-verification function from dynamic tools.

Fingerprint the exact Flutter stack

Knowing the version lets you rebuild, or pattern-match against, the correct binaries.

| Step | Command / File | Outcome |
|---|---|---|
| Get snapshot hash | python3 get_snapshot_hash.py libapp.so | adb4292f3ec25… |
| Map hash → Engine | enginehash list in reFlutter | Flutter 3.7.12 + engine commit 1a65d409… |
| Pull dependent commits | DEPS file in that engine commit | dart_revision → Dart v2.19.6; dart_boringssl_rev → BoringSSL 87f316d7… |

Find get_snapshot_hash.py here.
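As an added example for the last row of the table (this is not code from the page, the blog post, or the reFlutter project), the following parser pulls dart_revision and dart_boringssl_rev out of the vars block of a Flutter engine DEPS file, so the Dart and BoringSSL commits a given build ships with can be recorded and compared against known releases. The DEPS text and every commit id in it are constructed placeholders, and the `vars = {...}` layout is assumed to match the engine's DEPS format; the two keys are validated as full 40-hex git SHAs so a truncated or hand-edited file does not yield a bogus fingerprint.

```python
import re
from typing import Dict

# Constructed sample of the `vars` block of a Flutter engine DEPS file.
# The revision values are placeholders made up for this example, not real commits.
SAMPLE_DEPS = """\
vars = {
  'chromium_git': 'https://chromium.googlesource.com',
  'dart_git': 'https://dart.googlesource.com',
  # placeholder revisions, constructed for this example
  'dart_revision': '0123456789abcdef0123456789abcdef01234567',
  'dart_boringssl_rev': 'fedcba9876543210fedcba9876543210fedcba98',
  'dart_boringssl_gen_rev': 'abcdef0123456789abcdef0123456789abcdef01',
}

deps = {
  'src/third_party/dart': Var('dart_git') + '/sdk.git' + '@' + Var('dart_revision'),
}
"""

# One `'key': 'value',` line inside the vars dict (string values only).
_VAR_LINE = re.compile(r"^\s*'([A-Za-z0-9_]+)'\s*:\s*'([^']*)'\s*,?\s*$", re.M)
# A full 40-hex git commit id.
_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def parse_deps_vars(deps_text: str) -> Dict[str, str]:
    """Return the string-valued entries of the DEPS ``vars = {...}`` block."""
    block = re.search(r"^vars\s*=\s*\{(.*?)^\}", deps_text, re.M | re.S)
    if block is None:
        raise ValueError("no `vars = {...}` block found in DEPS text")
    return dict(_VAR_LINE.findall(block.group(1)))


def pinned_revisions(deps_text: str) -> Dict[str, str]:
    """Pull the two commits the fingerprinting table cares about.

    Raises if either key is absent or is not a 40-hex SHA, so a truncated or
    hand-edited DEPS cannot silently produce a wrong version mapping.
    """
    vars_ = parse_deps_vars(deps_text)
    out: Dict[str, str] = {}
    for key in ("dart_revision", "dart_boringssl_rev"):
        value = vars_.get(key)
        if value is None:
            raise KeyError(f"{key} missing from DEPS vars")
        if not _SHA1.match(value):
            raise ValueError(f"{key} is not a full git SHA: {value!r}")
        out[key] = value
    return out


if __name__ == "__main__":
    for name, sha in pinned_revisions(SAMPLE_DEPS).items():
        print(f"{name}: {sha}")
```

Point it at the real DEPS fetched from the engine commit that the snapshot hash resolved to; the two SHAs it returns are what you look up to name the Dart SDK and BoringSSL revisions in the last table row, and the same output is handy on the defensive side for checking which BoringSSL revision a shipped app actually carries.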

Target: ssl_crypto_x509_session_verify_cert_chain()

  • Lives in ssl_x509.cc inside BoringSSL.
  • Returns bool; a single true is enough to skip the whole certificate-chain check.
  • The same function exists for every CPU arch; only the opcodes differ.

Option A – Binary patching with reFlutter

  1. Clone the exact Engine and Dart sources for the app's Flutter version.
  2. Regex-patch the two hotspots:
     • In ssl_x509.cc, force return 1;
     • (Optional) In socket_android.cc, hard-code the proxy ("10.0.2.2:8080").
  3. Re-compile libflutter.so, drop it back into the APK/IPA, sign, install.
  4. Pre-patched builds for common versions are published in the reFlutter GitHub releases to save hours of build time.

Option B – Live hooking with Frida (the “hard-core” path)

Because the symbol is stripped, you pattern-scan the loaded module for the function's leading bytes, then flip its return value at run time.

// attach & locate libflutter.so
var flutter = Process.getModuleByName("libflutter.so");

// x86-64 pattern of the first 16 bytes of ssl_crypto_x509_session_verify_cert_chain
var sig = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02";

Memory.scan(flutter.base, flutter.size, sig, {
  onMatch: function (addr) {
    console.log("[+] found verifier at " + addr);
    Interceptor.attach(addr, {
      onLeave: function (retval) { retval.replace(0x1); }  // always 'true'
    });
  },
  onComplete: function () { console.log("scan done"); }
});


frida -U -f com.example.app -l bypass.js

Porting tips

  • For arm64-v8a or armv7, grab the first ~32 bytes of the function from Ghidra, convert them to a space-separated hex string, and replace sig.
  • Keep one pattern per Flutter version and stash them in a cheat-sheet for quick reuse.

Forcing traffic through your proxy

Flutter itself ignores the device proxy settings. Easiest options:

  • Android Studio emulator: Settings ▶ Proxy → manual.
  • Physical device: evil Wi-Fi AP + DNS spoofing, or a Magisk module to edit /etc/hosts.

Quick Flutter TLS bypass workflow (Frida Codeshare + system CA)

When you just need to inspect a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA, and a drop-in Frida script is often faster than reverse-engineering libflutter.so:

  1. Install your proxy CA in the system store. Follow Install Burp Certificate to hash/rename Burp's DER certificate and push it into /system/etc/security/cacerts/ (requires a writable /system).

  2. Drop a matching frida-server binary and run it as root so it can attach to the Flutter process:

     adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server
     adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'"

  3. Install the host-side tooling and enumerate the target package:

     pip3 install frida-tools --break-system-packages
     adb shell pm list packages -f | grep target

  4. Launch the Flutter app with the Codeshare hook that disables the BoringSSL pin checks:

     frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause

     The Codeshare script overrides the Flutter TLS verifier so every certificate (including Burp's dynamically generated ones) is accepted, side-stepping public-key pin comparisons.

  5. Route traffic through your proxy. Configure the emulator Wi-Fi proxy GUI or enforce it via adb shell settings put global http_proxy 10.0.2.2:8080; if direct routing fails, fall back to adb reverse tcp:8080 tcp:8080 or a host-only VPN.

Once the CA is trusted at the OS layer and Frida quashes Flutter’s pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK.

Offset-based hook of BoringSSL verification (no signature scan)

When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow:

  • Extract the right-ABI library from the APK: unzip -j app.apk "lib/*/libflutter.so" -d libs/ and pick the one matching the device (e.g., lib/x86_64/libflutter.so).
  • Analyze in Ghidra/IDA and locate the verifier:
     • Source: BoringSSL ssl_x509.cc function ssl_crypto_x509_session_verify_cert_chain (3 args, returns bool).
     • In stripped builds, use Search → For Strings → ssl_client → XREFs, then open each referenced FUN_... and pick the one with 3 pointer-like args and a boolean return.
  • Compute the runtime offset: take the function address shown by Ghidra and subtract the image base (e.g., Ghidra often shows 0x00100000 for PIE Android ELFs). Example: 0x02184644 - 0x00100000 = 0x02084644.
  • Hook at runtime by base + offset and force success:

// frida -U -f com.target.app -l bypass.js --no-pause
const base = Module.findBaseAddress('libflutter.so');
// Example offset from analysis. Recompute per build/arch.
const off  = ptr('0x02084644');
const addr = base.add(off);

// ssl_crypto_x509_session_verify_cert_chain: 3 args, bool return
Interceptor.replace(addr, new NativeCallback(function (a, b, c) {
  return 1; // true
}, 'int', ['pointer', 'pointer', 'pointer']));

console.log('[+] Hooked BoringSSL verify_cert_chain at', addr);

Notes

  • Signature scans may succeed on ARM but miss on x86_64 because the opcode layout changes; this offset method is architecture-agnostic as long as you recalculate the RVA per build.
  • This bypass makes BoringSSL accept any chain, enabling HTTPS MITM regardless of the pins or CA trust inside Flutter.
  • If you force-route traffic while debugging to confirm TLS interception, for example:

iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>

… you still need the hook above, because verification happens inside libflutter.so, not against Android's system trust store.
