Flutter


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Flutter is Google's cross-platform UI toolkit that lets a developer write a single Dart code-base which the Engine (native C/C++) turns into platform-specific machine code for Android & iOS. The Engine bundles the Dart VM, BoringSSL, Skia, etc., and ships as the shared library libflutter.so (Android) or Flutter.framework (iOS). All real networking (DNS, sockets, TLS) happens inside this library, not in the usual Java/Kotlin or Swift/Obj-C layers. That siloed design is why the usual Java-level Frida hooks do not work on Flutter apps.

Intercepting HTTPS traffic in Flutter

This is a summary of the blog post.

Why HTTPS interception is tricky in Flutter

  • SSL/TLS verification lives two layers down, in BoringSSL, so Java SSL-pinning bypasses never touch it.
  • BoringSSL uses its own CA store inside libflutter.so; importing your Burp/ZAP CA into Android's system store changes nothing.
  • Symbols in libflutter.so are stripped & mangled, hiding the certificate-verification function from dynamic tools.

Fingerprint the exact Flutter stack

Knowing the exact version lets you rebuild, or pattern-match against, the correct binaries.

| Step | Command / File | Outcome |
|---|---|---|
| Get snapshot hash | python3 get_snapshot_hash.py libapp.so | adb4292f3ec25… |
| Map hash → Engine | enginehash list in reFlutter | Flutter 3.7.12 + engine commit 1a65d409… |
| Pull dependent commits | DEPS file in that engine commit | dart_revision → Dart v2.19.6; dart_boringssl_rev → BoringSSL 87f316d7… |

get_snapshot_hash.py ships with reFlutter.
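As an added example (not code from this page, nor from reFlutter), the following Python chains the three fingerprinting steps in the table: look up a snapshot hash in a hash → engine table, then pull the dart_revision and dart_boringssl_rev pins out of the DEPS file of that engine commit. The table layout, every hash, version and revision value, and the DEPS excerpt are constructed placeholders; it assumes the DEPS file keeps these pins as plain string literals inside its vars dict. The real enginehash list and DEPS file may be laid out differently, so adjust the two parsers to match.

```python
import re

# Constructed sample in the spirit of reFlutter's enginehash list.
# Every hash, version and commit below is a placeholder, not a real value.
SAMPLE_ENGINE_TABLE = """\
# snapshot_hash, flutter_version, engine_commit
0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f, 3.7.12, 1111111111111111111111111111111111111111
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1, 3.10.0, 2222222222222222222222222222222222222222
"""

# Constructed excerpt of an engine DEPS file with hypothetical revisions.
# Assumption: the pins live as 'key': 'hex' entries in the vars dict.
SAMPLE_DEPS = """\
vars = {
  'chromium_git': 'https://chromium.googlesource.com',
  'dart_git': 'https://dart.googlesource.com',
  'dart_revision': '3333333333333333333333333333333333333333',
  'dart_boringssl_rev': '4444444444444444444444444444444444444444',
  'skia_revision': '5555555555555555555555555555555555555555',
}
"""

HEX_RE = r"[0-9a-fA-F]+"


def parse_engine_table(text):
    """Parse 'hash, version, commit' rows into {hash: (version, commit)}.

    Blank lines and '#' comments are skipped; hashes are normalised to
    lowercase so lookups are case-insensitive.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"malformed row: {line!r}")
        snapshot_hash, version, commit = parts
        table[snapshot_hash.lower()] = (version, commit)
    return table


def parse_deps_revisions(deps_text, keys=("dart_revision", "dart_boringssl_rev")):
    """Extract selected '<key>': '<hex>' pins from a DEPS vars block.

    Keys that are absent are simply left out of the result.
    """
    found = {}
    for key in keys:
        match = re.search(rf"'{re.escape(key)}'\s*:\s*'({HEX_RE})'", deps_text)
        if match:
            found[key] = match.group(1)
    return found


def fingerprint(snapshot_hash, table_text, deps_text):
    """Chain the lookups: hash -> (Flutter version, engine commit) -> Dart/BoringSSL pins.

    In a real run deps_text is the DEPS file checked out at the engine commit
    this function resolves; here it is passed in so the example runs offline.
    Returns None when the hash is unknown.
    """
    entry = parse_engine_table(table_text).get(snapshot_hash.lower())
    if entry is None:
        return None
    version, commit = entry
    result = {"flutter_version": version, "engine_commit": commit}
    result.update(parse_deps_revisions(deps_text))
    return result


if __name__ == "__main__":
    print(fingerprint("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", SAMPLE_ENGINE_TABLE, SAMPLE_DEPS))
```

Swap SAMPLE_ENGINE_TABLE for the real enginehash list and SAMPLE_DEPS for the DEPS fetched at the resolved engine commit; the resulting dart_revision and dart_boringssl_rev are the commits you need when rebuilding or pattern-matching libflutter.so.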

Target: ssl_crypto_x509_session_verify_cert_chain()

  • Lives in ssl_x509.cc in BoringSSL.
  • Returns bool – a single true is enough to pass the entire certificate-chain check.
  • The same function exists on every CPU arch; only the opcodes differ.

Option A – Binary patching with reFlutter

  1. Clone the exact Engine & Dart sources for the app's Flutter version.
  2. Regex-patch the two hotspots:
     • In ssl_x509.cc, force return 1;
     • (Optional) In socket_android.cc, hard-code the proxy ("10.0.2.2:8080").
  3. Re-compile libflutter.so, drop it back into the APK/IPA, sign, install.
  4. Pre-patched builds for common versions are published on the reFlutter GitHub releases to save hours of building.

Option B – Live hooking with Frida (the “hard-core” path)

Because the symbol is stripped, you pattern-scan the loaded module for the function's first bytes, then flip the return value on the fly.

javascript
// attach & locate libflutter.so
var flutter = Process.getModuleByName("libflutter.so");

// x86-64 pattern of the first 16 bytes of ssl_crypto_x509_session_verify_cert_chain
var sig = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02";

Memory.scan(flutter.base, flutter.size, sig, {
  onMatch: function (addr, size) {
    console.log("[+] found verifier at " + addr);
    Interceptor.attach(addr, {
      // overwrite the bool result with 1 so every chain is accepted
      onLeave: function (retval) { retval.replace(ptr(1)); }  // always 'true'
    });
  },
  onComplete: function () { console.log("scan done"); }
});


bash
frida -U -f com.example.app -l bypass.js

Porting notes

  • For arm64-v8a or armv7, take roughly the first ~32 bytes of the function from Ghidra, turn them into a space-separated hex string, and replace sig.
  • Keep one pattern per Flutter release and store them in a cheat-sheet for quick reuse.

Routing traffic through your proxy

Flutter itself ignores the device proxy settings. Easiest options:

  • Android Studio emulator: Settings ▶ Proxy → manual.
  • Physical device: evil Wi-Fi AP + DNS spoofing, or a Magisk module editing /etc/hosts.

Direct hook on the BoringSSL verify offset (no signature scan)

If pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), hook the BoringSSL chain verifier directly at an absolute address inside libflutter.so. Workflow:

  • Extract the library with the right ABI from the APK: unzip -j app.apk "lib/*/libflutter.so" -d libs/ and pick the one matching the device (e.g., lib/x86_64/libflutter.so).
  • Analyse it with Ghidra/IDA and locate the verifier:
     • Source: BoringSSL ssl_x509.cc function ssl_crypto_x509_session_verify_cert_chain (3 args, returns bool).
     • In stripped builds, search for the string "ssl_client" and check its XREFs; identify the function that takes three pointer-like args and returns a boolean.
  • Compute the runtime offset: take the function address shown by Ghidra and subtract the image base used during analysis to get the relative offset (RVA). Example: 0x02184644 - 0x00100000 = 0x02084644.
  • Hook at runtime at base + offset and force success:
javascript
// frida -U -f com.target.app -l bypass.js --no-pause
const base = Module.findBaseAddress('libflutter.so');
if (base === null) {
  throw new Error('libflutter.so is not loaded yet');
}
// Example offset from analysis. Recompute per build/arch.
const off  = ptr('0x02084644');
const addr = base.add(off);

// ssl_crypto_x509_session_verify_cert_chain: 3 args, bool return
Interceptor.replace(addr, new NativeCallback(function (a, b, c) {
  return 1; // true
}, 'int', ['pointer', 'pointer', 'pointer']));

console.log('[+] Hooked BoringSSL verify_cert_chain at', addr);

Notes

  • Recompute the offset for every target build and CPU architecture; compiler/codegen differences can break hardcoded signatures.
  • This bypass makes BoringSSL accept any chain, allowing HTTPS MITM regardless of the pins/CA trust inside Flutter.
  • If you force-route traffic while debugging to confirm TLS interception, for example:
bash
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>

…you still need the hook above, since verification happens inside libflutter.so, not in Android's system trust store.
