Flutter


Flutter is Google's cross-platform UI toolkit that lets developers write a single Dart codebase which the Engine (native C/C++) turns into platform-specific machine code for Android & iOS. The Engine bundles the Dart VM, BoringSSL, Skia, etc., and ships as the shared library libflutter.so (Android) or Flutter.framework (iOS). All real networking (DNS, sockets, TLS) happens inside this library, not in the usual Java/Kotlin or Swift/Obj-C layers. That isolated design is why Java-level Frida hooks usually do nothing on Flutter apps.

Intercepting HTTPS traffic in Flutter

This is a summary of the blog post.

Why HTTPS interception is tricky in Flutter

  • SSL/TLS verification lives two layers down inside BoringSSL, so Java SSL-pinning bypasses never touch it.
  • BoringSSL uses its own CA store inside libflutter.so; importing your Burp/ZAP CA into the Android system store changes nothing.
  • Symbols inside libflutter.so are stripped & mangled, hiding the certificate-verification function from dynamic tooling.

Fingerprint the exact Flutter stack

Knowing the version lets you rebuild or pattern-match the right binaries.

  Step                   | Command / File                         | Outcome
  -----------------------|----------------------------------------|----------------------------------------------------------------------
  Get snapshot hash      | python3 get_snapshot_hash.py libapp.so | adb4292f3ec25…
  Map hash → Engine      | enginehash list in reFlutter           | Flutter 3.7.12 + engine commit 1a65d409…
  Pull dependent commits | DEPS file in that engine commit        | dart_revision → Dart v2.19.6; dart_boringssl_rev → BoringSSL 87f316d7…

Get get_snapshot_hash.py here.
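The snapshot hash the table starts from can also be read with a short scanner of your own. The example below is added here and is not reFlutter's get_snapshot_hash.py; it assumes the Dart snapshot header layout from runtime/vm/snapshot.h (int32 magic 0xdcdcf5f5, int64 length, int64 kind, a 32-character hex version hash, then a NUL-terminated features string) and returns the hash plus the features string, which also pins down the build mode. Confirm the layout against the Dart revision you identify.

```python
import re
import struct
import sys

# Dart snapshot header layout (assumed from runtime/vm/snapshot.h; confirm it
# against the Dart revision you identify):
#   int32 magic 0xdcdcf5f5 | int64 length | int64 kind | 32 hex chars version hash | features\0
SNAPSHOT_MAGIC = struct.pack("<I", 0xDCDCF5F5)
HEADER_LEN = 4 + 8 + 8
VERSION_LEN = 32
_HEX32 = re.compile(rb"[0-9a-f]{32}")


def find_snapshot_headers(blob):
    """Return one dict per plausible Dart snapshot header found in blob."""
    found = []
    for m in re.finditer(re.escape(SNAPSHOT_MAGIC), blob):
        off = m.start()
        if len(blob) < off + HEADER_LEN + VERSION_LEN:
            continue  # truncated: not enough bytes for a full header
        _, length, kind = struct.unpack_from("<Iqq", blob, off)
        version = blob[off + HEADER_LEN:off + HEADER_LEN + VERSION_LEN]
        if not _HEX32.fullmatch(version):
            continue  # the magic occurred by chance; a real header carries a hex hash
        feat_start = off + HEADER_LEN + VERSION_LEN
        feat_end = blob.find(b"\x00", feat_start)
        features = blob[feat_start:feat_end] if feat_end != -1 else b""
        found.append({"offset": off, "length": length, "kind": kind,
                      "version_hash": version.decode("ascii"),
                      "features": features.decode("ascii", "replace")})
    return found


def snapshot_hash(blob):
    """Return the version hash shared by every snapshot in blob, or None.
    libapp.so carries a VM snapshot and an isolate snapshot; both must agree,
    so an empty or ambiguous result means this is not a plain AOT libapp.so."""
    hashes = {h["version_hash"] for h in find_snapshot_headers(blob)}
    return hashes.pop() if len(hashes) == 1 else None


if __name__ == "__main__":
    # usage: python3 snapshot_hash.py libapp.so
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    for hdr in find_snapshot_headers(data):
        print("0x%x kind=%d features=%s" % (hdr["offset"], hdr["kind"], hdr["features"]))
    print("snapshot hash:", snapshot_hash(data))
```

The resulting hash is what you look up in reFlutter's enginehash list to recover the Flutter, Dart and BoringSSL revisions.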

Target: ssl_crypto_x509_session_verify_cert_chain()

  • Lives in ssl_x509.cc inside BoringSSL.
  • Returns bool – a single true is enough to bypass the whole certificate-chain check.
  • The same function exists on every CPU arch; only the opcodes differ.

Option A – Binary patching with reFlutter

  1. Clone the exact Engine & Dart sources for the app's Flutter version.
  2. Regex-patch two hotspots:
     • In ssl_x509.cc, force return 1;
     • (Optional) In socket_android.cc, hard-code the proxy ("10.0.2.2:8080").
  3. Re-compile libflutter.so, drop it back into the APK/IPA, sign, install.
  4. Pre-patched builds for common versions are available on the reFlutter GitHub releases page to save hours of building.

Option B – Live hooking with Frida (the “hard-core” path)

Because the symbol is stripped, you pattern-scan the loaded module for its first bytes, then swap the return value on the fly.

// attach & locate libflutter.so
var flutter = Process.getModuleByName("libflutter.so");

// x86-64 pattern of the first 16 bytes of ssl_crypto_x509_session_verify_cert_chain
var sig = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02";

Memory.scan(flutter.base, flutter.size, sig, {
  onMatch: function (addr) {
    console.log("[+] found verifier at " + addr);
    Interceptor.attach(addr, {
      onLeave: function (retval) { retval.replace(0x1); }  // always 'true'
    });
  },
  onComplete: function () { console.log("scan done"); }
});


frida -U -f com.example.app -l bypass.js

Porting tips

  • For arm64-v8a or armv7, grab the first ~32 bytes of the function from Ghidra, convert them to a space-separated hex string, and replace sig.
  • Keep one pattern per Flutter release and store them in a cheat-sheet for quick reuse.

Forcing traffic through your proxy

Flutter itself ignores the device's proxy settings. Easiest options:

  • Android Studio emulator: Settings ▶ Proxy → manual.
  • Physical device: evil Wi-Fi AP + DNS spoofing, or a Magisk module to edit /etc/hosts.

Quick Flutter TLS bypass flow (Frida Codeshare + system CA)

When you just need to inspect a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA, and a Frida drop-in script is often faster than reverse-engineering libflutter.so:

  1. Install your proxy CA in the system store. Follow Install Burp Certificate to hash/rename Burp's DER certificate and push it into /system/etc/security/cacerts/ (requires a writable /system).

  2. Push a matching frida-server binary and run it as root so it can attach to the Flutter process:

     adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server
     adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'"

  3. Install the host-side tooling and enumerate the target package.

     pip3 install frida-tools --break-system-packages
     adb shell pm list packages -f | grep target

  4. Spawn the Flutter app with the Codeshare hook that disables the BoringSSL pin checks.

     frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause

The Codeshare script overrides the Flutter TLS verifier so every certificate (including Burp’s dynamically generated ones) is accepted, side-stepping public-key pin comparisons.

  5. Route traffic through your proxy. Configure the emulator Wi-Fi proxy in the GUI or force it via adb shell settings put global http_proxy 10.0.2.2:8080; if direct routing fails, fall back to adb reverse tcp:8080 tcp:8080 or a host-only VPN.

  6. If the app ignores OS proxy settings, redirect sockets with a Frida shim. Tools such as frida4burp hook dart:io/BoringSSL socket creation to force outbound TCP sessions to your proxy, even where HttpClient.findProxyFromEnvironment is hard-coded or Wi-Fi bypasses are in use. Set the proxy host/port in the script and run it alongside the TLS bypass:

frida -U -f com.example.target --no-pause \
--codeshare TheDauntless/disable-flutter-tls-v1 \
-l frida4burp.js

This also works on iOS via the Frida gadget or a USB frida-server; combining socket redirection with the TLS bypass restores both routing and certificate acceptance for Burp/mitmproxy.

Once the CA is trusted at the OS layer and Frida neutralizes Flutter's pinning logic (plus socket redirection where needed), Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK.

Offset-based hook of BoringSSL verification (no signature scan)

When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow:

  • Extract the library with the right ABI from the APK: unzip -j app.apk "lib/*/libflutter.so" -d libs/ and pick the one matching the device (e.g., lib/x86_64/libflutter.so).
  • Analyze it with Ghidra/IDA and locate the verifier:
     • Source: BoringSSL ssl_x509.cc function ssl_crypto_x509_session_verify_cert_chain (3 args, returns bool).
     • In stripped builds, use Search → For Strings → ssl_client → XREFs, then open each referenced FUN_... and pick the one with 3 pointer-like parameters that returns a boolean.
  • Compute the runtime offset: take the function address shown by Ghidra and subtract the image base (note: Ghidra often shows 0x00100000 for PIE Android ELFs). Example: 0x02184644 - 0x00100000 = 0x02084644.
  • Hook at runtime at base + offset and force success:
// frida -U -f com.target.app -l bypass.js --no-pause
const base = Module.findBaseAddress('libflutter.so');
// Example offset from analysis. Recompute per build/arch.
const off  = ptr('0x02084644');
const addr = base.add(off);

// ssl_crypto_x509_session_verify_cert_chain: 3 args, bool return
Interceptor.replace(addr, new NativeCallback(function (a, b, c) {
  return 1; // true
}, 'int', ['pointer', 'pointer', 'pointer']));

console.log('[+] Hooked BoringSSL verify_cert_chain at', addr);

Notes

  • Signature scans may succeed on ARM yet miss on x86_64 because the opcode layout changes; this offset approach is architecture-agnostic as long as you recompute the RVA.
  • This bypass makes BoringSSL accept any chain, allowing HTTPS MITM regardless of pins/CA trust inside Flutter.
  • If you force-route traffic while debugging to confirm TLS interception, for example:

     iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>

    …you still need the hook above, since verification happens inside libflutter.so, not in Android's system trust store.
