SSL Pinning Bypass Adventures in Flutter Mobile Apps

Want to take control of your Flutter app's traffic? In this blog I walk through the steps needed to capture the network traffic of a Flutter-based Android application installed on the Android Studio emulator.

The process is divided into three parts:

  • Configure the Proxy in Your Android Studio Emulator
  • Capture the Sequence Bytes of “ssl_verify_peer_cert” Function
  • Change the Return Value of “ssl_verify_peer_cert” to True Using Frida

Configure the Proxy in Your Android Studio Emulator

To set up the proxy in the Android Studio emulator, the initial step involves installing the Burp certificate directly into the emulator. This process is straightforward and can be effortlessly accomplished by following the steps outlined in my previous blog.

To capture the traffic of a Flutter-based application, it’s necessary to set up a device-wide proxy configuration. I accomplished this by installing the “Super Proxy” application, where I configured the IP and port corresponding to the Burp Suite’s listening parameters, as illustrated in the accompanying figure:

Capture the Sequence Bytes of “ssl_verify_peer_cert” Function

To capture the sequence of bytes for the “ssl_verify_peer_cert” function, we need to interact with the “libflutter.so” file utilized in the application. To kickstart this process, the initial step is to identify and extract the “libflutter.so” file from the application.

This crucial file holds the key to understanding and manipulating the SSL verification process within the Flutter-based application. Once we have access to this file, we can delve deeper into analyzing and modifying the necessary byte sequences for our targeted function.

Given that "libflutter.so" is a pre-built binary, you can use the git repo to look up the byte sequence of "ssl_verify_peer_cert" for the various platforms; it lists the sequences for the different architectures.

To check whether the desired sequence of bytes is present, a handy tool is "binwalk". Its raw scan mode (binwalk -R) searches a file for an arbitrary byte sequence, so you can confirm that the sequence for your architecture exists in "libflutter.so" without inspecting the binary by hand.

If binwalk does not yield the desired result (for example because the build differs from the ones listed in the repo), it is time to use a proper reverse engineering tool such as Ghidra, which lets you analyse the "libflutter.so" binary in depth and locate the function yourself. There is an interesting blog written around it.

Change the Return Value of “ssl_verify_peer_cert” to True Using Frida

List of existing scripts

I've encountered an issue with the existing scripts. So initially, I identified the sequence of bytes for the "ssl_verify_peer_cert" function using binwalk, as demonstrated in the preceding step. Subsequently, I wrote the customized script below, which resolved the problem for me.

Java.perform(function() {
    // Hook the located ssl_verify_peer_cert and force its return value to 1 (verification OK).
    function hook_ssl_verify_result(address) {
        Interceptor.attach(address, {
            onEnter: function(args) {
                console.log("Disabling SSL validation");
            },
            onLeave: function(retval) {
                console.log("Retval: " + retval);
                retval.replace(0x1);
            }
        });
    }

    function disablePinning() {
        var m = Process.findModuleByName("libflutter.so");
        if (m === null) {
            console.log("[-] libflutter.so is not loaded yet");
            return;
        }
        // Byte sequence of ssl_verify_peer_cert for the x86_64 (emulator) build of
        // libflutter.so, found with binwalk in the previous step. Other architectures
        // or Flutter versions need their own sequence.
        var pattern = "55 41 57 41 56 41 55 41 54 53 48 83 EC 38 C6 02 50 48 8B AF A8 00 00 00 48 85 ED 74 70 48 83 7D 00 00 74";
        Memory.scan(m.base, m.size, pattern, {
            onMatch: function(address, size) {
                console.log('[+] ssl_verify_result found at: ' + address.toString());
                hook_ssl_verify_result(address);
            },
            onError: function(reason) {
                console.log('[-] Memory.scan error: ' + reason);
            },
            onComplete: function() {
                console.log('[*] Memory.scan complete');
            }
        });
    }
    // Give the app a moment to load libflutter.so before scanning.
    setTimeout(disablePinning, 1000);
});

Woah! I’ve successfully overcome the challenges and can now capture the traffic of the Android application developed in Flutter.

Sanjay Gondaliya
Technical Director

My research interests include automation in penetration testing.