Bypass SSL Pinning for Flutter apps using Frida
Вставка
- Опубліковано 30 вер 2024
- Hello everyone,
In this video we're diving deep into the world of SSL traffic interception in Flutter Android applications. Flutter handles SSL/TLS differently from your typical Android apps, and in this video, we're going to explore the inner workings. By the end of this tutorial, you'll not only be able to extract the functions responsible for SSL certificate verification, but you'll also gain the skills to bypass SSL Pinning and unlock the secrets of intercepting HTTPS traffic in plain text. Stay tuned, because we're about to uncover some serious Flutter app magic!"
At the end of this video, you will be able to bypass SSL pinning and intercept network traffic from a flutter application using frida and burp suite.
Link to the sample application used in this video: github.com/fat...
If you find this video helpful, please show your support by hitting the like button and sharing it with your friends. Don't forget to subscribe to the channel because we regularly release new videos, and your support keeps us motivated.
Join us on:
Twitter: @SecFatal
Telegram: t.me/SecFatal
yes sir, i want know that how to read .so file , please make dedicated video on that topic.
+1
Wonderful video brother. Would appreciate if you let us know how to make a universal frida script to bypass all flutter based android apps as you said in the end of the video. Thank you once again.
Brother can you please brief the main steps only, actually I was looking for the same content for 1 year.
Please share the script code in the video description so we can copy paste easily, thank you
TypeError: cannot read property 'readCString' of undefined help me out bro
This error means that the string that you are trying to read is not defined. Make sure that the address is valid.
Please bypass app ssl for me...will do for me...only one app ??
very detail!!! thank you!
If you don't mind, please make videos about intercepting xamarin apps
very good one! i wonder if you are planning to make more videos on reverse engineering approaches for flutter. i'm currently focused on this, but unfortunately there isn't much content or tools available to learn from, so i just keep struggling with the low level operations and reading source code of dart sdk
Thanks! Yes I am planning to make more videos on flutter so stay tuned.
Excellent video and gained valuable insights. Please continue making these videos. Could you create a video on how to initiate the analysis of a Flutter APK before testing? In the case of Java and Kotlin, we can easily decompile and examine the code, but for Flutter, it's not as straightforward. How should we conduct reconnaissance on Flutter apps?
Thanks. Sure I am already planning to make a video on this topic soon.
@@fatalsec Thanks a lot waiting for it.
I wish this concept can be true on my case
I went through all registers(sp, rcx, rbx,rsp,rbp,rsi,rdi,r9...15,rip) and libflutter.so is not called in any of these registers. Do you know what should I try now?
You want to figure out the base address of libflutter.so? Based on the register names you mentioned it seems you are working with armv7 architecture so the linker64 which I used will not work. You can use linker instead of linker64 if this is the case.
Excellent video. There seems to have been some code changes with boringssl, are you able to bypass with the new library?
Appreciate the response.
Thanks
No haven’t looked into the new one. But I guess you can apply the same logic until unless they have modified the whole structure of the function.
Thank you for the video. I suggest to put the links and resources that you used to understand and put this together. Maybe there are those who want to go further...
const pattern = "55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 48 8b af a8 00 00 00"
var module = Process.findModuleByName("libflutter.so");
var results = Memory.scanSync(module.base, module.size, pattern);
console.log(`[+] libflutter is loaded at ${module.base}`);
session_verify_cert_chain(ptr(results[0].address).add(0x1));
function session_verify_cert_chain(address){
console.log("ssl add: "+address);
Interceptor.attach(address, {
onLeave: function(retval){
retval.replace(0x0);
console.log(`[+] session_verify_cert_chain retval: ${retval}`);
}
});
}
onleav not work
You are the best keep going 💪❤️
Thanks bro
We enjoyed it ❤
Keep it up and make more advanced tutorials ❤
How to know which boringsll version is used for the app I am trying to reversing ?
Based on the dart version application is using you can figure out
Very informative video. It would be great if you could speak a little slower as it was a little difficult to track. Frida gadget would also be a great topic to touch on
Thanks for the suggestion.
Внатуре хакер
Can you bypass and reroute to your own server with another certificate?
With android app
Not sure about the certificate but redirecting the traffic to another server is possible.
@fatalsec redirecting to android chrome web app and setting up entire architecture behind it is possible.
Methods of redirecting , css, webhook, restful apis. ,weblisteners and automated push requests?
What method would be most common and allowed by chrome browsers?
Excellent
perfect! im looking forward for your next videos!
Thanks
Application is developed using flutter but while I'm extract apk the lib folder is not there and code is obfuscate what to do I'm stuck 🥺
This could happen if the application is obfuscated.Is there any other native library present?
@@fatalsec yes kotlin is there
@@fatalsec is there any way to read code ?
awesome video once again keep it up. There is also an easy way of doing all this through reflutter but understanding the internals is always better.
Yes, but with new dart snapshots sometimes reflutter fails to parse it properly. So the goal of this video is to show how to do it manually.
@@fatalsec it is pleasure to learn complex topics in such a simple way. Please also consider too create a crash course on Frida and JS.
cfbr!!
I'd be willing to pay for more
Hi, thanks for showing the interest. You can contribute here: www.buymeacoffee.com/secfatalz
What's the flutter sdk version used in the demo app?
Bro can you bypass Play Integrity API
what version android do you use?
Currently using Android 13.
Thanks for the detailed video. Usage of Ghidra to calculating the offset. Writing own frida script.
Thank you man
Great video!
Can't we do this using http canary ??🤔
Yes you can try. But if there is certificate pinning applied then it won’t work.
@@fatalsec okay
thank, it is exactly what I needed. Great content.
We want to know about those snapshots
Noted
Thanks for this video, as a newbie, I have some questions, is it essential to have a rooted device to use proxy apps ? if this is the case, what if I'm using a rooted device detection package in my app.
would it be helpful to prevent app installation on those devices?
Thanks a lot for sharing valuable information
Yes rooted device is required to run frida server or other such tools like a debugger. In case your app is detecting that the device is rooted then you have to first bypass root detections. There are various ways to detect root. I have made some videos about it as well you can check to get some idea.
superb video bro.. thanks alot.
well done and perfect explanation, but can you please the other way in which we can change the library and compiling again? also will this work for ios devices? thanks!
Sure, I will make a video on this
So, currently i have an flutter based apk which does not has the lib/amd64/libapp.so file in it, now what can i do. The apk uses the firebase as the storage of api, in this scenario what are the other techniques i can perform.
Is there libflutter.so present in the applications lib directory? If not then this is not a flutter based app.
For second question I don’t understand. You want to intercept storage api from firebase library or you are trying to intercept HTTPS requests made by firebase apis?
Awesome content bro. , next video should on dart ♥️😃 and bro. explain about your setup also.
Thanks, Sure I will plan to create a dedicated video to explain about the setup.
Advanced and great
Thanks
While running the script I got the below mentioned error:
TypeError: cannot read property 'enumerateSymbols' of null
# I am running frida 16.1.4
You are trying to enumerate linker64 symbols? It might be possible that your device is armv7 based and not armv8. Try changing linker64 to linker.
@@fatalsec thanks for replying, I changed that value to linker and it worked but now I'm having trouble in getting offset value as in ghidra the vulnerable function is undefined and if I use the value(value looks like the address) just after the word undefined, I didn't get success. Please help me or is there any other way to contact you to get this problem solved.
And second thing, I'm running android 11 on my device and not able to install/run proxy droid on my phone, that application keeps closing when I run. So is there any other way to use proxy droid on android 11 or any other application which is an alternative to proxy droid.
how to bypass sign. no kill
Great video, keep it up, there are very less videos on pentesting flutter apps, So, we have to reverse each app binary files for ssl bypass, it that right?
Yes but the concept is more or less the same for every flutter app and if your app is using the same dart versions then same script can be used.
Bro amazing job 👌
Thank you very much for this content. I had some issues with the script but i found a way around and I was finally able to bypass ssl pinning.
Glad to know that
i found that function but it doesn't return 0x0 but 0xbde22301. I also have a hard time understanding :((
There are chances that the function you are hooking is not correct. If you are sure it’s the right function then it would be interesting to see. If you can share the apk with me I can have a look!
In my case also doesn't return 0x0 but some random number. I use you apk brother with x86_64 lib. It also just loading even though i don't pass it through proxy. Any Idea what's going on? please help with this. Thank you brother!
Useing only Android device
Hello brother, when I'm trying to load the js script file I'm getting the following error " cannot read property enumerateSymbols of null" , please help with this
Are you using the same script I have used in the video?
@@fatalsec yes, I'm using the same script. Does it need any specific library to be included through import keyword?
@@deepamsinha3933 no, there are chances that you are using a device which is having ARMv7 architecture. Confirm this and if so then replace “linker64” with “linker”.
Make a dedicated video on .so dart library file.
Noted
request next tutorial how to bypass emulator detection in flutter
I can if you can share any sample app having emulator detection in flutter
@@fatalsechow can i contact you?
Really needed this
hey brother Can you please help me to intercept flutter app with burp in some easiest way ?
@@piyushnigam4916 the easiest way is to setup HTTP Toolkit
Hello bro how can I contact to you
You can join our telegram group: t.me/SecFatal