This really helped me with my self-signed certificate. All the answers I found suggested I should accept all certs, which I didn't want. Thanks for the video!
Yes, we want more Flutter security related videos.
Will do! Thanks for watching.
I was wondering if I can tunnel the whole device into a certain proxy with a port number, so I can make the mobile connect to my Wi-Fi without manually setting the proxy in the Network Settings.
Hello, can I connect Burp Suite with a local database when the database does not have an internet connection?
Please can you answer
How about mistakes like this? What's wrong?
SecurityContext.setTrustedCertificatesBytes fails with BAD_PKCS12_DATA
SSL pinning is not the default behavior, so you don't need to disable it if it has not already been enabled. Is this statement correct or not?
Correct. I also don't recommend doing SSL pinning at all in 2022.
FYI: The link to the companion blog seems to no longer work.
Can you also post a video explaining certificate pinning or public key pinning in a Flutter app?
Yes, I'll second that. Also, please cover the OAuth 2.0 authentication point.
Nice one. One question: does that mean if we use WebSocket in the project, we should implement the handshake (what HTTPS does) ourselves?
Hey, technically yes, but the bulk of the logic is normally handled by the framework. In Flutter the pub.dev/packages/web_socket_channel package does that for you. Server side you will need to define the logic that will upgrade a request. This will be dependent on the server language that you are using, but again most of that logic will be wrapped in whatever package you are using or whatever libraries are available for that language. In this video I used Go for the server and used the github.com/gorilla/websocket library.
I am still confused whether it's only for debug mode or also works for production apps. We are a payment gateway service providing company, developing our apps in Flutter, and now very much confused about whether using a proxy is the same as SSL pinning. If so, do we have to buy a trusted self-signed certificate, or is it okay to use one from Burp Suite, like you used them?
I strongly recommend you read the companion article, or take a look at the other links that I posted that explain HTTPS (some make it much easier to understand), as you seem to have misunderstood the difference between SSL pinning, HTTPS and a proxy. I also strongly recommend that you seek professional guidance from a security company if you are a payment gateway service provider. I do not want to be held liable for what I say in a YouTube comment :) But to clear up some confusion: Burp is a tool used by "hackers" to intercept the traffic between an application and the end network it is communicating with. Burp is a proxy tool, to intercept the traffic. SSL pinning is a security technique where you hardcode your app to only accept certain SSL certificates (your endpoint's or API's cert, for example). If SSL pinning is done correctly then Burp will not be able to intercept the traffic, as the application will not recognise the certificate that Burp presents. The only reason I generated certificates using Burp in the video was in order to proxy the application (not to provide SSL pinning), and to show how to proxy. Note that I typed this on a phone, so excuse any mistakes. But I suggest reading up more on SSL/HTTPS and then SSL pinning. Or seek professional advice. Good luck
@FunwithFlutter Thank you so much for this valuable suggestion.
I just recently found different issues with SSL pinning for Flutter based on self-signed and trusted CA certificates. Although we can use a self-signed certificate for development tests, I was suggested to use a trusted CA, and I also learned through your articles, which reflect clear concepts of CAs. You will probably want to create a video on this once I implement it and share my study with you. Right now there is an issue with badCertificateCallback returning only the root CA certificate of the trusted CA issuer rather than the whole chain (parent, leaf, intermediate) of my server certificate provided to my server; this was already filed on the Flutter GitHub.
Thank you for the quality content.
Is this Charles Proxy?
Could we use a .crt file or not? Please let me know.
stackoverflow.com/questions/54104685/flutter-add-self-signed-certificate-from-asset-folder
But self-signed certificates should only be used for testing purposes.
@Fun with Flutter Hi, can you please share your code?
Also, can you explain how to make a WebSocket?
Thanks, but I couldn't make it work. Then I tried this one, which you don't suggest. But can you implement your method on this one as well? Thanks a lot.
import 'dart:io';

// Accepts EVERY certificate: a badCertificateCallback that returns true
// disables server identity checks, so any MITM certificate is trusted.
class MyHttpOverrides extends HttpOverrides {
  @override
  HttpClient createHttpClient(SecurityContext? context) {
    return super.createHttpClient(context)
      ..badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
  }
}
Thanks for the question. I don't remember if I mentioned it in the video, but this is basically the exact opposite of what you want. This is telling your app to trust ALL certificates. It's basically removing the "identity" security that SSL certificates provide, meaning anyone can man-in-the-middle the app's traffic by presenting ANY certificate. A no-no. Check out the blog post; at the end of the post there's a section called "Considering Security" where I go into more detail. Blog post: blog.funwith.app/posts/proxy-flutter-apps/
@FunwithFlutter Thank you for your answer. Actually I implemented what you have written in that section, but it didn't work out. Then I tried to implement that code in the HttpOverrides that I mentioned above. I couldn't make it run. Maybe I missed something. Because this HttpOverrides method is not async and you use "await rootBundle", it then has to return an HttpClient, which I couldn't handle. Because I couldn't implement your code in this HttpOverrides, I asked you whether you could extend this HttpOverrides method with yours. Thanks again.
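Added example (not the video author's code, not the blog post's code, and not the poster's): one way to write the HttpOverrides the exchange above asks for, and a concrete form of the "only accept certain certificates" idea from the SSL pinning explanation earlier in the thread. It resolves the async problem by loading the PEM asset once, before runApp(), and handing the bytes to a synchronous createHttpClient. The asset path assets/certs/pinned_ca.pem and the class and function names are assumptions for illustration.

```dart
import 'dart:io';
import 'dart:typed_data';

import 'package:flutter/services.dart' show rootBundle;
import 'package:flutter/widgets.dart' show WidgetsFlutterBinding;

/// HttpOverrides that trusts ONLY the certificate(s) in the supplied PEM bytes.
/// Contrast with `badCertificateCallback = (...) => true`, which trusts everything.
class PinnedHttpOverrides extends HttpOverrides {
  PinnedHttpOverrides(this._pinnedPem);

  /// PEM-encoded CA (or the self-signed server certificate itself). Loaded
  /// once up front, so createHttpClient can stay synchronous.
  final Uint8List _pinnedPem;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // withTrustedRoots: false -> start from an EMPTY trust store. System roots,
    // including any Burp CA installed on the device, are not trusted.
    final SecurityContext ctx = SecurityContext(withTrustedRoots: false)
      // Expects PEM (or PKCS12 with a password). Feeding it a DER .crt, or a
      // PKCS12 file without its password, typically fails with BAD_PKCS12_DATA.
      ..setTrustedCertificatesBytes(_pinnedPem);

    return super.createHttpClient(ctx)
      // Explicitly refuse anything that failed chain validation against ctx.
      // Returning true here would re-open the MITM hole this class closes.
      ..badCertificateCallback = (X509Certificate cert, String host, int port) {
        return false;
      };
  }
}

/// Call before runApp(): reading the asset is async, installing the override is not.
Future<void> installPinnedHttpOverrides() async {
  WidgetsFlutterBinding.ensureInitialized(); // rootBundle needs the binding
  // Hypothetical asset path; declare it under flutter/assets in pubspec.yaml.
  final ByteData data = await rootBundle.load('assets/certs/pinned_ca.pem');
  final Uint8List pem =
      data.buffer.asUint8List(data.offsetInBytes, data.lengthInBytes);
  HttpOverrides.global = PinnedHttpOverrides(pem);
}

// Usage:
//   Future<void> main() async {
//     await installPinnedHttpOverrides();
//     runApp(const MyApp());
//   }
```

Two caveats worth checking before shipping this. Because the trust store is empty apart from the pinned PEM, every dart:io HttpClient in the app (including those under package:http or dio) will reject hosts that do not chain to that certificate, so third-party endpoints need their own CA added or a separate client. And pinning to a CA you control means a rotation of the server certificate under the same CA keeps working, while pinning a leaf or self-signed certificate directly means an app update on every renewal.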
Please add subtitles for all your followers from different countries =)
Hi! YouTube should do this automatically. In the video screen at the bottom right (toolbar) there is a button called CC. Make sure that is highlighted and it should give subtitles in English. If you want a different language you can hit the settings button (the one next to CC) and you will now see an option for subtitles; click that and from there you can select a language. YouTube will automatically translate it. I cannot promise how good that will be, but you can give it a shot :)