Bypass SSL Pinning for flutter apps using reFlutter Framework

Flutter apps are a little bit different and hard to bypass ssl pinning.There are many method to bypass ssl pinning for flutter apps and I'm gonna show you one of the method to bypass ssl pinning using reflutter flamework

This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis.

Installation

pip3 install reflutter

Demonstration apps,

https://github.com/thedarksource/Android/tree/master/flutter-test-apps

We have two options HTTP Request and HTTPS Request , First let's check in HTTP Request

The traffic through the burpsuite and we will get success response.But If we click on HTTPS Request ,we will get error like this.

So, let's bypass it using reflutter framework

reflutter flutter-apps.apk

IP is the IP of the machine which the burpsuite is running.

Now we will get release.RE.apk but this apk is not sign yet. We have to sign manually and

I'm used uber-apk-signer in here. You can use your own method.

java -jar uber-apk-signer-1.2.1.jar --apk release.RE.apk

Now install signed apk in your device.

adb install release.RE-aligned-debugSigned.apk

For the next step, we have to configure the proxy in burpsuite.

First, change port 8083 because reFlutter set it by default.

In Request handling tab, enable Support invisible proxying and click on OK.

Now open the new apk and click on HTTPS Request

NOTE: we need to turn off all the proxies because reflutter is already modifed and set the proxy settings in the patched app.

Now we can intercept the HTTPS traffic of the flutter based app by bypassing the SSL pinning usingreFlutter framework.

Reference

https://github.com/ptswarm/reFlutter

https://github.com/thedarksource/Android/tree/master/flutter-test-apps

https://github.com/patrickfav/uber-apk-signer/releases/