SSL Pinning Bypass on a Flutter-Based Application

Understanding Flutter Framework

Before diving into the SSL pinning bypass, let’s briefly understand what Flutter is. Flutter is a framework for developing mobile applications that allows developers to create apps for both Android and iOS platforms using a single codebase. The framework simplifies the development process by enabling developers to use a drag-and-drop interface for designing the app’s user interface, eliminating the need for writing native code.

The SSL Pinning Challenge in Flutter

SSL pinning is a security measure implemented by app developers to ensure that the app only communicates with trusted servers, preventing man-in-the-middle attacks. However, bypassing SSL pinning in Flutter-based apps can be particularly challenging due to the framework’s abstraction of native code and the lack of clear information in the Android manifest file.

Exploring Failed Attempts

When tasked with auditing a Flutter-based Android app, the initial attempts to bypass SSL pinning proved unsuccessful. Traditional methods, such as capturing app traffic using system certificates, Frida scripts, objection, and reFlutter, did not yield the desired results. The absence of information in the Android manifest file regarding user-based or system-based certificate acceptance added an extra layer of complexity.

Discovering ProxyDroid

In the quest for a successful SSL pinning bypass, a breakthrough came with the discovery of ProxyDroid. Unlike traditional methods that attempt to intercept app traffic directly, ProxyDroid takes a different approach by capturing device traffic. This distinction allows it to circumvent SSL pinning implemented within the app itself.

Steps to Bypass SSL Pinning with ProxyDroid

1. Download ProxyDroid: ProxyDroid can be easily found on the Play Store, but it’s important to note that the app requires a rooted Android device to function.

2. Configuration: After installing ProxyDroid, configure it by providing the Burp Suite IP address and enabling the proxy.

3. Capture Traffic: With ProxyDroid active, the app’s traffic is successfully redirected through the configured proxy, allowing for the interception and analysis of data using tools like Burp Suite.

Thanks For Reading
