I recently stumbled upon an application developed with Flutter, and since it was my first time seeing one, to my surprise I couldn't intercept its requests. After some digging on Google, I wrote this tutorial with the steps that personally worked for me, and I wanted to share them in the hope of helping someone else.
Note that the applications I tested didn't have certificate pinning implemented. I'll update this file once I get to test an application that has it (if I'm able to bypass it 😃).
To simplify the explanation I refer to the machine that hosts Burp as Kali, but you can use whatever Linux machine you want.
There are two ways to intercept HTTP connections from a Flutter application installed on an Android device (I'm sure there are more, but these are the ones I know). Changing the proxy settings of the device through the classic Android settings doesn't work in this case, because Flutter applications don't honour the system proxy settings. I assume a rooted device throughout.
1. With ProxyDroid:
- The first and easiest way is to install the ProxyDroid application (available on the Play Store) and set the proxy settings in it.
- Host: the local IP address of the machine that hosts Burp Suite (if it is a VM, set its network adapter to bridged mode and find the IP with `ifconfig` -> `eth0`).
- Port: `8080` (or whatever port the Burp listener uses).
- Proxy Type: `HTTP`.
- Enable Global Proxy (this setting needs root permission).
- In Burp: enable a listener on all interfaces on port 8080 and enable invisible proxying (Proxy settings -> edit listener -> Request handling -> tick "Support invisible proxying").
- Once you enable the proxy in ProxyDroid, you can intercept the HTTP requests of your Flutter app.
2. With iptables:
- Open a shell with root privileges on Android (`adb shell` -> `su`).
- You can run `iptables -F -t nat` to flush the nat table so you start from a clean state (only if there aren't any important rules already applied).
- You can check that everything is ok with `iptables -L -t nat`.
- Then run this command in the Android root shell, replacing `<KalilocalIPaddress>` with the local IP address of your Kali machine (the shell is already root after `su`, so no `sudo` is needed there):
  `iptables -t nat -A OUTPUT -j DNAT --to-destination <KalilocalIPaddress>`
- On Kali, run:
  `sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <KalilocalIPaddress>`
  (I set up port 443 since I had to intercept HTTPS requests.)
- Set Burp to listen on port 443 and enable invisible proxying.
- If Burp doesn't allow you to set up a listener on port 443, you need to run Burp with root permissions.
Intercepting HTTP connections on iOS is more complicated since you can't use iptables on the device. Instead, you can use OpenVPN and run a VPN server on your Kali machine, connecting the iOS device to the VPN.
- Run the following commands on Kali:
```bash
wget https://git.io/vpn -O openvpn-install.sh
# delete the line after the "debian is too old" message (the abort that stops the installer on Kali)
sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut -d : -f 1)+1))d" ./openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
```
- Options:
  - Which IPv4 address should be used? [choose your local IP address]
  - This server is behind NAT. What is the public IPv4 address or hostname? Public IPv4 address / hostname [still your local IP address]
  - Which protocol should OpenVPN use? 1 [UDP]
  - What port should OpenVPN listen to? Port [1194]: 1194
  - Select a DNS server for the clients: 3 [I personally chose 1.1.1.1]
  - Enter a name for the first client: [choose a name]
- Confirm the setup by running `ifconfig` and checking that a `tun0` interface has been added.
- Start the OpenVPN service with `sudo service openvpn start`.
- To install the OpenVPN client configuration on the iPhone, start a Python HTTP server in the client folder (`/root` by default): `sudo python3 -m http.server 8080 --directory /root/`
- Navigate to `kalilocalip:8080` on your iPhone with a browser and download the `.ovpn` file.
- Open the downloaded file with the OpenVPN app and add the configuration. Connect to the VPN.
- You can now browse, but to intercept requests you need to set a rule with iptables on Kali: `sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <KalilocalIPaddress>`
- Intercept requests with Burp on port 443, with invisible proxying enabled in the proxy settings.
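As an added example (not part of the original tutorial), here is a small Python checker for the Kali-side rule used in both step 2 and the iOS section above: feed it the output of `iptables -t nat -S` and your Kali IP (a constructed sample is embedded, with 192.168.1.10 as the assumed Kali address), and it reports whether the PREROUTING DNAT rule is present, plus the exact `-D` command for every DNAT rule, so you can remove only your own rule instead of flushing the whole table.

```python
import re
import shlex

# One "-A <chain> <rule spec>" per line, as printed by `iptables -t nat -S`.
RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<spec>.*)$")

# Constructed sample of `iptables -t nat -S` output: the tutorial's rule for
# 192.168.1.10 plus an unrelated DNAT rule that a blind `-F` would wipe out.
SAMPLE = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5
"""

def parse_nat_rules(output):
    """Return (chain, argv) for every -A rule in `iptables -t nat -S` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("chain"), shlex.split(m.group("spec"))))
    return rules

def _opt(argv, name):
    """Value following option `name` in argv, or None if the option is absent."""
    try:
        return argv[argv.index(name) + 1]
    except (ValueError, IndexError):
        return None

def check_redirect(output, kali_ip, port="443"):
    """Check for the PREROUTING tcp/<port> DNAT to kali_ip; list the other DNAT rules.
    Each rule is reported as the `-D` command that deletes only that rule."""
    wanted, other_dnat = None, []
    for chain, argv in parse_nat_rules(output):
        if _opt(argv, "-j") != "DNAT":
            continue  # only DNAT rules matter for the Burp redirect
        delete_cmd = "iptables -t nat -D %s %s" % (chain, " ".join(argv))
        if (wanted is None and chain == "PREROUTING" and _opt(argv, "-p") == "tcp"
                and _opt(argv, "--dport") == port
                and _opt(argv, "--to-destination") == kali_ip):
            wanted = delete_cmd
        else:
            other_dnat.append(delete_cmd)
    return {"present": wanted is not None, "delete_cmd": wanted, "other_dnat": other_dnat}
```

Run it against the live table with `check_redirect(subprocess.check_output(["iptables", "-t", "nat", "-S"], text=True), "<KalilocalIPaddress>")` as root.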
Hi, I want to share another way for Android users. I just used it with one Flutter app; I don't know if this works with all Flutter apps, but it's worth trying.
This only works (I think) on rooted devices.
STEPS
I must say that using this method I don't need to use Frida to bypass SSL pinning. It might take some seconds to populate HTTP requests.