How to intercept HTTP traffic from a Flutter application with Burp (Android and iOS)

Intercepting traffic on Android and iOS Flutter applications

I recently stumbled upon an application developed with Flutter, and since it was my first time seeing it, I surprisingly couldn't intercept its requests. After some digging on Google, I created this tutorial with the steps that personally worked for me, and I wanted to share them in the hope of helping someone else. Note that the applications that I tested didn't have certificate pinning implemented. I'll update this file once I get to test an application that has it (if I'm able to bypass it 😃 ).
To simplify the explanation I refer to the machine that hosts Burp as Kali, but you can use whatever Linux machine you want.

Android:

There are 2 ways to intercept HTTP connections from a Flutter application installed on an Android device (I'm sure there are more but these are the ones I know). Intercepting requests by changing the proxy settings of the device, through the classic settings of Android, doesn't work in this case, since Flutter applications don't take into consideration those settings. I take for granted that we are using a rooted device.

1. With ProxyDroid:

  • The first and easiest way is to use the ProxyDroid application and configure the proxy settings in it. The application can be found on the Play Store.
  • In Host: insert the local IP address of the machine that hosts Burp Suite (if it is a VM, set its network adapter to bridged mode and find the IP with ifconfig, under eth0).
  • Port: 8080 (or whatever port is set up on Burp listener)
  • Proxy Type: HTTP
  • Enable Global Proxy (this setting needs root permission).
  • From Burp: enable a listener on all interfaces on port 8080, and enable invisible proxy (Proxy settings -> edit listener -> Request handling -> flag Support invisible proxying)
  • Once you enable the proxy on the application, you can intercept HTTP requests of your Flutter app.

2. With IPTABLES:

  • Open a shell with root privileges on Android (adb shell -> su)

  • You can run the command iptables -F -t nat to flush the rules so we can start with a clean scenario (only if there aren't any important rules already applied).

  • You can check if everything is ok with iptables -L -t nat

  • Then run this command on the Android shell

    iptables -t nat -A OUTPUT -j DNAT --to-destination <KalilocalIPaddress>

    Replace <KalilocalIPaddress> with the local IP address of your Kali machine.

  • On Kali: run

    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <KalilocalIPaddress>

    (I set up port 443 since I had to intercept HTTPS requests)

  • Set Burp to listen on port 443 and enable invisible proxy.

  • If Burp doesn't allow you to set up a listener on port 443, you need to run Burp with root permissions.

iOS:

Intercepting HTTP connections on iOS is more complicated since you can't use iptables on the device. Instead, you can use OpenVPN and run a VPN server on your Kali machine, connecting the iOS device to the VPN.

  1. Run the following commands on Kali:

    wget https://git.io/vpn -O openvpn-install.sh
    sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut  -d : -f 1)+1))d" ./openvpn-install.sh
    chmod +x openvpn-install.sh 
    sudo ./openvpn-install.sh
    • Options:
      • Which IPv4 address should be used? [choose your local IP address]
      • This server is behind NAT. What is the public IPv4 address or hostname? Public IPv4 address / hostname [still your local IP address]
      • Which protocol should OpenVPN use? 1 [UDP]
      • What port should OpenVPN listen to? Port [1194]: 1194
      • Select a DNS server for the clients: 3 [I personally chose 1.1.1.1]
      • Enter a name for the first client: [choose a name]
  2. Confirm the setup by running ifconfig and observing the addition of a tun0 interface.

  3. Start the OpenVPN service with sudo service openvpn start.

  4. To install the OpenVPN client on iPhone, start a Python HTTP server in the client folder (/root by default):

    sudo python3 -m http.server 8080 --directory /root/
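    • On the iPhone, open http://<KalilocalIPaddress>:8080 in a browser and download the .ovpn file. Stop the server once the download finishes, since it exposes everything under /root to the local network.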
  5. Open the file in the download folder with the OpenVPN app and add the configuration. Connect to the VPN.

  6. You can navigate, but to intercept requests, set rules with iptables on Kali:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <KalilocalIPaddress>
    • Intercept requests with Burp on port 443 and enable invisible proxy from the proxy settings.
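
The Kali-side rule used in both the Android and iOS sections, wrapped so that it validates the address, does not stack duplicate rules, and removes only its own rule afterwards instead of flushing the nat table. This is an added example, not part of the original gist; the function names, the DRY_RUN variable and the script name burp-redirect.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the gist): manage the Kali-side DNAT rule safely.
# DRY_RUN=1 prints the iptables commands instead of running them.

valid_ipv4() {
    # Dotted quad only; rejects an unreplaced <KalilocalIPaddress> placeholder.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

rule_spec() {
    # $1 = Burp host IP, $2 = TCP port to capture (the gist uses 443).
    printf '%s' "PREROUTING -p tcp --dport ${2:-443} -j DNAT --to-destination $1"
}

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables -t nat $*"
    else
        iptables -t nat "$@"
    fi
}

redirect_on() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    spec=$(rule_spec "$1" "${2:-443}")
    # -C checks for an identical rule so repeated runs do not stack duplicates.
    if [ -z "${DRY_RUN:-}" ] && iptables -t nat -C $spec 2>/dev/null; then
        return 0
    fi
    ipt -A $spec
}

redirect_off() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    # -D removes only this rule; "iptables -F -t nat" would wipe every nat rule.
    ipt -D $(rule_spec "$1" "${2:-443}")
}

# Usage (as root): ./burp-redirect.sh on|off <Burp host IP> [port]
case "${1:-}" in
    on)  redirect_on  "${2:-}" "${3:-443}" ;;
    off) redirect_off "${2:-}" "${3:-443}" ;;
esac
```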

Naielik commented Jan 26, 2024

Hi, I want to share another way for Android users. I just used it with one Flutter app; idk if this can work with all Flutter apps, but it's worth trying.
This only works (I think) on rooted devices.

STEPS

  • Download RPoxid from the Play Store.
  • Open it and give it root permissions.
  • Create the proxy rule: add the IP of Burp's machine and specify the app (this part is important: you must know beforehand which port the app uses to communicate with the server; the common one is port 443).
  • Go to the Wi-Fi settings on the phone and, in the proxy settings, configure it with Burp's machine IP and the same port used in the previous step.
  • Finally, go to Burp proxy options, open a new listener to listen on all interfaces, using the same port from the previous step, and enable the invisible proxy listener.

I must say that using this method I don't need to use Frida to bypass SSL pinning. It might take some seconds to populate HTTP requests.
