
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Context: Flutter apps use Dart’s networking stack and bundle BoringSSL inside libflutter.so, so they typically do not rely on Android’s system CA store. As a result, common Android TLS pinning bypasses (which hook platform APIs) miss the real verification path. The post documents a practical method to intercept HTTPS by directly patching BoringSSL’s certificate verification routine inside libflutter.so.


Problem observed

🔧 Technical Details

Hook BoringSSL’s chain verification in Flutter: In Flutter apps, TLS verification occurs inside BoringSSL within libflutter.so, not the Android system store. Extract the app’s libflutter.so, locate ssl_crypto_x509_session_verify_cert_chain (via a string search for ssl_client and XREFs), confirm it takes 3 args and returns a boolean, compute the relative offset from the binary’s base, then Frida-hook that address to always return success. This universally bypasses certificate checks, enabling HTTPS interception regardless of pins or CA trust.


Account for architecture differences: Pattern-based hooks often fail cross-arch. Recompute the exact function and offset for the target build and architecture (ARM vs x86_64), and hook by address at runtime rather than relying on static byte patterns.


Proxy redirection is not enough: Even with iptables redirecting traffic ...

🤖 Agent Actions

I analyzed the blog and the existing HackTricks Android/Flutter coverage. The repo already had a Flutter page explaining BoringSSL-based TLS verification and a pattern-scan Frida approach. However, it did not include the offset-based hooking technique to directly replace BoringSSL’s ssl_crypto_x509_session_verify_cert_chain using a base+offset computed from Ghidra, nor the practical workflow to find the function via “ssl_client” string/XREFs, compute the RVA, and hook it with Interceptor.replace. Those details are important when signature scans fail across architectures (e.g., x86_64), which is exactly the blog’s contribution.

What I updated

  • File modified: src/mobile-pentesting/android-app-pentesting/flutter.md
  • Added a concise new section: “Offset-based hook of BoringSSL verification (no signature scan)” with:
    • Steps to extract the correct libflutter.so per ABI
    • Ghidra workflow to locate ssl_crypto_x509_session_verify_cert_chain via “ssl_client” string and XREFs, verify 3-arg + bool return, and compute RVA (example subtraction from image base)
    • Minimal Frida script that uses Module.findBaseAddress('libflutter.so') + offset and Interceptor.replace(... NativeCallback returning 1)
    • Architecture caveats and the need to recompute offsets per build/arch
    • A diagnostic iptables DNAT rule illustrating that proxy forcing alone is blocked by BoringSSL verification
  • Extended the References section with:
    • The provided blog URL (m4kr0x)
    • BoringSSL ssl_x509.cc source link
    • Kept the existing SensePost reference

Why this is the right place

  • The Flutter page is the dedicated spot for Flutter/BoringSSL TLS bypass content. It already covers pattern scanning; adding the offset-based hook is complementary and directly addresses cases where patterns fail on non-ARM architectures.

No new files were created, and only one file was modified, preserving existing content and style.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
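The "locate the string, then compute the RVA" step described above depends on correctly mapping a file offset to a virtual address through the PT_LOAD segments, and on subtracting the image base so the result can later be added to the module's runtime base. This added example (not the PR's or the blog's code) does that mapping for an ELF64 shared object; the minimal ELF it builds is a constructed stand-in for libflutter.so, with a text segment at file offset 0 / VA 0 and a read-only segment at file offset 0x1000 / VA 0x2000, so the file offset and the VA of the string differ, which is exactly the case where naive arithmetic produces the wrong offset.

```python
import struct

# ELF64 header: e_ident[16], type, machine, version, entry, phoff, shoff,
# flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
# ELF64 program header: type, flags, offset, vaddr, paddr, filesz, memsz, align
PHDR = struct.Struct("<IIQQQQQQ")
PT_LOAD = 1


def load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD segment."""
    hdr = EHDR.unpack_from(data, 0)
    if hdr[0][:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz, _, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((off, vaddr, filesz))
    return segs


def file_offset_to_va(segs, off):
    """Map a file offset to the virtual address of the PT_LOAD segment that contains it."""
    for p_off, p_vaddr, p_filesz in segs:
        if p_off <= off < p_off + p_filesz:
            return p_vaddr + (off - p_off)
    raise ValueError("offset %#x is not in any PT_LOAD segment" % off)


def find_string_rva(data, needle):
    """RVA (VA minus page-aligned image base) of a NUL-terminated string such as b'ssl_client'.
    At runtime the same quantity is added to the module's load address; it is per-build/per-ABI."""
    segs = load_segments(data)
    image_base = min(v for _, v, _ in segs) & ~0xFFF
    off = data.find(needle + b"\0")
    if off < 0:
        raise ValueError("string not found")
    return file_offset_to_va(segs, off) - image_base


def build_sample_elf():
    """Constructed stand-in for libflutter.so (two PT_LOAD segments, no sections)."""
    rodata = b"\0" * 0x10 + b"ssl_client\0" + b"\0" * 0x20
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 0xB7, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    text = PHDR.pack(PT_LOAD, 5, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    ro = PHDR.pack(PT_LOAD, 4, 0x1000, 0x2000, 0x2000, len(rodata), len(rodata), 0x1000)
    header = ehdr + text + ro
    return header + b"\0" * (0x1000 - len(header)) + rodata
```

Running `find_string_rva(open("libflutter.so", "rb").read(), b"ssl_client")` on a real extracted library gives the VA to start the XREF walk from in Ghidra; the sample returns 0x2010, not the file offset 0x1010.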

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://m4kr0x.medium.com/flutter-tls-bypass-how-to-intercept-https-traffic-when-all-other-frida-scripts-fail-bd3d04489088

Content Categories: Based on the analysis, this content was categorized under "Pentesting Mobile -> Android -> SSL/TLS Pinning Bypass -> Flutter/BoringSSL (Frida hook on ssl_crypto_x509_session_verify_cert_chain)".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 7aa035e into master Nov 12, 2025
@carlospolop carlospolop deleted the update_Flutter_SSL_Bypass__How_to_Intercept_HTTPS_Traffic_20251112_012204 branch November 12, 2025 09:10