Flutter App Penetration Testing: Bypass SSL and Find Vulnerabilities in Dart Apps

Flutter apps are built differently from standard Android apps: the UI and networking run in the Dart runtime with a custom rendering engine, so most of the standard Android security testing toolchain does not work on them unchanged. This guide covers the complete Flutter app penetration testing workflow: traffic interception (which requires patching the binary or hooking it at runtime), Dart code analysis, and finding the same OWASP Mobile vulnerabilities through Flutter-specific attack surfaces.

Identifying Flutter Apps

bash — identify flutter
$ unzip -l target.apk | grep flutter
2,456,892 lib/arm64-v8a/libflutter.so
134,208 lib/arm64-v8a/libapp.so
45,056 assets/flutter_assets/kernel_blob.bin
[+] Confirmed: this is a Flutter app

Why Standard Proxy Setup Fails

Flutter's HTTP client is implemented entirely in Dart on top of the dart:io HttpClient, which does not honour Android's system proxy settings or the system certificate store. A proxy configured in the device's Wi-Fi settings is therefore ignored: the app's traffic never reaches the proxy and no error is shown. There are three working approaches:

  1. reFlutter — patches libapp.so to hardcode a proxy address (recommended)
  2. Frida hook — hooks ssl_verify_result in libflutter.so at runtime
  3. iptables redirect — forces all TCP traffic to the proxy at the network level (root required)

Traffic Interception with reFlutter

bash — reFlutter
$ pip3 install reflutter
$ reflutter target.apk
Enter your BurpSuite IP: 192.168.1.100
[+] Patching libapp.so…
[+] Proxy hardcoded to 192.168.1.100:8083
[+] release.RE.apk generated — install and intercept

Frida-Based SSL Bypass

// flutter_ssl_bypass.js
function hook_ssl_verify_result(address) {
    Interceptor.attach(address, {
        onLeave: function(retval) {
            retval.replace(1); // Force "OK"
            console.log('[+] ssl_verify_result: forced OK');
        }
    });
}

var libflutter = Process.getModuleByName("libflutter.so");
var pattern = "FF 83 01 D1 FD 7B 03 A9 FD C3 00 91";
Memory.scan(libflutter.base, libflutter.size, pattern, {
    onMatch: function(address, size) {
        console.log('[+] Found ssl_verify_result at: ' + address);
        hook_ssl_verify_result(address);
    }
});

bash — frida flutter bypass
$ frida -U -l flutter_ssl_bypass.js com.target.app
[*] Scanning libflutter.so for ssl_verify_result…
[+] Found at 0x7f2abc1234
[+] Hook installed — SSL verification neutralized

POST /api/v2/login HTTP/1.1
{"email":"test@test.com","password":"hunter2"}

Analyzing Dart Code with blutter

# Install blutter
git clone https://github.com/worawit/blutter
cd blutter && python3 setup.py

# Extract libapp.so from APK
unzip target.apk lib/arm64-v8a/libapp.so -d extracted/

# Analyze Dart snapshot
python3 blutter/main.py extracted/lib/arm64-v8a/libapp.so output/
# Output: class names, method names, string constants, API endpoints

Flutter Pentest Checklist

  • Verify it is Flutter — both libflutter.so and libapp.so present in APK
  • Set up traffic interception with reFlutter or Frida
  • Run blutter to extract Dart class and method names
  • Check assets/flutter_assets/ for bundled config files and secrets
  • Review AndroidManifest.xml for exported components (same as native Android)
  • Check SharedPreferences and SQLite databases via ADB
  • Test deep links and intent handling via ADB am commands
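The first and fourth checklist items (confirming the app is Flutter, and reviewing what is bundled under assets/flutter_assets/) can be scripted as a single triage pass over the APK. The script below is an added example, not part of the original post or any tool it mentions; it is the same ZIP listing check as `unzip -l | grep flutter`, with a per-ABI breakdown and a heuristic list of bundled config-like assets. The file-suffix list and the sample APK contents are assumptions chosen for illustration.

```python
import io
import re
import zipfile
from typing import Dict, Union

FLUTTER_ENGINE = re.compile(r"^lib/([^/]+)/libflutter\.so$")
DART_SNAPSHOT = re.compile(r"^lib/([^/]+)/libapp\.so$")
FLUTTER_ASSETS = "assets/flutter_assets/"
# Asset names that usually carry configuration worth reading during review
# (checklist item: bundled config files and secrets). Heuristic only.
CONFIG_SUFFIXES = (".json", ".env", ".yaml", ".yml", ".properties")

def identify_flutter(apk: Union[str, bytes]) -> Dict[str, object]:
    """Fingerprint an APK (path or raw bytes) the same way `unzip -l` does."""
    src = io.BytesIO(apk) if isinstance(apk, bytes) else apk
    with zipfile.ZipFile(src) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    engine_abis = {m.group(1) for n in names if (m := FLUTTER_ENGINE.match(n))}
    snapshot_abis = {m.group(1) for n in names if (m := DART_SNAPSHOT.match(n))}
    assets = [n for n in names if n.startswith(FLUTTER_ASSETS)]
    return {
        # Engine and Dart snapshot must both be present for the same ABI.
        "is_flutter": bool(engine_abis & snapshot_abis),
        "abis": sorted(engine_abis & snapshot_abis),
        # kernel_blob.bin is the Dart kernel shipped by debug (JIT) builds;
        # release builds carry an AOT snapshot in libapp.so instead.
        "jit_kernel_present": FLUTTER_ASSETS + "kernel_blob.bin" in names,
        "config_assets": sorted(n for n in assets if n.lower().endswith(CONFIG_SUFFIXES)),
        "asset_count": len(assets),
    }

def build_sample_apk(flutter: bool = True) -> bytes:
    """Constructed stand-in APK with dummy contents (not a real app): the
    entries from the listing above plus one bundled config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035")
        if flutter:
            zf.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF")
            zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF")
            zf.writestr("assets/flutter_assets/kernel_blob.bin", b"\x00")
            zf.writestr("assets/flutter_assets/config/app_config.json", b"{}")
    return buf.getvalue()

if __name__ == "__main__":
    print(identify_flutter(build_sample_apk()))
```

Pass a real APK path to `identify_flutter` to run it against an actual build; the config_assets list is only a pointer to files a reviewer should open, not proof that they contain secrets.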

Flutter security testing requires a different toolchain but yields the same class of vulnerabilities. Master the reFlutter + Frida combination for traffic interception and blutter for code analysis — you will be as effective on Flutter apps as on native Android. For hands-on labs, explore Mobile Hacking Lab.