-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added ios & android technique and tool for re-flutter (by @appknox) #2600
Changes from 17 commits
1570297
c66ad79
67ef2c4
55cceab
c7b2103
a8e2af9
bab130a
3e8026e
4400933
2e8a6db
a7313bf
58a0c5b
a739edc
987322d
b3fc2e1
2f9e0bd
3d414a7
338d809
e5eff2d
6541328
f91f157
843c05e
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
title: Disable-flutter-tls-verification | ||
platform: android | ||
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.apk | ||
--- | ||
|
||
An android application designed to verify the [disable-flutter-tls-verification script](../../tools/generic/MASTG-TOOL-0101.md), which disables Flutter's TLS verification. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
title: Disable-flutter-tls-verification | ||
platform: ios | ||
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.ipa | ||
--- | ||
|
||
An iOS application designed to verify the [disable-flutter-tls-verification script](../../tools/generic/MASTG-TOOL-0101.md), which disables Flutter's TLS verification. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
--- | ||
title: Intercepting Flutter HTTPS Traffic | ||
platform: android | ||
--- | ||
|
||
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted. | ||
|
||
In order to intercept Flutter HTTPS traffic, we need to deal with two problems: | ||
|
||
- Make sure the traffic is sent to the proxy. | ||
- Disable the TLS verification of any HTTPS connection. | ||
|
||
There are generally two approaches to this: **reFlutter** and **Frida**. | ||
|
||
- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification. | ||
- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...). | ||
|
||
## Intercepting Traffic using reFlutter | ||
|
||
1. Patch the app to enable traffic interception. | ||
|
||
Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running. | ||
|
||
```plaintext | ||
$ reflutter demo.apk | ||
|
||
Choose an option: | ||
|
||
Traffic monitoring and interception | ||
Display absolute code offset for functions | ||
|
||
[1/2]? 1 | ||
|
||
Example: (192.168.1.154) etc. | ||
Please enter your BurpSuite IP: 192.168.29.216 | ||
``` | ||
|
||
This will create a **release.RE.apk** file in the output folder. | ||
|
||
2. Sign the patched **release.RE.apk** file (e.g. using the [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)). | ||
|
||
```plaintext | ||
java -jar uber-apk-signer.jar -a release.RE.apk --out demo-signed | ||
``` | ||
|
||
This will create a **release.RE-aligned-debugSigned.apk** file in the output folder. | ||
|
||
3. Install the signed patched app on the mobile device. | ||
|
||
4. Configure the interception proxy. For example, in Burp: | ||
|
||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
- Bind listening Port to `8083`. | ||
- Select `Bind to address` to `All interfaces`. | ||
- Request Handling -> support for invisible proxying. | ||
|
||
5. Open the app and start intercepting traffic. | ||
|
||
## Intercepting Traffic using ProxyDroid / iptables with Frida | ||
|
||
1. Configure [proxyDroid](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/) or iptables rules to redirect requests to Burp. | ||
|
||
Execute the command to configure iptables in order to redirect the incoming requests from the application to Burp. | ||
```plaintext | ||
$ iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <Your-Proxy-IP>:8080 | ||
|
||
$ iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <Your-Proxy-IP>:8080 | ||
``` | ||
|
||
2. Install the [app](../../apps/android/MASTG-APP-0016.md) on the mobile device. | ||
|
||
3. Configure the interception proxy. For example, in Burp: | ||
|
||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
- Bind listening Port to `8080`. | ||
- Select `Bind to address` to `All interfaces`. | ||
- Request Handling -> support for invisible proxying. | ||
|
||
4. Run the [disable-flutter-tls.js](../../tools/generic/MASTG-TOOL-0101.md) frida script. | ||
|
||
```plaintext | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Shouldn't these be bash? |
||
frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js | ||
``` | ||
|
||
5. Start intercepting traffic. |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,71 @@ | ||||||
--- | ||||||
title: Intercepting Flutter HTTPS Traffic | ||||||
platform: ios | ||||||
--- | ||||||
|
||||||
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted. | ||||||
|
||||||
In order to intercept Flutter HTTPS traffic, we need to deal with two problems: | ||||||
|
||||||
- Make sure the traffic is sent to the proxy. | ||||||
- Disable the TLS verification of any HTTPS connection. | ||||||
|
||||||
There are generally two approaches to this: **reFlutter** and **Frida**. | ||||||
|
||||||
- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot). | ||||||
|
||||||
## Intercepting Traffic using reFlutter | ||||||
|
||||||
1. Patch the app to enable traffic interception. | ||||||
cpholguera marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running. | ||||||
|
||||||
```plaintext | ||||||
$ reflutter demo.ipa | ||||||
|
||||||
Choose an option: | ||||||
|
||||||
Traffic monitoring and interception | ||||||
Display absolute code offset for functions | ||||||
|
||||||
[1/2]? 1 | ||||||
|
||||||
Example: (192.168.1.154) etc. | ||||||
Please enter your BurpSuite IP: 192.168.29.216 | ||||||
``` | ||||||
|
||||||
This will create a **release.RE.ipa** file in the output folder. | ||||||
|
||||||
2. [Sign](../../techniques/ios/MASTG-TECH-0092.md) the patched **release.RE.ipa** with the Apple certificates. This will create a signed ".ipa" file in the output folder. | ||||||
|
||||||
3. Install the signed patched app on the mobile device. | ||||||
|
||||||
4. Configure the interception proxy. For example, in Burp: | ||||||
|
||||||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||||||
- Bind listening Port to `8083`. | ||||||
- Select `Bind to address` to `All interfaces`. | ||||||
- Request Handling -> support for invisible proxying. | ||||||
|
||||||
5. Open the app and start intercepting traffic. | ||||||
|
||||||
## Intercepting Traffic using WIFI Hotspot / openVPN with Frida | ||||||
|
||||||
1. Configure using [WIFI hotspot / openVPN](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/) method to redirect requests to Burp. | ||||||
|
||||||
2. Install the [app](../../apps/ios/MASTG-APP-0025.md) on the mobile device. | ||||||
|
||||||
3. Configure the interception proxy. For example, in Burp: | ||||||
|
||||||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||||||
- Bind listening Port to `8080`. | ||||||
- Select `Bind to address` to `All interfaces`. | ||||||
- Request Handling -> support for invisible proxying. | ||||||
|
||||||
4. Run the [disable-flutter-tls.js](../../tools/generic/MASTG-TOOL-0101.md) frida script. | ||||||
|
||||||
```plaintext | ||||||
frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js | ||||||
``` | ||||||
|
||||||
5. Start intercepting traffic. |
cpholguera marked this conversation as resolved.
Show resolved
Hide resolved
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,9 @@ | ||||||
--- | ||||||
title: re-flutter | ||||||
platform: generic | ||||||
source: https://github.com/Impact-I/reFlutter | ||||||
--- | ||||||
|
||||||
The [re-flutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. | ||||||
|
||||||
You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,9 @@ | ||||||
--- | ||||||
title: disable-flutter-tls-verification | ||||||
platform: generic | ||||||
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification | ||||||
--- | ||||||
|
||||||
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
x86 is intel |
||||||
|
||||||
You can use it via Frida codeshare or by downloading disable-flutter-tls.js from the repo as indicated in these [instructions](https://github.com/NVISOsecurity/disable-flutter-tls-verification). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.