Unpacking Flutter hives

When analyzing the security of mobile applications, it's important to verify that all data is stored securely (see OWASP MASVS-STORAGE-1). A recent engagement involved a Flutter app that uses the Isar/Hive framework to store data. The engagement was unfortunately black-box, so we did not have access to any of the source code. This especially …

Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)

Some time ago I wrote some articles on how to Man-In-The-Middle Flutter on iOS, Android (ARM) and Android (ARM64). Those posts were quite popular and I often went back to copy those scripts myself. Last week, however, we received a Flutter application where the script wouldn't work anymore. As we had the source code, it …

Intercepting Flutter traffic on iOS

My previous blogposts explained how to intercept Flutter traffic on Android ARMv8, with a detailed follow-along guide for ARMv7. This blogpost does the same for iOS. ⚠️ Update August 2022 ⚠️ An update to this blog post was written and can be found here. It covers both iOS and Android and a convenient script / …

Intercepting Flutter traffic on Android (ARMv8)

In a previous blogpost, I explained my steps for reversing the flutter.so binary to identify the correct offset/pattern to bypass certificate validation. As a very quick summary: Flutter doesn't use the system's proxy settings, and it doesn't use the system's certificate store, so normal approaches don't work. My previous guide only explained how to intercept …