Proxying Traffic on Android Flutter Applications
This article explains how to intercept traffic from Flutter-based Android applications. Flutter is a newer open-source mobile development framework that lets developers write a single code base for iOS, Android, web applications and thick clients. Flutter applications are written in Dart, and Dart's networking stack on Android does not honour the system proxy settings, so applications built with this framework are known as proxy-unaware applications. They also do not use the system CA store; instead they validate against the list of CAs compiled into the application.
To get started you will need a few prerequisites, so let's jump straight in.
Prerequisites:
- Rooted Physical Device
- Android Debug Bridge (ADB)
- ProxyDroid
- Basic knowledge of Frida
There are other ways to achieve this, but in this article we will focus on the two methods I primarily use to bypass these restrictions and get the traffic into a proxy tool for dynamic analysis.
- Using ProxyDroid (Applications that use the HTTP protocol)
- Using iptables + SSL Unpinning using Frida (Applications that use the HTTPS protocol)
Scenario 1: Intercepting traffic for Applications that use the HTTP Protocol
For this scenario, we will install ProxyDroid on our testing device to route the application's HTTP traffic to our proxy tool. The procedure is fairly simple to follow; here it is.
Step 1: After installing ProxyDroid, set the Host and Port to the IP address and port of the machine where Burp Suite is running, and set the proxy type to "HTTP".
Step 2: Go to "Individual Proxy" and select the Flutter application. Once the target application is selected, enable the "Proxy Switch".
Individual Proxy applies the proxy settings to a specific application only. This feature is also useful when you want only that application's traffic to show up in Burp Suite, rather than traffic from every app on the device.
Step 3: Configure Burp Suite to listen on all interfaces and enable "Invisible Proxying" from the listener options, as shown above.
Step 4: Start the target Flutter application and perform any action; you will now be able to intercept its HTTP requests.
Scenario 2: Using iptables + SSL Unpinning using Frida (Applications that use the HTTPS protocol)
For this scenario, we will use iptables and Frida to bypass SSL pinning in a Flutter-based Android application.
To begin, iptables must be configured on the testing device.
Step 1: Access the device via adb shell and gain superuser access with the su command (iptables requires superuser privileges). Use the following commands to create NAT rules that redirect all outgoing HTTP (port 80) and HTTPS (port 443) traffic on the device to 127.0.0.1:8080.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8080
Step 2: Use the following command to verify that the required rules have been created on the testing device. The highlighted lines in the output are the two DNAT rules just added.
iptables -t nat -L
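As an added example (not part of the original article), here is a small POSIX shell helper that wraps Steps 1 and 2: it adds the two DNAT rules, verifies them by parsing the `iptables -t nat -L -n` listing, and, just as importantly, removes them again once testing is finished so the device is not left silently redirecting all web traffic. It is meant to be run inside `adb shell` after `su`; the `IPTABLES` and `PROXY_DEST` variables are my own additions so the script can be pointed at a different binary or proxy address. The article does not say how Burp Suite becomes reachable at 127.0.0.1:8080 on the device; this helper assumes you have arranged that yourself (for example with `adb reverse tcp:8080 tcp:8080`, which is not from the article).

```shell
#!/bin/sh
# Added example: manage the iptables NAT redirect rules used in Scenario 2.
# Usage (on the device, as root):  sh flutter_proxy_rules.sh add|verify|remove
# PROXY_DEST and IPTABLES are assumptions of this example, not from the article.

PROXY_DEST="${PROXY_DEST:-127.0.0.1:8080}"   # where Burp must be reachable from the device
IPTABLES="${IPTABLES:-iptables}"             # override to point at another binary

# Build the argument list for one rule.
#   $1 = -A (append) or -D (delete), $2 = destination port (80 or 443)
nat_rule_args() {
  printf '%s' "-t nat $1 OUTPUT -p tcp --dport $2 -j DNAT --to-destination $PROXY_DEST"
}

# Step 1: redirect outgoing HTTP and HTTPS to the proxy.
add_redirect_rules() {
  for port in 80 443; do
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    $IPTABLES $(nat_rule_args -A "$port")
  done
}

# Cleanup: delete exactly the rules we added (same spec, -D instead of -A).
remove_redirect_rules() {
  for port in 80 443; do
    $IPTABLES $(nat_rule_args -D "$port")
  done
}

# Count our DNAT rules in an 'iptables -t nat -L OUTPUT -n' listing passed as $1.
# Matches lines such as:
#   DNAT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443 to:127.0.0.1:8080
count_redirect_rules() {
  printf '%s\n' "$1" | grep -cE "^DNAT +tcp .*dpt:(80|443) +to:$PROXY_DEST" || true
}

# Step 2: query the live NAT table and report whether both rules are present.
verify_redirect_rules() {
  listing="$($IPTABLES -t nat -L OUTPUT -n)"
  n="$(count_redirect_rules "$listing")"
  if [ "$n" -eq 2 ]; then
    echo "ok: both redirect rules present (-> $PROXY_DEST)"
    return 0
  fi
  echo "missing: expected 2 redirect rules, found $n"
  return 1
}

case "${1:-}" in
  add)    add_redirect_rules && verify_redirect_rules ;;
  verify) verify_redirect_rules ;;
  remove) remove_redirect_rules ;;
  "")     ;;  # no action when sourced or run without arguments
  *)      echo "usage: $0 add|verify|remove" >&2; exit 2 ;;
esac
```

The `remove` action matters because the rules live in the kernel, not in the app: after you finish, every process on the device is still being redirected to port 8080, and once Burp is gone all HTTP/HTTPS connections simply fail until the rules are deleted or the device reboots.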
Step 3: Configure Burp Suite to listen on all interfaces and enable "Invisible Proxying" from the listener options, as shown above.
Step 4: Here we noticed that SSL pinning was implemented in the target application, as shown in the image above: the TLS handshake fails because Burp's certificate is not in the CA list compiled into the app. Therefore, we need to bypass SSL pinning before we can intercept the requests.
Step 5: We can bypass SSL pinning in the application by using Frida. Use the following command to spawn the app with the Frida script attached (the script can be downloaded from the link below).
frida -U -f <package_name_app> -l <path_to_frida_script_on_local_system> --no-pause
https://github.com/m0bilesecurity/Frida-Mobile-Scripts/tree/master/Android
Step 6: Now use the application and check Burp Suite; we are now able to intercept the HTTPS requests of the Flutter application.
Thank you for reading my article today!
If you have any queries, feel free to mention them in the comments below.