Added ios & android technique and tool for re-flutter (by @appknox) #2600
…H-0099.md, tools/generic/MASTG-TOOL-0099.md
Awesome, thank you @sk3l10x1ng! Here you have some suggestions.
And some questions more in general:
Do you have any reference apps we can link to? If not, maybe you could re-test using these and link them as examples: https://github.com/NVISOsecurity/disable-flutter-tls-verification We could also add them to https://mas.owasp.org/MASTG/apps/
Sure, will add it.
This is related to ssl pinning bypass and not about intercepting the traffic.
Sure, can test for intercepting the traffic and add it to https://mas.owasp.org/MASTG/apps/
**How does re-flutter method differs from other techniques ?** |
@sk3l10x1ng thanks for all the updates, I've fixed a couple of typos for now.
Also thanks for checking those blog posts. I think the only thing that remains open is the consideration of the 3rd alternative technique. If I'm not misunderstanding anything, there are 2 alternative approaches:
- (re-flutter) requires patching
- (nviso script) doesn't require patching, it uses Frida
Using these apps:
- https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.apk
- https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.ipa
Could you please validate that your technique works with them, and also try this alternative technique via Frida? It seems easy to run using codeshare (as indicated here):

```bash
frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY
```
If all of this works we can confirm that both techniques are equivalent and could be summarized as:
re-flutter
- setup interception proxy
- patch app using re-flutter
- inspect intercepted traffic
nviso
- setup interception proxy
- run frida script
- inspect intercepted traffic
@TheDauntless Would you mind chiming in to confirm my hypothesis (or not)?
re-flutter also configures the proxy of the app, which is something that my script doesn't do.
So for disable-flutter-tls.js, you would need to pair that with a VPN / ARP / WIFI / DNS / ProxyDroid MITM.
Hi! Thanks for contributing to the MASTG! 🥳
I added some comments, both grammar and content-wise. These techniques can be quite tricky, and we try to give different alternatives and explain pros/cons of the different tools. This is important as these tools can (and will) fail at some point, and it's important to know all the possibilities.
Can you apply these comments to the iOS section, too?
(And, just for transparency, I'm also the author of disable-flutter-tls.js)
@@ -0,0 +1,51 @@ | |||
--- | |||
title: Intercepting Flutter HTTP Traffic |
title: Intercepting Flutter HTTP Traffic | |
title: Intercepting Flutter HTTPS Traffic |
@cpholguera or are we using HTTP everywhere? The difficulty is that it has its own cert store. The proxy-unaware is not Flutter specific.
You're correct! Thanks
platform: android | ||
--- | ||
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. |
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. | |
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted. |
I modified this a bit, since being proxy-unaware isn't really an issue (you could use a VPN, ARP spoofing, DNS spoofing, WIFI MITM, ...), but the fact that it has a built-in cert store is an issue that can't be solved by any conventional technique.
**How does re-flutter method differs from other techniques ?** |
**How does re-flutter method differs from other techniques ?** |
Would delete this line
**How does re-flutter method differs from other techniques ?** | ||
There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. |
There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. | |
In order to intercept Flutter HTTPS traffic we need to deal with two problems: | |
* Make sure the traffic is sent to the proxy | |
* Disable the TLS verification of any HTTPS connection | |
There are generally two approaches to this: reFlutter and Frida. | |
* reFlutter: This tool creates a modified version of libFlutter.so which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification | |
* Frida: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...) |
The re-flutter app also has downsides, so this is pretty one-sided:
- Only works on known/published hashes, otherwise you have to rebuild the engine yourself
- Repackages the app. This brings complications (e.g. iOS or any app that detects repackaging)
I've used reFlutter a few times (mostly for the object-dump) and it's great when it works, but not straightforward if it doesn't.
So I modified this section to give a more generic introduction of what needs to be done, and then the rest can explain both reFlutter and Frida + (e.g.) ProxyDroid.
We should also use reFlutter, as the tool calls itself, and not re-flutter.
1. Patch the app to enable traffic interception. | ||
Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. |
Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. | |
Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running. |
3. Install the signed patched app on the mobile device. | ||
4. Configure the interception proxy.For example, in Burp-suite: |
4. Configure the interception proxy.For example, in Burp-suite: | |
4. Configure the interception proxy. For example, in Burp: |
We use 'Burp' as the consistent name for PortSwigger's Burp Suite throughout the MASTG.
4. Configure the interception proxy.For example, in Burp-suite: | ||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
- Bind listening Port to 8083. | ||
- Select Bind to address to All interfaces. |
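Review bot: the "Select Bind to address to All interfaces" bullet exposes the Burp listener on port 8083 to every host that can reach the testing machine, not just the device under test; the step should say to do this only on an isolated test network (or to restrict the port with a host firewall), and should note that this IP and port must be the same ones entered when reFlutter asked for the proxy address in step 1, otherwise the patched app will not reach the proxy.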
- Select Bind to address to All interfaces. | |
- Select `Bind to address` to `All interfaces`. |
4. Configure the interception proxy.For example, in Burp-suite: | ||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
- Bind listening Port to 8083. |
- Bind listening Port to 8083. | |
- Bind listening Port to `8083`. |
@TheDauntless, thanks, will work on the changes.
Hello @cpholguera @TheDauntless, made the requested changes. Please check.
Just a few small modifications and then it's good for me :)
1. Configure [proxyDroid](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/) or iptables rules to redirect requests to Burp. | ||
Execute the command to configure iptables in order to redirect the incoming requests from the application to Burp. |
Execute the command to configure iptables in order to redirect the incoming requests from the application to Burp. | |
If not using proxyDroid, execute the following commands on the rooted Android device to configure iptables to redirect the incoming requests from the application to Burp: |
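A concrete form of the iptables alternative to proxyDroid, as an added example that is not part of this PR, of the MASTG, or of the linked NVISO script. It assumes a rooted device reachable over `adb`, and the app UID, proxy IP and port are placeholders you supply; restricting the redirect to one UID with the owner match is my choice, so that only the app under test is diverted to the Burp listener (port 8083 in the PR) rather than the whole device.

```shell
#!/bin/sh
# Added example (not from the MASTG PR). Builds and optionally applies the NAT rules
# that send one Android app's plain-HTTP and HTTPS connections to an interception proxy.
# All values (UID 10123, 192.168.1.10, 8083) are placeholders for your own test setup.
set -eu

# Print one iptables command per redirected port. The owner match limits the redirect
# to the app under test; without it, every process on the device would hit the proxy.
# The optional 4th argument is the iptables action: -A to add, -D to delete.
redirect_rules() {
  uid=$1 proxy_ip=$2 proxy_port=$3 action=${4:--A}
  for dport in 80 443; do
    printf 'iptables -t nat %s OUTPUT -p tcp -m owner --uid-owner %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$action" "$uid" "$dport" "$proxy_ip" "$proxy_port"
  done
}

# Reject obviously wrong proxy addresses before anything touches the device's NAT table.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Apply the rules on the device as root over adb; run with REMOVE=1 to delete them
# again once testing is done, so the device does not keep forwarding traffic to the proxy.
apply_on_device() {
  uid=$1 proxy_ip=$2 proxy_port=$3
  valid_ipv4 "$proxy_ip" || { echo "bad proxy IP: $proxy_ip" >&2; return 1; }
  action=-A
  [ "${REMOVE:-0}" = 1 ] && action=-D
  redirect_rules "$uid" "$proxy_ip" "$proxy_port" "$action" | while read -r cmd; do
    adb shell su -c "$cmd"
  done
}

# Usage with placeholders; the UID comes from: adb shell dumpsys package <pkg> | grep userId
# apply_on_device 10123 192.168.1.10 8083
```

The redirect only covers the transport; the TLS verification still has to be removed with the Frida script from step 4, since the proxy's certificate is not in Flutter's built-in store.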
4. Run the [disable-flutter-tls.js](../../tools/generic/MASTG-TOOL-0101.md) frida script. | ||
```plaintext |
Shouldn't these be bash?
tools/generic/MASTG-TOOL-0100.md
Outdated
The [re-flutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. | ||
You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). |
You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). | |
You can install and use re-flutter by following [the official instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). |
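Review bot: the suggested replacement still names the tool `re-flutter`, although the earlier review asked to use `reFlutter`, the name the tool uses for itself; both the original line and the suggestion should read "You can install and use reFlutter by following [the official instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install)." so the tool page matches the technique pages.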
tools/generic/MASTG-TOOL-0101.md
Outdated
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification | ||
--- | ||
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). |
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). | |
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on Android ( ARM32, ARM64 and x64) and iOS (ARM64). It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). |
x86 is Intel
@TheDauntless The requested modifications have been done. Please check.
@sk3l10x1ng these are the last fixes and we're ready to merge. Thank you!
techniques/ios/MASTG-TECH-0110.md
Outdated
There are generally two approaches to this: **reFlutter** and **Frida**. | ||
- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. |
- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. | |
- **reFlutter**: This tool creates a modified version of the Flutter module which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. |
tools/generic/MASTG-TOOL-0101.md
Outdated
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification | ||
--- | ||
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on (ARM32, ARM64 and x64) and iOS (ARM64). It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). |
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on (ARM32, ARM64 and x64) and iOS (ARM64). It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). | |
[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on (ARM32, ARM64 and x64) and iOS (ARM64). It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blog post](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/). |
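Review bot: both the original line and the suggested replacement drop the word "Android" before "(ARM32, ARM64 and x64)", so the sentence reads "works on (ARM32, ARM64 and x64) and iOS (ARM64)"; the earlier suggestion on this file had "works on Android (ARM32, ARM64 and x64) and iOS (ARM64)", and that wording should be restored together with the "blog post" fix.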
@cpholguera requested changes have been done, please check. Thank you.
Thanks a lot @sk3l10x1ng, great job!
closes #2592