Added ios & android technique and tool for re-flutter (by @appknox) #2600
@@ -0,0 +1,51 @@ | ||||||||||||||||||||
--- | ||||||||||||||||||||
title: Intercepting Flutter HTTP Traffic | ||||||||||||||||||||
platform: android | ||||||||||||||||||||
--- | ||||||||||||||||||||
|
||||||||||||||||||||
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. | ||||||||||||||||||||
Suggested change
I modified this a bit, since the proxy-unaware isn't really an issue (you could use a VPN, ARP spoofing, DNS spoofing, WiFi MITM, ...), but the fact that it has a built-in cert store is an issue that can't be solved by any conventional technique.
||||||||||||||||||||
|
||||||||||||||||||||
|
||||||||||||||||||||
|
||||||||||||||||||||
**How does re-flutter method differs from other techniques ?** | ||||||||||||||||||||
@sk3l10x1ng thanks for all the updates, I've fixed a couple of typos for now. Also thanks for checking those blog posts. I think the only thing that remains open is the consideration of the 3rd alternative technique. If I'm not misunderstanding anything they are 2 alternative approaches,

Using these apps:

Could you please validate that your technique works with them and also using this alternative technique via Frida, it seems easy to run using codeshare (as indicated here):

If all of this works we can confirm that both techniques are equivalent and could be summarized as:
- re-flutter
- nviso

@TheDauntless Would you mind chiming in to confirm my hypothesis (or not)?

re-flutter also configures the proxy of the app, which is something that my script doesn't do. So for disable-flutter-tls.js, you would need to pair that with VPN / ARP / WiFi / DNS / ProxyDroid mitm.

Suggested change
Would delete this line
||||||||||||||||||||
|
||||||||||||||||||||
There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. | ||||||||||||||||||||
Suggested change
The re-flutter app also has downsides, so this is pretty one-sided:
I've used reFlutter a few times (mostly for the object-dump) and it's great when it works, but not straightforward if it doesn't. So I modified this section to give a more generic introduction of what needs to be done, and then the rest can explain both reFlutter and Frida+(eg)ProxyDroid. We should also use reFlutter, as the tool calls itself, and not re-flutter.
||||||||||||||||||||
|
||||||||||||||||||||
## Intercepting Traffic using re-flutter | ||||||||||||||||||||
|
||||||||||||||||||||
1. Patch the app to enable traffic interception. | ||||||||||||||||||||
|
||||||||||||||||||||
Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. | ||||||||||||||||||||
|
||||||||||||||||||||
``` | ||||||||||||||||||||
$ reflutter demo.apk | ||||||||||||||||||||
|
||||||||||||||||||||
Choose an option: | ||||||||||||||||||||
|
||||||||||||||||||||
Traffic monitoring and interception | ||||||||||||||||||||
Display absolute code offset for functions | ||||||||||||||||||||
|
||||||||||||||||||||
[1/2]? 1 | ||||||||||||||||||||
|
||||||||||||||||||||
Example: (192.168.1.154) etc. | ||||||||||||||||||||
Please enter your BurpSuite IP: 192.168.29.216 | ||||||||||||||||||||
``` | ||||||||||||||||||||
|
||||||||||||||||||||
This will create a **release.RE.apk** file in the output folder. | ||||||||||||||||||||
|
||||||||||||||||||||
2. Sign the patched **release.RE.apk** file (e.g. using the [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)). | ||||||||||||||||||||
|
||||||||||||||||||||
``` | ||||||||||||||||||||
$ java -jar uber-apk-signer.jar -a release.RE.apk --out demo-signed | ||||||||||||||||||||
``` | ||||||||||||||||||||
|
||||||||||||||||||||
This will create a **release.RE-aligned-debugSigned.apk** file in the output folder. | ||||||||||||||||||||
|
||||||||||||||||||||
3. Install the signed patched app on the mobile device. | ||||||||||||||||||||
|
||||||||||||||||||||
4. Configure the interception proxy.For example, in Burp-suite: | ||||||||||||||||||||
Suggested change
We use 'Burp' as the consistent name for PortSwigger's Burp Suite throughout the MASTG.
||||||||||||||||||||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||||||||||||||||||||
- Bind listening Port to 8083. | ||||||||||||||||||||
|
||||||||||||||||||||
- Select Bind to address to All interfaces. | ||||||||||||||||||||
|
||||||||||||||||||||
- Request Handling -> support for invisible proxying. | ||||||||||||||||||||
|
||||||||||||||||||||
5. Open the app and start intercepting traffic. |
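Review bot: the intro paragraph misattributes the cause: not honouring the system proxy is common to many HTTP stacks and is solvable by traffic redirection (VPN, iptables/ProxyDroid, ARP or DNS spoofing), so "Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools" is wrong as written; the Flutter-specific obstacle is that Dart ships its own certificate store and ignores user-installed CAs, so reword the paragraph around that and drop the bold "How does re-flutter method differs from other techniques ?" line, which is ungrammatical and does not fit the MASTG technique format. Step 4 should also say why the listener must bind to all interfaces with invisible proxying enabled: the patched app sends ordinary (non proxy-style) requests straight to the IP entered at "Please enter your BurpSuite IP" on port 8083, so a loopback-only listener or one without invisible proxying will not see them. Step 3 should mention that the original app has to be uninstalled first, since the re-signed "release.RE-aligned-debugSigned.apk" carries a different signing key. Finally, use the tool's own name "reFlutter" and "Burp" (not "Burp-suite"/"BurpSuite") consistently.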
@@ -0,0 +1,44 @@ | ||
--- | ||
title: Intercepting Flutter HTTP Traffic | ||
platform: ios | ||
--- | ||
|
||
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. | ||
|
||
|
||
**How does re-flutter method differs from other techniques ?** | ||
|
||
There are alternative methods for intercepting traffic, such as creating a [WIFI hotspot and utilizing the openvpn approach](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. | ||
|
||
## Intercepting Traffic using re-fultter | ||
|
||
|
||
1. Patch the app to enable traffic interception. | ||
|
||
|
||
Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. | ||
``` | ||
$ reflutter demo.apk | ||
|
||
Choose an option: | ||
|
||
Traffic monitoring and interception | ||
Display absolute code offset for functions | ||
|
||
[1/2]? 1 | ||
|
||
Example: (192.168.1.154) etc. | ||
Please enter your BurpSuite IP: 192.168.29.216 | ||
``` | ||
|
||
This will create a **release.RE.ipa** file in the output folder. | ||
|
||
2. [Sign](../../techniques/ios/MASTG-TECH-0092.md) the patched **release.RE.ipa** with the Apple certificates. This will create a singed ".ipa" file in the output folder. | ||
|
||
|
||
3. Install the signed patched app on the mobile device. | ||
|
||
4. Configure the interception proxy.For example, in Burp-suite: | ||
- Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
- Bind listening Port to 8083. | ||
- Select Bind to address to All interfaces. | ||
- Request Handling -> support for invisible proxying. | ||
|
||
5. Open the app and start intercepting traffic. |
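Review bot: the example under step 1 is copied from the Android page and does not match the platform: it runs "$ reflutter demo.apk" yet the next line says "This will create a **release.RE.ipa** file", so the command should take the .ipa and the stated output name should be what the tool actually produces for iOS. Two typos: "re-fultter" in the "## Intercepting Traffic using re-fultter" heading and "singed" in step 2. The intro paragraph has the same problem as the Android page (the real obstacle is Dart's own certificate store, not proxy-unawareness), the "How does re-flutter method differs from other techniques ?" line should go, and "Burp-suite"/"BurpSuite" should be "Burp" per MASTG convention. Step 4 should also state that the patched app connects directly to the entered IP on port 8083, which is why the listener must bind to all interfaces with invisible proxying enabled.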
@@ -0,0 +1,9 @@ | ||||||
--- | ||||||
title: re-flutter | ||||||
platform: generic | ||||||
source: https://github.com/Impact-I/reFlutter | ||||||
--- | ||||||
|
||||||
The [re-flutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. | ||||||
|
||||||
You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). | ||||||
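Review bot: the title "re-flutter" does not match the project name at the linked source, https://github.com/Impact-I/reFlutter, which calls itself reFlutter; use that spelling in the title and body so the technique pages refer to the tool by its own name. The description should also say what the patched library lets a tester do, in line with the two options the technique pages show ("Traffic monitoring and interception" and "Display absolute code offset for functions"), rather than only "perform dynamic analysis". The install link carries the GitHub UI parameter "?tab=readme-ov-file"; the plain README anchor "#install" is more stable.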
@cpholguera or are we using HTTP everywhere? The difficulty is that it has its own cert store. The proxy-unaware is not Flutter specific.

You're correct! Thanks