Added ios & android technique and tool for re-flutter (by @appknox) #2600
Conversation
…H-0099.md, tools/generic/MASTG-TOOL-0099.md
sk3l10x1ng
changed the title
sk3l10x1ng
changed the title
There was a problem hiding this comment.
Awesome, thank you @sk3l10x1ng! Here you have some suggestions.
|
And some questions more in general:
Do you have any reference apps we can link to. If not, maybe you could re-test suing these and link them as examples: https://github.com/NVISOsecurity/disable-flutter-tls-verification We could also add them to https://mas.owasp.org/MASTG/apps/ |
sure will add it.
This is related to ssl pinning bypass and not about intercepting the traffic.
sure , can test for intercepting the traffic and add it to https://mas.owasp.org/MASTG/apps/ |
|
|
||
|
|
||
|
|
||
| **How does re-flutter method differs from other techniques ?** |
There was a problem hiding this comment.
@sk3l10x1ng thanks for all the updates, I've fixed a couple of typos for now.
Also thanks for checking those blog posts. I think the only think that remains open is the consideration of the 3rd alternative technique. If I'm not misunderstanding anything they are 2 alternative approaches,
- (re-flutter) requires patching
- (nviso script) doesn't require patching, it uses Frida
Using these apps:
- https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.apk
- https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.ipa
Could you please validate that your technique works with them and also using this alternative technique via Frida, it seems easy to run using codeshare (as indicated here):
frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY
If all of this works we can confirm that both techniques are equivalent and could be summarized as:
re-flutter
- setup interception proxy
- patch app using re-flutter
- inspect intercepted traffic
nviso
- setup interception proxy
- run frida script
- inspect intercepted traffic
There was a problem hiding this comment.
@TheDauntless Would you mind chiming in to confirm my hypothesis (or not)?
There was a problem hiding this comment.
re-flutter also configures the proxy of the app, which is something that my script doesn't do.
So for disable-flutter-tls.js, you would need to pair that with VPN / ARP/ WIFI / DNS / ProxyDroid mitm.
tools/generic/MASTG-TOOL-0100.md
Outdated
There was a problem hiding this comment.
Could you add a new TOOL file for disable-flutter-tls-verification?
---
title: disable-flutter-tls-verification
platform: generic
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification
---
[disable-flutter-tls-verification](https://github.com/Impact-I/reFlutter) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/).
You can use it via Frida codeshare or by downloading disable-flutter-tls.js from the repo as indicated in these [instructions](https://github.com/NVISOsecurity/disable-flutter-tls-verification).
There was a problem hiding this comment.
Hi! Thanks for contributing to the MASTG! 🥳
I added some comments, both grammar and content-wise. These techniques can be quite tricky, and we try to give different alternatives and explain pros/cons of the different tools. This is important as these tools can (and will) fail at some point, and it's important to know all the possibilities.
Can you apply these comments to the iOS section, too?
(And, just for transparency, I'm also the author of disable-flutter-tls.js)
| @@ -0,0 +1,51 @@ | |||
| --- | |||
| title: Intercepting Flutter HTTP Traffic | |||
There was a problem hiding this comment.
| title: Intercepting Flutter HTTP Traffic | |
| title: Intercepting Flutter HTTPS Traffic |
@cpholguera or are we using HTTP everywhere? The difficulty is that it has its own cert store. The proxy-unaware is not Flutter specific.
| platform: android | ||
| --- | ||
|
|
||
| Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. |
There was a problem hiding this comment.
| Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools. | |
| Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted. |
I modified this a bit, since the proxy-unaware isn't really an issue (you could use a VPN, arp spoofing, DNS spoofing, WIFI MITM, ...), but the fact that it has a built-in cert store is an issue that can't be solved by any conventional technique.
|
|
||
|
|
||
|
|
||
| **How does re-flutter method differs from other techniques ?** |
There was a problem hiding this comment.
re-flutter also configures the proxy of the app, which is something that my script doesn't do.
So for disable-flutter-tls.js, you would need to pair that with VPN / ARP/ WIFI / DNS / ProxyDroid mitm.
|
|
||
|
|
||
|
|
||
| **How does re-flutter method differs from other techniques ?** |
There was a problem hiding this comment.
| **How does re-flutter method differs from other techniques ?** |
Would delete this line
|
|
||
| **How does re-flutter method differs from other techniques ?** | ||
|
|
||
| There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. |
There was a problem hiding this comment.
| There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup. | |
| In order to intercept Flutter HTTPS traffic we need to deal with two problems: | |
| * Make sure the traffic is sent to the proxy | |
| * Disable the TLS verification of any HTTPS connection | |
| There are generally two approaches to this: reFlutter and Frida. | |
| * reFlutter: This tool creates a modified version of libFlutter.so which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification | |
| * Frida: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...) |
The re-flutter app also has downsides, so this is pretty one-sided:
- Only works on known/published hashes, otherwise you have to rebuild the engine yourself
- Repackages the app. This brings complications (e.g. iOS or any app that detects repackaging)
I've used reFlutter a few times (mostly for the object-dump) and it's great when it works, but not straightforward if it doesn't.
So I modified this section to give a more generic introduction of what needs to be done, and then the rest can explain both reFlutter and Frida+(eg)ProxyDroid
We should also use reFlutter, as the tool calls itself, and not re-flutter.
|
|
||
| 1. Patch the app to enable traffic interception. | ||
|
|
||
| Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. |
There was a problem hiding this comment.
| Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running. | |
| Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running. |
|
|
||
| 3. Install the signed patched app on the mobile device. | ||
|
|
||
| 4. Configure the interception proxy.For example, in Burp-suite: |
There was a problem hiding this comment.
| 4. Configure the interception proxy.For example, in Burp-suite: | |
| 4. Configure the interception proxy. For example, in Burp: |
We use 'Burp' as the consistent name for PortSwigger's Burp Suite throughout the MASTG.
| 4. Configure the interception proxy.For example, in Burp-suite: | ||
| - Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
| - Bind listening Port to 8083. | ||
| - Select Bind to address to All interfaces. |
There was a problem hiding this comment.
| - Select Bind to address to All interfaces. | |
| - Select `Bind to address` to `All interfaces`. |
|
|
||
| 4. Configure the interception proxy.For example, in Burp-suite: | ||
| - Under Proxy -> Proxy settings -> Add new Proxy setting. | ||
| - Bind listening Port to 8083. |
There was a problem hiding this comment.
| - Bind listening Port to 8083. | |
| - Bind listening Port to `8083`. |
|
@TheDauntless , Thanks , will work on the changes |
closes #2592