Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added ios & android technique and tool for re-flutter (by @appknox) #2600

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Added ios & android technique and tool for re-flutter (by @appknox) #2600

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
1570297
Added techniques/android/MASTG-TECH-0099.md ,techniques/ios/MASTG-TEC…
sk3l10x1ng Apr 8, 2024
c66ad79
updated title
sk3l10x1ng Apr 8, 2024
67ef2c4
small correction fixes
sk3l10x1ng Apr 8, 2024
55cceab
renamed file to MASTG-TECH-0109.md
sk3l10x1ng Apr 10, 2024
c7b2103
updated ios & android techniques
sk3l10x1ng Apr 16, 2024
a8e2af9
update ios technique
sk3l10x1ng Apr 17, 2024
bab130a
added link
sk3l10x1ng Apr 17, 2024
3e8026e
added content
sk3l10x1ng Apr 17, 2024
4400933
updated mastg-tech-0109
sk3l10x1ng Apr 22, 2024
2e8a6db
updated mastg-tech-0110
sk3l10x1ng Apr 22, 2024
a7313bf
removed duplicate re-flutter mastg-tool-0099
sk3l10x1ng Apr 22, 2024
58a0c5b
removed duplicate file mastg-tech-0099
sk3l10x1ng Apr 22, 2024
a739edc
fix typo
cpholguera Apr 27, 2024
987322d
fix typo
cpholguera Apr 27, 2024
b3fc2e1
updated
sk3l10x1ng May 13, 2024
2f9e0bd
rename filename
sk3l10x1ng May 14, 2024
3d414a7
renamed the android app filename to MASTG-APP-0017
sk3l10x1ng Jun 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
51 changes: 51 additions & 0 deletions techniques/android/MASTG-TECH-0109.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
---
title: Intercepting Flutter HTTP Traffic
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
title: Intercepting Flutter HTTP Traffic
title: Intercepting Flutter HTTPS Traffic

@cpholguera or are we using HTTP everywhere? The difficulty is that it has its own cert store. The proxy-unaware is not Flutter specific.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're correct! Thanks

platform: android
---

Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools.
Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted.

I modified this a bit, since the proxy-unaware isn't really an issue (you could use a VPN, arp spoofing, DNS spoofing, WIFI MITM, ...), but the fact that it has a built-in cert store is an issue that can't be solved by any conventional technique.




**How does re-flutter method differs from other techniques ?**
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sk3l10x1ng thanks for all the updates, I've fixed a couple of typos for now.

Also thanks for checking those blog posts. I think the only think that remains open is the consideration of the 3rd alternative technique. If I'm not misunderstanding anything they are 2 alternative approaches,

  • (re-flutter) requires patching
  • (nviso script) doesn't require patching, it uses Frida

Using these apps:

Could you please validate that your technique works with them and also using this alternative technique via Frida, it seems easy to run using codeshare (as indicated here):

frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY

If all of this works we can confirm that both techniques are equivalent and could be summarized as:

re-flutter

  1. setup interception proxy
  2. patch app using re-flutter
  3. inspect intercepted traffic

nviso

  1. setup interception proxy
  2. run frida script
  3. inspect intercepted traffic

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@TheDauntless Would you mind chiming in to confirm my hypothesis (or not)?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-flutter also configures the proxy of the app, which is something that my script doesn't do.

So for disable-flutter-tls.js, you would need to pair that with VPN / ARP/ WIFI / DNS / ProxyDroid mitm.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**How does re-flutter method differs from other techniques ?**

Would delete this line


There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup.
In order to intercept Flutter HTTPS traffic we need to deal with two problems:
* Make sure the traffic is sent to the proxy
* Disable the TLS verification of any HTTPS connection
There are generally two approaches to this: reFlutter and Frida.
* reFlutter: This tool creates a modified version of libFlutter.so which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification
* Frida: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...)

The re-flutter app also has downsides, so this is pretty one-sided:

  • Only works on known/published hashes, otherwise you have to rebuild the engine yourself
  • Repackages the app. This brings complications (e.g. iOS or any app that detects repackaging)

I've used reFlutter a few times (mostly for the object-dump) and it's great when it works, but not straightforward if it doesn't.

So I modified this section to give a more generic introduction of what needs to be done, and then the rest can explain both reFlutter and Frida+(eg)ProxyDroid

We should also use reFlutter, as the tool calls itself, and not re-flutter.


## Intercepting Traffic using re-flutter

1. Patch the app to enable traffic interception.

Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running.
Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running.

```
$ reflutter demo.apk

Choose an option:

Traffic monitoring and interception
Display absolute code offset for functions

[1/2]? 1

Example: (192.168.1.154) etc.
Please enter your BurpSuite IP: 192.168.29.216
```

This will create a **release.RE.apk** file in the output folder.

2. Sign the patched **release.RE.apk** file (e.g. using the [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)).

```
$ java -jar uber-apk-signer.jar -a release.RE.apk --out demo-signed
```

This will create a **release.RE-aligned-debugSigned.apk** file in the output folder.

3. Install the signed patched app on the mobile device.

4. Configure the interception proxy.For example, in Burp-suite:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. Configure the interception proxy.For example, in Burp-suite:
4. Configure the interception proxy. For example, in Burp:

We use 'Burp' as the consistent name for PortSwigger's Burp Suite throughout the MASTG.

- Under Proxy -> Proxy settings -> Add new Proxy setting.
- Bind listening Port to 8083.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Bind listening Port to 8083.
- Bind listening Port to `8083`.

- Select Bind to address to All interfaces.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Select Bind to address to All interfaces.
- Select `Bind to address` to `All interfaces`.

- Request Handling -> support for invisible proxying.

5. Open the app and start intercepting traffic.
44 changes: 44 additions & 0 deletions techniques/ios/MASTG-TECH-0110.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: Intercepting Flutter HTTP Traffic
platform: ios
---

Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools.


**How does re-flutter method differs from other techniques ?**

There are alternative methods for intercepting traffic, such as creating a [WIFI hotspot and utilizing the openvpn approach](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup.

## Intercepting Traffic using re-fultter
cpholguera marked this conversation as resolved.
Show resolved Hide resolved

1. Patch the app to enable traffic interception.

Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running.
```
$ reflutter demo.apk

Choose an option:

Traffic monitoring and interception
Display absolute code offset for functions

[1/2]? 1

Example: (192.168.1.154) etc.
Please enter your BurpSuite IP: 192.168.29.216
```

This will create a **release.RE.ipa** file in the output folder.

2. [Sign](../../techniques/ios/MASTG-TECH-0092.md) the patched **release.RE.ipa** with the Apple certificates. This will create a signed ".ipa" file in the output folder.

3. Install the signed patched app on the mobile device.

4. Configure the interception proxy.For example, in Burp-suite:
- Under Proxy -> Proxy settings -> Add new Proxy setting.
- Bind listening Port to 8083.
- Select Bind to address to All interfaces.
- Request Handling -> support for invisible proxying.

5. Open the app and start intercepting traffic.
9 changes: 9 additions & 0 deletions tools/generic/MASTG-TOOL-0100.md
View file
Open in desktop
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a new TOOL file for disable-flutter-tls-verification?

---
title: disable-flutter-tls-verification
platform: generic
source: https://github.com/NVISOsecurity/disable-flutter-tls-verification
---

[disable-flutter-tls-verification](https://github.com/Impact-I/reFlutter) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/).

You can use it via Frida codeshare or by downloading disable-flutter-tls.js from the repo as indicated in these [instructions](https://github.com/NVISOsecurity/disable-flutter-tls-verification).

Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: re-flutter
platform: generic
source: https://github.com/Impact-I/reFlutter
---

The [re-flutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis.

You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
You can install and use re-flutter by following these [instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install).
You can install and use re-flutter by following [the official instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install).