Bypass SSL Pinning on Flutter iOS App Using Frida and OpenVPN

Flutter is an open-source mobile app development framework created by Google, that enables developers to create natively compiled, high-performance mobile, web, and desktop applications from a single codebase. Flutter uses a reactive programming model based on the Dart programming language. Flutter apps use a native library called libflutter.so. That handles all the network requests and does not respect the device's proxy settings. This can cause problems for penetration testers in intercepting HTTP traffic.

Prerequisites for intercepting the traffic of the iOS application include the following items.

• Kali Virtual machine with Bridge adapter
• OpenVPN server on Kali Machine
• OpenVPN client on iOS devices
• Jailbroken iPhone
• Frida Client on Kali / Windows Machine
• Frida Server on iPhone
• Burp Certificate should be installed on iPhone.

The diagram below illustrates the setup of the iOS device, Kali virtual machine, and Windows host.

OpenVPN Set Up

Use the following command on the Kali VM to set up OpenVPN:

wget https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut  -d : -f 1)+1))d" ./openvpn-install.sh
chmod +x openvpn-install.sh 
sudo ./openvpn-install.sh

Choose the following options and enter the private IP address of your Kali VM:

# Choose the following options:
Public IPv4 address / hostname [xx.xx.xx.xx]: 192.168.1.16     <<< Change with your public IP address.
Protocol [1]: 1         (UDP)
Port [1194]: 1194 
DNS server [1]: 3              (1.1.1.1)
Name [client]: Pentest

The script will create an OpenVPN configuration located in the /root/ home directory.

Use the following command to start the OpenVPN service on your Kali VM:

sudo service openvpn start

Install the OpenVPN client on your iPhone and start a python HTTP server on the root directory to host the OpenVPN configuration file:

sudo python3 -m http.server 80

Visit the Kali VM’s IP address on your iPhone’s browser, download the OpenVPN configuration file, and import the file into the OpenVPN client on your iPhone.

By now, you should have internet access on your iPhone and notice a VPN icon displayed at the top of your screen.

Setting up the MITM

To redirect HTTP traffic from an iOS device to a Burp proxy listener, you must enter the following commands each time you restart the Kali virtual machine. This is because iptables rules are not saved and persist after a reboot.

# For WIFI: -i wlan0
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
# For OpenVPN: -i tun0
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

On Burp Suite Proxy settings enable a listener on port 8080 on ‘all interfaces’ and enable ‘Invisible proxy’ mode as shown below:

Now HTTP traffic can be intercepted in the Burp suite as shown below:

Disable SSL verification and intercept HTTPS traffic using Frida.

The Following Frida script can be used to Disable SSL verification and intercept HTTPS traffic.

https://github.com/NVISOsecurity/disable-flutter-tls-verification

Run it with Frida:

frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -n Test
     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=c4084ef625e1d259f138fa89e355a892fb4ed78f)
Attaching...
Hello! This is the first time you're running this particular snippet, or the snippet's source code has changed.

Project Name: disable-flutter-tls-v1
Author: @TheDauntless
Slug: TheDauntless/disable-flutter-tls-v1
Fingerprint: e64c1ch4f8f43f76ad4144e195281c91be83e75bd4c9a40c451152a1414dc0e1
URL: https://codeshare.frida.re/@TheDauntless/disable-flutter-tls-v1

Are you sure you'd like to trust this project? [y/N] y
Adding fingerprint e64c1ch4f8f43f76ad4144e195281c91be83e75bd4c9a40c451152a1414dc0e1to the trust store! You won't be prompted again unless the code changes.
[+] iOS environment detected
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...
[iPhone::Test ]-> [+] ssl_verify_peer_cert found at offset: 0x3a380c

• -U: This flag tells Frida to connect to a USB device.
• --codeshare: This flag is followed by the name of the codeshare you want to load. Codeshares are scripts that have been shared on the Frida website by other users. By specifying this flag, you are telling Frida to download and load the specified script.
• TheDauntless/disable-flutter-tls-v1: This is the name of the codeshare you want to load.
• -n: This flag specifies the name of the process you want to instrument. By default, Frida will try to attach to the first process with the given name. If there are multiple processes with the same name, you can use this flag to specify which one to attach to.
• Test: This is the name of the process you want to instrument. It is the value that follows the -n flag. In this case, Frida will attach to the first process it finds with the name "Test".

Now HTTPS traffic is successfully intercepted from the ‘Test’ iOS App as shown below:

Reference

Intercepting Flutter traffic on iOS

Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)

https://www.horangi.com/blog/a-pentesting-guide-to-intercepting-traffic-from-flutter-apps