Bypass SSL Pinning on Flutter iOS App Using Frida and OpenVPN

Flutter is an open-source mobile app development framework created by Google, that enables developers to create natively compiled, high-performance mobile, web, and desktop applications from a single codebase. Flutter uses a reactive programming model based on the Dart programming language. Flutter apps use a native library called That handles all the network requests and does not respect the device's proxy settings. This can cause problems for penetration testers in intercepting HTTP traffic.

Prerequisites for intercepting the traffic of the iOS application include the following items.

  • Kali Virtual machine with Bridge adapter
  • OpenVPN server on Kali Machine
  • OpenVPN client on iOS devices
  • Jailbroken iPhone
  • Frida Client on Kali / Windows Machine
  • Frida Server on iPhone
  • Burp Certificate should be installed on iPhone.

The diagram below illustrates the setup of the iOS device, Kali virtual machine, and Windows host.

OpenVPN Set Up

Use the following command on the Kali VM to set up OpenVPN:

Choose the following options and enter the private IP address of your Kali VM:

The script will create an OpenVPN configuration located in the /root/ home directory.

Use the following command to start the OpenVPN service on your Kali VM:

Install the OpenVPN client on your iPhone and start a python HTTP server on the root directory to host the OpenVPN configuration file:

Visit the Kali VM’s IP address on your iPhone’s browser, download the OpenVPN configuration file, and import the file into the OpenVPN client on your iPhone.

By now, you should have internet access on your iPhone and notice a VPN icon displayed at the top of your screen.

Setting up the MITM

To redirect HTTP traffic from an iOS device to a Burp proxy listener, you must enter the following commands each time you restart the Kali virtual machine. This is because iptables rules are not saved and persist after a reboot.

On Burp Suite Proxy settings enable a listener on port 8080 on ‘all interfaces’ and enable ‘Invisible proxy’ mode as shown below:

Now HTTP traffic can be intercepted in the Burp suite as shown below:

Disable SSL verification and intercept HTTPS traffic using Frida.

The Following Frida script can be used to Disable SSL verification and intercept HTTPS traffic.

Run it with Frida:

  • -U: This flag tells Frida to connect to a USB device.
  • --codeshare: This flag is followed by the name of the codeshare you want to load. Codeshares are scripts that have been shared on the Frida website by other users. By specifying this flag, you are telling Frida to download and load the specified script.
  • TheDauntless/disable-flutter-tls-v1: This is the name of the codeshare you want to load.
  • -n: This flag specifies the name of the process you want to instrument. By default, Frida will try to attach to the first process with the given name. If there are multiple processes with the same name, you can use this flag to specify which one to attach to.
  • Test: This is the name of the process you want to instrument. It is the value that follows the -n flag. In this case, Frida will attach to the first process it finds with the name "Test".

Now HTTPS traffic is successfully intercepted from the ‘Test’ iOS App as shown below:




Self-learner |Bug Hunter|

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store