
disable-flutter-tls-verification's Introduction

disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification

This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find ssl_verify_peer_cert in handshake.cc.

You can use it via Frida by downloading disable-flutter-tls.js or by using Frida codeshare:

frida -U -f your.package.name -l disable-flutter-tls.js --no-pause

# or Frida codeshare

frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY

Further information can be found in this blogpost.

⚠️ What if this script doesn't work?

Before creating a GitHub issue, please test the following steps:

  • Can you intercept HTTP requests from the demo application?
    • If not, note that Flutter apps do not use the system's proxy settings by default. This means you should use Proxydroid on Android and OpenVPN on iOS (or a rogue access point on both). On the Android Studio AVDs, you can use -http-proxy when launching the emulator.
  • Can you intercept HTTPS requests from the demo application?
  • Have you checked if your app's flutter library is inside the libflutter_samples directory?
    • For Android: run apktool d <YOURAPK> and run md5sum on libs/<ARCH>/libflutter.so
    • For iOS: Extract an unencrypted IPA, unzip it and run md5sum on Payload/Runner.app/Frameworks/Flutter.framework/Flutter
    • Alternatively, copy libflutter.so or Flutter to the correct folder in libflutter_samples and run python3 verify.py

If you can successfully intercept all requests from the demo app and your library is not included in the samples, please open a GitHub issue with the app in question. It is possible that the app is using additional SSL pinning plugins, so a combination of this plugin and objection / other Frida scripts may be necessary. This is outside of the scope of this project and you will have to RE yourself to identify additional pinning protections.
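
As an added example (not the project's verify.py or any code from this repository), the Python sketch below runs the kind of offline signature check the steps above describe: it compiles a Frida-style byte pattern with nibble wildcards and reports whether a library file contains it zero, one or several times. The two patterns and the logged arm64 bytes are the ones quoted in the issues on this page; the function names and the constructed sample buffer are assumptions of this example.

```python
import re
import sys

# Signatures quoted in the issues on this page. Frida pattern syntax:
# one token per byte, '?' stands for any value of that nibble.
X64_PATTERN = ("55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 "
               "4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b")
ARM64_PATTERN = ("F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 "
                 "?? ?? ?? ?? 68 1A 40 F9")

# Bytes that the verify.py log on this page prints for the arm64-v8a library.
ARM64_LOGGED_BYTES = bytes.fromhex(
    "fe0f1cf8f85f01a9f65702a9f44f03a9e5dc0b94681a40f9")

# Constructed sample "library": zero padding around the logged bytes.
SAMPLE = b"\x00" * 0x40 + ARM64_LOGGED_BYTES + b"\x00" * 0x40


def byte_regex(token):
    """Regex fragment matching every byte value one pattern token allows."""
    token = token.lower()
    if not re.fullmatch(r"[0-9a-f?]{2}", token):
        raise ValueError("bad pattern token: %r" % token)
    if token == "??":
        return b"."
    # A single '?' fixes one nibble and leaves 16 candidate byte values.
    allowed = [b for b in range(256)
               if all(p in ("?", h) for p, h in zip(token, "%02x" % b))]
    return b"[" + b"".join(b"\\x%02x" % b for b in allowed) + b"]"


def compile_pattern(pattern):
    """Compile a whole pattern string into a bytes regex."""
    tokens = pattern.split()
    if not tokens:
        raise ValueError("empty pattern")
    body = b"".join(byte_regex(t) for t in tokens)
    # Lookahead reports overlapping hits; DOTALL lets '.' match byte 0x0a.
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_matches(data, pattern):
    """Return every file offset at which the pattern matches."""
    return [m.start() for m in compile_pattern(pattern).finditer(data)]


def classify(data, pattern):
    """Label the scan result: 'none', 'unique' or 'ambiguous', plus offsets."""
    hits = find_matches(data, pattern)
    if not hits:
        return "none", hits        # this build is not covered by the signature
    if len(hits) > 1:
        return "ambiguous", hits   # signature too loose: review each hit
    return "unique", hits


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    for name, pattern in (("x86_64", X64_PATTERN), ("arm64", ARM64_PATTERN)):
        status, hits = classify(data, pattern)
        print("%-7s %-9s %s" % (name, status, [hex(h) for h in hits]))
```

Run it with the path to an extracted libflutter.so as the only argument to scan a real file instead of the sample.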

disable-flutter-tls-verification's People

Contributors

sashadesign, thedauntless


disable-flutter-tls-verification's Issues

ssl_verify_peer_cert not found

For context - I'm using an x86_64 Genymotion emulator.

frida -D "192.168.56.101:5555" -f com.pepsico.pepsico_loyalty_app -l flutter_sslpin.js
     ____
    / _  |   Frida 16.1.4 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Galaxy S9 (id=192.168.56.101:5555)
Spawning `com.pepsico.pepsico_loyalty_app`...
[+] Java environment detected
Spawned `com.pepsico.pepsico_loyalty_app`. Resuming main thread!
[Galaxy S9::com.pepsico.pepsico_loyalty_app ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...
[+] ssl_verify_peer_cert found at offset: 0x669c8e

While it finds one of the offsets, it's not the right offset for the SSL pinning so all the calls are still tunneled. The test apk in this repo works as normal.

Link to libflutter.so - 57c77580e0a353a117c4a1a4d87fa337.zip

Not working in emulator even with test app (M1 Mac / Android 10 / Google APIs / arm64 image)

I'm trying to get this working in the Android emulator. Originally my test app was the Stadia APK which didn't work, but I tried the provided test app and HTTPS requests fail even in that.

Here is the Frida log from when launching the test app:

Spawning `eu.nviso.flutter_pinning`...
[+] Java environment detected
Spawned `eu.nviso.flutter_pinning`. Resuming main thread!
[Android Emulator 5554::eu.nviso.flutter_pinning ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues
[+] ssl_verify_peer_cert found at offset: 0x3a251c

But when clicking HTTPS Request in the test app it says "ERROR". The request doesn't seem to hit my proxy at all either. HTTPS are intercepted fine in other regular apps and my cert is trusted within the emulator. The HTTP option in the app works fine, and clicking Pinned Request gives a "DIO: ERROR".

Any ideas? Have you tested this on any of the emulator images? I'm on an M1 Mac if that matters.

Bypass all connections handshake without the script

Hi there,

I was doing a little test of your application and I found that I was able to get the connectivity of the communication of the Flutter application (http/https/DIO) without running the Frida script.

I have already patched the engine with the "reflutter project" patches... (the hook is done in session_verify(), not in ssl_verify_peer_cert()).

Any idea of what could be happening?

Thanks in advance :)

SCRIPT NOT WORKING

I really appreciate you making this script,
but this script is not working on my Flutter app.
Can you please look into it?
The error that is showing is:

SM-G977N::com.app.com ]-> [+] libflutter.so loaded
[!] Flutter module not found.
[!] Flutter module not found.
I used this on arm7

link to my app

ssl_verify_peer_cert not found

Hi I run the script on a flutter app and I received this message saying "[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues"

That's why I open this :) (I modified the application name by "app")

frida -U -f app -l  nviso-certificatepinning.js --no-pause
     ____
    / _  |   Frida 15.1.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Nexus 5X (id=192.168.1.18:5555)
Spawning ` app`...                                               
[+] Java environment detected
Spawned `app`. Resuming main thread!                            
[Nexus 5X::app ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues

AVD x86_64: Automated script doesn't work, but old `Memory.scanSync` does

Hi,

first of all, thanks for all your work and especially for sharing it! Was a huge help!

After using the "manual" way from your blog posts for a while, I discovered your automated script and wanted to try it.
Unfortunately, it does not work on an Android AVD (x86_64) with frida 15.2.2 on Windows:

(venv) PS C:\Users\rikro\Downloads\apktool> frida -Uf de.bmw.connected.mobile20.row -l .\disable-flutter-tls-verification\disable-flutter-tls.js --no-pause
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `de.bmw.connected.mobile20.row`...
[+] Java environment detected
Spawned `de.bmw.connected.mobile20.row`. Resuming main thread!
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> [+] Flutter library found
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP.
[+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...

However, if I use the "old" way of getting the memory pattern, it does find it (and setting ssl_verify_result to true does work):

(venv) PS C:\Users\rikro\Downloads\apktool> frida -Uf de.bmw.connected.mobile20.row --no-pause
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `de.bmw.connected.mobile20.row`. Resuming main thread!
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> var m = Process.findModuleByName("libflutter.so")
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> var pattern = "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b"
[Android Emulator 5554::de.bmw.connected.mobile20.row ]-> Memory.scanSync(m.base, m.size, pattern)
[
    {
        "address": "0x7b8141c1bfe6",
        "size": 35
    }
]

I am not sure if this is a frida issue or something with your script, but I am kind of at a loss as this goes way into the details and possibilities of frida.
Maybe it gives you an idea what needs to be changed. Happy to test things!

Could also be related to #3.

Working code for `de.bmw.connected.mobile20.row` 2.9.2 on x86_64 AVD
function hook_ssl_verify_result(address) {
  Interceptor.attach(address, {
    onEnter: function (args) {
      console.log("Disabling SSL validation")
    },
    onLeave: function (retval) {
      console.log("Retval: " + retval)
      retval.replace(0x1);

    }
  });
}
function disablePinning() {
  var m = Process.findModuleByName("libflutter.so");
  var pattern = "55 41 57 41 56 41 55 41 54 53 50 49 89 f? 4c 8b 37 49 8b 46 30 4c 8b a? ?? 0? 00 00 4d 85 e? 74 1? 4d 8b"


  var res = Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log('[+] ssl_verify_result found at: ' + address.toString());

      // Add 0x01 because it's a THUMB function
      // Otherwise, we would get 'Error: unable to intercept function at 0x9906f8ac; please file a bug'
      // hook_ssl_verify_result(address.add(0x01));

    },
    onError: function (reason) {
      console.log('[!] There was an error scanning memory');
    },
    onComplete: function () {
      console.log("All done")
    }
  });
}
setTimeout(disablePinning, 1000)

Flutter library not found but shows ssl_verify_peer_cert has been patched. But it still not working

Here are my device specifications:
Nox Emulator running x86_64
frida-server-16.2.1-android-x86_64 --> this is the one i uploaded on the mobile device
Frida 16.2.1 --> this is the one running on my laptop

Software installed:
Proxydroid
pinning.apk

I am trying to ssl bypass the example app in this github (pinning.apk) but I always get this message:

Spawning `eu.nviso.flutter_pinning`...
[+] Attempting to find and hook ssl_verify_peer_cert (1/5)
[!] Flutter library not found
Spawned `eu.nviso.flutter_pinning`. Resuming main thread!
[SM-G965N::eu.nviso.flutter_pinning ]-> [+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[+] ssl_verify_peer_cert found at offset: 0x3faec6
[+] ssl_verify_peer_cert has been patched

It says it can't find the flutter library.
I tried to change the timeout value but it is still not working.

Now to check if flutter is really not in there I used this code.

function hook_ssl_verify_result(address)
{
  Interceptor.attach(address, {
    onEnter: function(args) {
      console.log("Disabling SSL validation")
    },
    onLeave: function(retval)
    {
      console.log("Retval: " + retval)
      retval.replace(0x1);
  
    }
  });
}




function disablePinning(){
    // Change the offset on the line below with the binwalk result
    // If you are on 32 bit, add 1 to the offset to indicate it is a THUMB function: .add(0x1)
    // Otherwise, you will get  'Error: unable to intercept function at ......; please file a bug'
    var address_flutter = Module.findBaseAddress('libflutter.so')
    var address = Module.findBaseAddress('libflutter.so').add(0x60E71)
    console.log(address_flutter)
    hook_ssl_verify_result(address);
}
setTimeout(disablePinning, 9000)




The result is:
Spawned eu.nviso.flutter_pinning. Resuming main thread!
[SM-G965N::eu.nviso.flutter_pinning ]-> 0x70abe0e42000

It was able to find libflutter.so because it returned its address 0x70abe0e42000. However, it just stops there. From the looks of it, the function hook_ssl_verify_result did not execute.

Am I missing something?

Could it be the frida versions that I am using?

May I know the frida versions that you used in the blog?

Flutter module not found

Hello, after running my app i have this issue, can you help me to solve this ?
I use genymotion as emulator for Android 9 on Linux OS.
Frida server and client have a same version (16.0.15)

frida -U -f target.app --codeshare TheDauntless/disable-flutter-tls-v1
     ____
    / _  |   Frida 16.0.15 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Nexus 4 (id=192.168.56.102:5555)
Spawning `target.app`...                                     
[+] Java environment detected
Spawned `target.app`. Resuming main thread!                  
[Nexus 4::target.app ]-> [+] libflutter.so loaded
[!] Flutter module not found.

Different end results on different apps, by returning 0 or 1

Hi, Hope you are good.

I have just collected the SSL calls from the application successfully after the struggle of many many hours. Your script was working fine for the test application you provided and for this application. But was not working fine for this application which was just updated on Feb 26, 2024, and this was my target application.

By updating the return type from 0 to 1, the application started to work fine and SSL calls can be accessed. Writing here so, one can be able to find the solution if needed.

function hook_ssl_verify_peer_cert(address) {
  Interceptor.replace(address, new NativeCallback((pathPtr, flags) => {
    return 0;
  }, 'int', ['pointer', 'int']));
}

TLS Verification disabling fails; No memory ranges found in Flutter library.

Unfortunately I can't provide the target application due to an NDA, but I'll try to give as much information as possible.

Target: Android 10, LineageOS 17.1, Frida-Server 16.0.2-arm64, rooted with magisk.
I proxy everything with ProxyDroid.

From the target app, I gathered:

b688f2eb9a116109f741054c677b51e2  libflutter.so #arm64-v8a
ea7152a75804de845a325e6de3a01dfe  libflutter.so #armeabi-v7a
5898924479a8b38309efa14a0603dc52  libflutter.so #x86_64

Attempting to disable TLS verification:

     ____
    / _  |   Frida 16.0.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Redmi Note 8 (id=123456)
Spawning `target.app`...                                  
[+] Java environment detected
Spawned `target.app`. Resuming main thread!               
[Redmi Note 8::target.app ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...
[+] Flutter library found
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP.

The target app opens on the device, but requests fail. Burp logs "client failed to negotiate the TLS connection. Remote host terminated the handshake".

Flutter library found, but ssl_verify_peer_cert could not be found

Hi. Can you please add new signatures for x64?

apk (gdrive)

Frida log:

[+] Attempting to find and hook ssl_verify_peer_cert (1/5)
[!] Flutter library not found
[+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (2/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (3/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (4/5)
[!] Flutter library found, but ssl_verify_peer_cert could not be found.
[+] Attempting to find and hook ssl_verify_peer_cert (5/5)
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues
[!] Max attempts reached, stopping

verify.py log:

user>python3 verify.py
.\android\arm64-v8a\libapp.so >  NOK
.\android\arm64-v8a\libflutter.so >  OK  [0xd4b308] [fe0f1cf8f85f01a9f65702a9f44f03a9e5dc0b94681a40f9]
.\android\arm64-v8a\libsqlite3.so >  NOK
.\android\armeabi-v7a\libapp.so >  NOK
.\android\armeabi-v7a\libflutter.so >  OK  [0x93a8c8] [2de9fe43d0f800808146d8f81800d0f888]
.\android\armeabi-v7a\libsqlite3.so >  NOK
.\android\x86\libsqlite3.so >  NOK
.\android\x86_64\libapp.so >  NOK
.\android\x86_64\libflutter.so >  NOK
.\android\x86_64\libsqlite3.so >  NOK

ssl_verify_peer_cert not found.

When running the Android Emulator with a Flutter application, I encountered the following error message:

Spawned `----------`. Resuming main thread!                     
[Android Emulator 5554::-----------]-> [+] Flutter library found
[!] ssl_verify_peer_cert not found. Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues
[+] Match pattern: F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 ?? ?? ?? ?? 68 1A 40 F9
[+] ssl_verify_result found at: 0x6d346133e8
[+] ssl_verify_peer_cert found at offset: 0x3a23e8
[+] Hook success!
[+] Done
[+] Done                                                                                                                                      
[+] Done

In Android Studio I got the following error:

Exception occurred: DioException [bad certificate]: The certificate of the response is not approved.
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  Error: Instance of '_X509CertificateImpl' stackTrace: #0      DioMixin.fetch.<anonymous closure> (package:dio/src/dio_mixin.dart:507)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #1      _rootRunUnary (dart:async/zone.dart:1434)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #2      _CustomZone.runUnary (dart:async/zone.dart:1335)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #3      _FutureListener.handleError (dart:async/future_impl.dart:165)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #4      Future._propagateToListeners.handleError (dart:async/future_impl.dart:778)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #5      Future._propagateToListeners (dart:async/future_impl.dart:799)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #6      Future._completeError (dart:async/future_impl.dart:574)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #7      _SyncCompleter._completeError (dart:async/future_impl.dart:51)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #8      _Completer.completeError (dart:async/future_impl.dart:23)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #9      Future.any.onError (dart:async/future.dart:616)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #10     _rootRunBinary (dart:async/zone.dart:1450)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #11     _CustomZone.runBinary (dart:async/zone.dart:1342)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #12     _FutureListener.handleError (dart:async/future_impl.dart:162)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #13     Future._propagateToListeners.handleError (dart:async/future_impl.dart:778)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #14     Future._propagateToListeners (dart:async/future_impl.dart:799)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #15     Future._completeError (dart:async/future_impl.dart:574)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #16     Future._chainForeignFuture.<anonymous closure> (dart:async/future_impl.dart:519)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #17     _rootRun (dart:async/zone.dart:1426)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #18     _CustomZone.run (dart:async/zone.dart:1328)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #19     _CustomZone.runGuarded (dart:async/zone.dart:1236)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #20     _CustomZone.bindCallbackGuarded.<anonymous closure> (dart:async/zone.dart:1276)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #21     _microtaskLoop (dart:async/schedule_microtask.dart:40)
2023-11-04 07:28:07.893  6232-6321  flutter                 com.app.id                   I  #22     _startMicrotaskLoop (dart:async/schedule_microtask.dart:49)

Test app works fine

Doesn't work for https://play.google.com/store/apps/details?id=enterprises.dating.boo

How do I find the offset manually? I've read your article. And it said

If we take a look at the [ssl_crypto_x509_session_verify_cert_chain](https://github.com/google/boringssl/blob/master/ssl/ssl_x509.cc#L362) function again, we can see that the OPENSSL_PUT_ERROR macro is called at line 390. Searching for the number 390 (or 0x186) gives us some results (Search > For Scalars…):

How did you know that OPENSSL_PUT_ERROR is called at line 390? Because there are so many OPENSSL_PUT_ERROR in the x509.cc script. Can you give me screenshot of the code at line 390? Thank you

Apologies for my bad English

library "libframework-connectivity-jni.so" not found

frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f eu.nviso.flutter_pinning

[Android Emulator 5554::eu.nviso.flutter_pinning ]-> Error: java.lang.UnsatisfiedLinkError: dlopen failed: library "libframework-connectivity-jni.so" not found

I get an error when I run this cmd
Help me pls !

Value never changing using frida (Interceptor.attach) is not being triggered

Hello,

I was doing the same steps as the article and I got the offset from the library and hooked it via the JS using Frida.

However, the Interceptor.attach is never being triggered on the Android and iOS devices changing the value of the function.

Any idea why this is happening?

It seems that the Interceptor.attach is not being triggered; I tried hooking other methods and they return values.

libflutter.so not found

TypeError: cannot read property 'add' of null
at disablePinning
Getting this error when firing this script.

On further investigation of modules being loaded using the below code.

Process.enumerateModules({
  // Print the name and base address of every module loaded in the process
  onMatch: function (module) {
    console.log('Module name: ' + module.name + ' - Base Address: ' + module.base.toString());
  },
  onComplete: function () {}
});

It was observed that libflutter.so is not there.

ssl_verify_peer_cert not found with myBmw

the myBmw App
https://play.google.com/store/apps/details?id=de.bmw.connected.mobile20.row&hl=en&gl=US
log:

:de.bmw.connected.mobile20.row ]-> [+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...
[+] Flutter library found
[!] No memory ranges found in Flutter library. This is either a Frida bug, or the application is using some kind of RASP. Try using Frida as a Gadget or using an older Android version (https://github.com/frida/frida/issues/2266)
[+] libflutter.so loaded
[+] Flutter library found
[!] ssl_verify_peer_cert not found. Trying again...

unable to get local issuer certificate

I can't get Pinned Request when no agent is opened. The error information is as follows
12-20 17:37:11.414 3696 3724 I flutter : Request via DIO failed
12-20 17:37:11.414 3696 3724 I flutter : Exception: DioError [DioErrorType.other]: HandshakeException: Handshake error in client (OS Error:
12-20 17:37:11.414 3696 3724 I flutter : CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393))
12-20 17:37:11.414 3696 3724 I flutter : Source stack:
12-20 17:37:11.414 3696 3724 I flutter : #0 DioMixin.fetch (package:dio/src/dio_mixin.dart:488)
12-20 17:37:11.414 3696 3724 I flutter : #1 DioMixin.request (package:dio/src/dio_mixin.dart:483)
12-20 17:37:11.414 3696 3724 I flutter : #2 DioMixin.get (package:dio/src/dio_mixin.dart:61)
12-20 17:37:11.414 3696 3724 I flutter : #3 _MyHomePageState.callPinnedHTTPS (package:flutter_pinning/main.dart:123)
12-20 17:37:11.414 3696 3724 I flutter :
