Reverse-engineers libflutter.so with PyGhidra to locate the SSL certificate verification function, then emits ready-to-use bypass scripts for both Frida and Renef.
- PyGhidra loads
libflutter.soheadlessly and scans all defined strings forssl_client - Cross-references from that string are resolved to their containing functions
- Each function is decompiled to get an accurate parameter count
- The 3-parameter function is selected — this is
ssl_crypto_x509_session_verify_cert_chain - Its RVA is baked into:
- A Frida script (
flutter_ssl_pinning.js) that patches the return value toptr(1)(SSL_VERIFY_OK) at runtime - A Renef script (
flutter_ssl_pinning.lua) that usesMemory.patchto overwrite the function entry withMOV X0, #1 ; RET(ARM64)
- A Frida script (
- Ghidra —
brew install ghidra - pyghidra —
pip install pyghidra - Frida —
pip install frida-toolsor Renef — renef.io
Set
GHIDRA_INSTALL_DIRin your environment, or pass--ghidra-install-dir.
# Analyse libflutter.so and generate both scripts
python3 flutter_ssl_pinning.py libflutter.so
# Run with Frida
frida -U -f com.example.app -l flutter_ssl_pinning.js
# Run with Renef
renef -s com.example.app -l flutter_ssl_pinning.lua| Argument | Default | Description |
|---|---|---|
binary |
(required) | Path to libflutter.so |
output |
flutter_ssl_pinning |
Output base name (generates <name>.js and <name>.lua) |
--module |
libflutter.so |
Module name in target process |
--ghidra-install-dir |
auto | Ghidra installation directory |
| File | Tool | Mechanism |
|---|---|---|
flutter_ssl_pinning.js |
Frida | Interceptor.attach + retval.replace(ptr(1)) |
flutter_ssl_pinning.lua |
Renef | Memory.patch (MOV X0, #1 ; RET) |
See the example/ directory for sample generated output.
| Target | Status |
|---|---|
Google Flutter libflutter.so (arm64-v8a) |
✅ Working |
| Shorebird-patched Flutter builds | ✅ Working |
| Ghidra 12.x + pyghidra | ✅ Working |
| Frida 17.x and 16.x | ✅ Working |
| Renef (latest) | ✅ Working |
Both Google Flutter and Shorebird use the same
libflutter.soSSL engine. The auto-discovered RVA is identical across build types for the same Flutter engine version.
Besides bypassing pinning for a proxy-based MITM, you can capture decrypted HTTP
traffic directly in Frida with the self-contained flutter_http_monitor.py.
It auto-locates BoringSSL SSL_write/SSL_read in libflutter.so (any Flutter
version, arm64) and generates a Frida script that prints plaintext requests and
responses — reassembled, de-chunked, gunzipped, and JSON pretty-printed.
pip install capstone pyelftools
# scan the binary and generate the monitor (or pass an .apk)
python3 flutter_http_monitor.py path/to/libflutter.so -o monitor.js
# run it against the app
frida -U -f com.target.app -l monitor.jsOptional, live in the Frida REPL: addScope('api.example.com') to watch only
specific hosts (Burp-style scope). Single file — nothing else to ship.
This tool is intended for authorised security research and penetration testing only.
Do not use against apps you do not own or have explicit written permission to test.