Skip to content

vichhka-git/universal-flutter-ssl-pinning

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

universal-flutter-ssl-pinning

Reverse-engineers libflutter.so with PyGhidra to locate the SSL certificate verification function, then emits ready-to-use bypass scripts for both Frida and Renef.

How it works

  1. PyGhidra loads libflutter.so headlessly and scans all defined strings for ssl_client
  2. Cross-references from that string are resolved to their containing functions
  3. Each function is decompiled to get an accurate parameter count
  4. The 3-parameter function is selected — this is ssl_crypto_x509_session_verify_cert_chain
  5. Its RVA is baked into:
    • A Frida script (flutter_ssl_pinning.js) that patches the return value to ptr(1) (SSL_VERIFY_OK) at runtime
    • A Renef script (flutter_ssl_pinning.lua) that uses Memory.patch to overwrite the function entry with MOV X0, #1 ; RET (ARM64)

Requirements

  • Ghidrabrew install ghidra
  • pyghidrapip install pyghidra
  • Fridapip install frida-tools or Renefrenef.io

Set GHIDRA_INSTALL_DIR in your environment, or pass --ghidra-install-dir.

Usage

# Analyse libflutter.so and generate both scripts
python3 flutter_ssl_pinning.py libflutter.so

# Run with Frida
frida -U -f com.example.app -l flutter_ssl_pinning.js

# Run with Renef
renef -s com.example.app -l flutter_ssl_pinning.lua

Options

Argument Default Description
binary (required) Path to libflutter.so
output flutter_ssl_pinning Output base name (generates <name>.js and <name>.lua)
--module libflutter.so Module name in target process
--ghidra-install-dir auto Ghidra installation directory

Output files

File Tool Mechanism
flutter_ssl_pinning.js Frida Interceptor.attach + retval.replace(ptr(1))
flutter_ssl_pinning.lua Renef Memory.patch (MOV X0, #1 ; RET)

See the example/ directory for sample generated output.


Tested on

Target Status
Google Flutter libflutter.so (arm64-v8a) ✅ Working
Shorebird-patched Flutter builds ✅ Working
Ghidra 12.x + pyghidra ✅ Working
Frida 17.x and 16.x ✅ Working
Renef (latest) ✅ Working

Both Google Flutter and Shorebird use the same libflutter.so SSL engine. The auto-discovered RVA is identical across build types for the same Flutter engine version.


Quick Traffic Capture (no proxy)

Besides bypassing pinning for a proxy-based MITM, you can capture decrypted HTTP traffic directly in Frida with the self-contained flutter_http_monitor.py. It auto-locates BoringSSL SSL_write/SSL_read in libflutter.so (any Flutter version, arm64) and generates a Frida script that prints plaintext requests and responses — reassembled, de-chunked, gunzipped, and JSON pretty-printed.

pip install capstone pyelftools

# scan the binary and generate the monitor (or pass an .apk)
python3 flutter_http_monitor.py path/to/libflutter.so -o monitor.js

# run it against the app
frida -U -f com.target.app -l monitor.js

Optional, live in the Frida REPL: addScope('api.example.com') to watch only specific hosts (Burp-style scope). Single file — nothing else to ship.

Disclaimer

This tool is intended for authorised security research and penetration testing only.
Do not use against apps you do not own or have explicit written permission to test.

Star History Chart

About

Automated SSL pinning bypass for any Flutter & Shorebird version — PyGhidra static analysis auto-discovers BoringSSL and generates ready-to-run Frida & Renef scripts

Topics

Resources

Stars

56 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors