updated

apps/android/MASTG-APP-0016.md

@@ -0,0 +1,7 @@
+---
+title: Disable-flutter-tls-verification
+platform: android
+source: https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.apk
+---
+
+An android application designed to verify the [disable-flutter-tls-verification script](../../tools/generic/MASTG-TOOL-0101.md), which disables Flutter's TLS verification.

apps/ios/MASTG-APP-0025.md

@@ -0,0 +1,7 @@
+---
+title: Disable-flutter-tls-verification
+platform: ios
+source: https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/test_app/pinning.ipa
+---
+
+An iOS application designed to verify the [disable-flutter-tls-verification script](../../tools/generic/MASTG-TOOL-0101.md), which disables Flutter's TLS verification.

techniques/android/MASTG-TECH-0109.md

@@ -1,22 +1,27 @@
 --- 
-title: Intercepting Flutter HTTP Traffic
+title: Intercepting Flutter HTTPS Traffic
 platform: android 
 ---
 
-Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools.
+Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted.
 
+In order to intercept Flutter HTTPS traffic, we need to deal with two problems:
 
+- Make sure the traffic is sent to the proxy.
+- Disable the TLS verification of any HTTPS connection.
 
-**How does re-flutter method differs from other techniques ?**
+There are generally two approaches to this: **reFlutter** and **Frida**.
 
-There are alternative methods for intercepting traffic, such as [sending traffic to the proxy through ProxyDroid/iptables](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup.
+- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification.
+- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...).
 
-## Intercepting Traffic using re-flutter
+## Intercepting Traffic using reFlutter
 
 1. Patch the app to enable traffic interception.
 
-Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running.
-```
+Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running.
+
+```plaintext
 $ reflutter demo.apk
 
 Choose an option:
@@ -34,18 +39,47 @@ This will create a **release.RE.apk** file in the output folder.
 
 2. Sign the patched **release.RE.apk** file (e.g. using the [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)).
 
-```
-   $ java -jar uber-apk-signer.jar -a release.RE.apk --out demo-signed
+```plaintext
+java -jar uber-apk-signer.jar -a release.RE.apk --out demo-signed
 ```
 
 This will create a **release.RE-aligned-debugSigned.apk** file in the output folder.
 
 3. Install the signed patched app on the mobile device.
 
-4. Configure the interception proxy.For example, in Burp-suite:
-  - Under Proxy -> Proxy settings -> Add new Proxy setting.
-  - Bind listening Port to 8083.
-  - Select Bind to address to All interfaces.
-  - Request Handling -> support for invisible proxying.
+4. Configure the interception proxy. For example, in Burp:
+
+- Under Proxy -> Proxy settings -> Add new Proxy setting.
+- Bind listening Port to `8083`.
+- Select `Bind to address` to `All interfaces`.
+- Request Handling -> support for invisible proxying.
 
 5. Open the app and start intercepting traffic.
+
+## Intercepting Traffic using ProxyDroid / iptables with Frida
+
+1. Configure [proxyDroid](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/) or iptables rules to redirect requests to Burp.
+
+Execute the command to configure iptables in order to redirect the incoming requests from the application to Burp.
+```plaintext
+$ iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <Your-Proxy-IP>:8080 
+
+$ iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <Your-Proxy-IP>:8080 
+```
+
+2. Install the [app](../../apps/android/MASTG-APP-0016.md) on the mobile device.
+
+3. Configure the interception proxy. For example, in Burp:
+
+- Under Proxy -> Proxy settings -> Add new Proxy setting.
+- Bind listening Port to `8080`.
+- Select `Bind to address` to `All interfaces`.
+- Request Handling -> support for invisible proxying.
+
+4. Run the [disable-flutter-tls.js](../../tools/generic/MASTG-TOOL-0101.md) frida script.
+
+```plaintext
+frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js
+```
+
+5. Start intercepting traffic.

techniques/ios/MASTG-TECH-0110.md

@@ -1,22 +1,27 @@
 ---
-title: Intercepting Flutter HTTP Traffic
+title: Intercepting Flutter HTTPS Traffic
 platform: ios
 ---
 
-Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't take proxy configuration from the system and send the data directly to the server. Due to this, it is not possible to intercept the request using the BurpSuite or any MITM tools.
+Flutter is an open-source UI software development kit (SDK) created by Google. It is used for building natively compiled applications for mobile, web, and desktop from a single codebase. Flutter uses Dart, which is not proxy-aware and uses its own certificate store. The application doesn't use the proxy configuration of the system and sends the data directly to the server. Connections are verified against built-in certificates, so any certificates installed on the system are simply ignored. Due to this, it is not possible to intercept HTTPS requests as the certificate of the proxy will never be trusted.
 
+In order to intercept Flutter HTTPS traffic, we need to deal with two problems:
 
-**How does re-flutter method differs from other techniques ?**
+- Make sure the traffic is sent to the proxy.
+- Disable the TLS verification of any HTTPS connection.
 
-There are alternative methods for intercepting traffic, such as creating a [WIFI hotspot and utilizing the openvpn approach](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/). However, these techniques require some configuration. By employing the re-flutter command-line tool, the application can be patched effortlessly without the need for any setup.
+There are generally two approaches to this: **reFlutter** and **Frida**.
 
-## Intercepting Traffic using re-flutter
+- **reFlutter**: This tool creates a modified version of `libFlutter.so` which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification.
+- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot).
+
+## Intercepting Traffic using reFlutter
 
 1. Patch the app to enable traffic interception.
+Run the command to patch the app and select the option **Traffic monitoring and interception** and then enter the IP of the machine on which the interception proxy is running.
 
-Run the command to patch the app and select the option **Traffic monitoring and interception** and then the IP of the machine which the interception proxy is running.
-```
-$ reflutter demo.apk
+```plaintext
+$ reflutter demo.ipa
 
 Choose an option:
 
@@ -35,10 +40,32 @@ This will create a **release.RE.ipa** file in the output folder.
 
 3. Install the signed patched app on the mobile device.
 
-4. Configure the interception proxy.For example, in Burp-suite:
-  - Under Proxy -> Proxy settings -> Add new Proxy setting.
-  - Bind listening Port to 8083.
-  - Select Bind to address to All interfaces.
-  - Request Handling -> support for invisible proxying.
+4. Configure the interception proxy. For example, in Burp:
+
+- Under Proxy -> Proxy settings -> Add new Proxy setting.
+- Bind listening Port to `8083`.
+- Select `Bind to address` to `All interfaces`.
+- Request Handling -> support for invisible proxying.
 
 5. Open the app and start intercepting traffic.
+
+## Intercepting Traffic using WIFI Hotspot / openVPN with Frida
+
+1. Configure using [WIFI hotspot / openVPN](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/) method to redirect requests to Burp.
+
+2. Install the [app](../../apps/ios/MASTG-APP-0025.md) on the mobile device.
+
+3. Configure the interception proxy. For example, in Burp:
+
+- Under Proxy -> Proxy settings -> Add new Proxy setting.
+- Bind listening Port to `8080`.
+- Select `Bind to address` to `All interfaces`.
+- Request Handling -> support for invisible proxying.
+
+4. Run the [disable-flutter-tls.js](../../tools/generic/MASTG-TOOL-0101.md) frida script.
+
+```plaintext
+frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js
+```
+
+5. Start intercepting traffic.

tools/generic/MASTG-TOOL-0101.md

@@ -0,0 +1,9 @@
+---
+title: disable-flutter-tls-verification
+platform: generic
+source: https://github.com/NVISOsecurity/disable-flutter-tls-verification
+---
+
+[disable-flutter-tls-verification](https://github.com/NVISOsecurity/disable-flutter-tls-verification) is a Frida script that disables Flutter's TLS verification and works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323). Further information can be found in [this blogpost](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/).
+
+You can use it via Frida codeshare or by downloading disable-flutter-tls.js from the repo as indicated in these [instructions](https://github.com/NVISOsecurity/disable-flutter-tls-verification).