Merge pull request #1616 from HackTricks-wiki/update_SSL_Pinning_Bypass___Android_20251128_123757

SSL Pinning Bypass – Android

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/flutter.md

@@ -74,6 +74,37 @@ Flutter itself **ignores device proxy settings**. Easiest options:
 * **Android Studio emulator:** Settings ▶ Proxy → manual.  
 * **Physical device:** evil Wi-Fi AP + DNS spoofing, or Magisk module editing `/etc/hosts`.
 
+### Quick Flutter TLS bypass workflow (Frida Codeshare + system CA)  
+When you only need to observe a pinned Flutter API, combining a rooted/writable AVD, a system-trusted proxy CA, and a drop-in Frida script is often faster than reverse-engineering libflutter.so:
+
+1. **Install your proxy CA in the system store.** Follow [Install Burp Certificate](install-burp-certificate.md) to hash/rename Burp's DER certificate and push it into `/system/etc/security/cacerts/` (writable `/system` required).
+
+2. **Drop a matching `frida-server` binary and run it as root** so it can attach to the Flutter process:
+
+```bash
+adb push frida-server-17.0.5-android-x86_64 /data/local/tmp/frida-server
+adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &'"
+```
+
+3. **Install the host-side tooling and enumerate the target package.**
+
+```bash
+pip3 install frida-tools --break-system-packages
+adb shell pm list packages -f | grep target
+```
+
+4. **Spawn the Flutter app with the Codeshare hook that neuters BoringSSL pin checks.**
+
+```bash
+frida -U -f com.example.target --codeshare TheDauntless/disable-flutter-tls-v1 --no-pause
+```
+
+The Codeshare script overrides the Flutter TLS verifier so every certificate (including Burp's dynamically generated ones) is accepted, side-stepping public-key pin comparisons.
+
+5. **Route traffic through your proxy.** Configure the emulator Wi-Fi proxy GUI or enforce it via `adb shell settings put global http_proxy 10.0.2.2:8080`; if direct routing fails, fall back to `adb reverse tcp:8080 tcp:8080` or a host-only VPN.
+
+Once the CA is trusted at the OS layer and Frida quashes Flutter's pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK.
+
 ### Offset-based hook of BoringSSL verification (no signature scan)
 When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow:
 
@@ -114,6 +145,7 @@ iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination <Burp_IP>:<Burp_Port>
 - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
 - [Flutter SSL Bypass: How to Intercept HTTPS Traffic When all other Frida Scripts Fail](https://m4kr0x.medium.com/flutter-tls-bypass-how-to-intercept-https-traffic-when-all-other-frida-scripts-fail-bd3d04489088)
 - [BoringSSL ssl_x509.cc (ssl_crypto_x509_session_verify_cert_chain)](https://github.com/google/boringssl/blob/main/ssl/ssl_x509.cc#L238)
+- [SSL Pinning Bypass – Android](https://hardsoftsecurity.es/index.php/2025/11/26/ssl-pinning-bypass-android/)
 
 
 {{#include ../../banners/hacktricks-training.md}}