Intercepting Flutter Android(ARMv8) Application




In this blog we’ll see how to intercept the traffic of Flutter based Android application for dynamic analysis with the help of Frida, ghidra and Proxy droid.


As Flutter uses dart, Dart is not proxy aware and uses its own certificate store. Hence, The application doesn’t take any proxy settings from the system and sends data directly to server, because of this we cannot intercept the request using Burpsuite or any MITM tool, so changing the proxy settings in wifi or trusting any certificate won’t help here.

~ Question what we can do in this condition?

  • Here comes ProxyDroid in picture which modifies iptables in android system to send the traffic to burp proxy.


  1. Rooted android device
  2. Burp Suite
  3. ProxyDroid
  4. Frida client and server
  5. Ghidra/ida-pro
  6. Droid Hardware Info
  7. Your system and mobile device must be connected to same wifi network.

Let’s Get Started:

1.) First install the Droid Hardware Info to the Android device from Playstore and check the ARM version of your android device in my case it’s ARMv8.


+ As flutter has it own engine to run application, there are different libraries developed based on CPU architectures, In order to find the CPU architecture we need  droid info app to get the CPU architecture details
Check the details on Instruction set to see the CPU architecture.

2.) Now after the archicture verification install the ProxyDroid from the playstore.

~ Setup the Following:
1. HOST: Burp Proxy hostname
2. Proxy: burp proxy port
3. Proxy Type: HTTP
4. Leave the remaining settings unchanged.

3.) Download the flutter based APK to your PC and extract the apk via 7-zip or just decompile the apk via apktool [command: apktool d APK filename].


4.) After extracting the apk file, go to the lib folder.


5.) Now select the desired archicture that we have taken from droid hardware info app (arm64-v8). Now in your case these archicture folders may resides inside the bin folder.


6.) Once we move into desired CPU architecture folder(e.g here arm64v8) we can see the This is the file that contains all the functions and libraries to call SSL pinning in the app according to CPU archicture.


7.) Set the Host to system Ip and port 8081 which is set as in ProxyDroid. also Identified SSL verification implemented using Run the application installed on the android device to capture the traffic and observe the burpsuite dashboard -> Event logs. We got TLS handshake error, Hence we can not intercept https traffic.


8.) Install Ghidra and dissemble the file. file path C:\Desktop\flutter\yourfolder\lib\arm64-v8a Start Ghidra and drag and drop the Flutter file to it.

  • Once is imported in ghidra, select all default details. analyse the fucntions and packages.This analysis process take time so don’t worry about that(5-10mins approx).
  • Now Once Analysis is completed search for the strings option.
  • Search for string in the binary, and we can see, we have got four XREF against the line.It’s pretty obvious that the class has been compiled somewhere in the 0x650000 region, but that’s still a lot of functions to try to find the correct one. If searching for the filename doesn’t work, maybe searching for the line number would work.
  • Also perform the Scalar search for Magic number 0x186 To understand what is this magic number in details I suggest you should read this blog by nviso Team.
  • Map scalar search near to the output and observe that one address we found in scalar search is in the range of the XREF[4] we got for
  • now click on the following three heighlited parts. as we can see there so many Locations we have found in the scalar search but we choose the 0x65000 region because it has XREF[4] in
  • Click on that address range FUN_0065a4ec and Observe the initial bytes value of FUN_0065a4ec. Copy some of those bytes:
  • Copy the inital bytes as below and send to binwalk for offset count if needed.
ff 03 05 d1 fc 6b 0f a9 f9 63 10 a9 f7 5b 11 a9 f5 53 12 a9 f3 7b 13 a9 08 0a 80 52
# The first bytes of the FUN_0065a4ec function
ff 03 05 d1 fc 6b 0f a9 f9 63 10 a9 f7 5b 11 a9 f5 53 12 a9 f3 7b 13 a9 08 0a 80 52
# Find it using binwalk
binwalk -R "\xff\x03\x05\xd1\xfc\x6b\x0f\xa9\xf9\x63\x10\xa9\xf7\x5b\x11\xa9\xf5\x53\x12\xa9\xf3\x7b\x13\xa9\x08\x0a\x80\x52"
5612780       0x55A4EC        Raw signature (\xff\x03\x05\xd1\xfc\x6b\x0f\xa9\xf9\x63\x10\xa9\xf7\x5b\x11\xa9\xf5\x53\x12\xa9\xf3\x7b\x13\xa9\x08\x0a\x80\x52)

  • Replace the function value in the below frida script as a pattern variable.
function hook_ssl_verify_result(address)
  Interceptor.attach(address, {
    onEnter: function(args) {
      console.log("Disabling SSL validation")
    onLeave: function(retval)
      console.log("Retval: " + retval)
function disablePinning(){
    // Change the offset on the line below with the binwalk result
    // If you are on 32 bit, add 1 to the offset to indicate it is a THUMB function.
    // Otherwise, you will get  'Error: unable to intercept function at ......; please file a bug'
    var address = Module.findBaseAddress('').add(0x55a4ec)
setTimeout(disablePinning, 1000)

  • Connect mobile using USB with your system and run adb shell to find the package name of your apk.

  • Run frida script to your application package Name using below command:
> frida –Uf `package_name` -l `Bypass script` --no-pause


  • Perform some activity in the application and check back to burp to see the requests from app being intercepted now:


This blog was to share how I have bypassed the security implementation of an Android application, and how I have intercepted the traffic of flutter Android application. As the method for the same is different compare to what we actually do in mobile application testing to intercept the traffic.



Last_updated 23-06-2021