Bypassing SSL Pinning in Flutter-Based iOS Applications #2312

Open
carlospolop wants to merge 1 commit into master from update_Bypassing_SSL_Pinning_in_Flutter-Based_iOS_Applica_20260602_102019

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The blog post explains a practical mobile pentesting technique for intercepting HTTPS traffic from Flutter-based iOS applications when the usual iOS proxy + Burp Suite setup fails. The method does not rely on Frida and can be performed on either a jailbroken or non-jailbroken iPhone.


Problem: Flutter iOS applications handle networking differently from traditional native iOS apps. Native iOS apps commonly use Apple’s NSURLSession st...

🔧 Technical Details

VPN-layer interception for Flutter iOS apps: Flutter iOS apps may not use Apple’s native NSURLSession networking stack. Instead, they can use Dart’s HttpClient and BoringSSL compiled into the application binary. Because of this, the app may ignore iOS Wi-Fi proxy settings and the system trust store, making the traditional “install Burp CA + configure Wi-Fi proxy” approach ineffective. A practical workaround is to route all device traffic through a VPN/proxy app, such as Potatso, and forward it to Burp Suite. This moves interception from the application proxy layer to the network interface layer.

Using Burp invisible proxying with transparently redirected traffic: When traffic is redirected by a VPN/proxy tool instead of being explicitly sent to Burp as a normal proxy-aware HTTP request, Burp may need Support Invisible Proxying enabled on the listener. This allows Burp to proce...

🤖 Agent Actions

Done.

Updated:

  • src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md

What I added:

  • A new subsection for Flutter iOS apps that ignore the system proxy
  • Why standard iOS Wi‑Fi proxying can fail with Flutter (HttpClient / BoringSSL stack)
  • A VPN-layer interception workflow using Potatso + Burp invisible proxying
  • A clear limitation that this is not a full pinning bypass if hardcoded pin validation still exists
  • References to the Medium post, Potatso App Store listing, and PortSwigger invisible proxy docs

Validation:

  • Checked the resulting diff
  • Ran git diff --check
  • mdbook and markdownlint-cli2 were not installed in this environment, so full build/lint wasn’t possible here

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
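
An added illustration, not part of the PR or the blog post: why traffic redirected at the network layer needs invisible proxying. A proxy-aware client names its destination in the request line, while redirected traffic arrives in origin-form, so the proxy has to take the destination from the Host header. The function name and the sample requests (host `api.example.test`) are constructed for this sketch, and it models the routing decision only, not Burp's implementation.

```python
from urllib.parse import urlsplit


def resolve_target(raw_request: bytes, tls: bool):
    """Return (mode, host, port, path) for one HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())

    # Proxy-aware clients state the destination in the request line.
    if method == "CONNECT":  # authority-form: host:port tunnel request
        host, _, port = target.rpartition(":")
        return ("proxy-aware", host, int(port), "")
    if target.startswith(("http://", "https://")):  # absolute-form
        url = urlsplit(target)
        port = url.port or (443 if url.scheme == "https" else 80)
        return ("proxy-aware", url.hostname, port, url.path or "/")

    # Origin-form ("GET /path"): the client believes it is talking to the
    # origin server, so the only destination hint in the request is Host.
    authority = headers.get("host")
    if not authority:
        raise ValueError("origin-form request without a Host header")
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():  # no explicit port in Host
        host, port = authority, (443 if tls else 80)
    return ("invisible", host, int(port), target)


# Constructed sample requests (not captured traffic).
REDIRECTED = b"GET /v1/profile HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
PROXY_AWARE = (b"GET http://api.example.test/v1/profile HTTP/1.1\r\n"
               b"Host: api.example.test\r\n\r\n")
TUNNEL = (b"CONNECT api.example.test:443 HTTP/1.1\r\n"
          b"Host: api.example.test:443\r\n\r\n")

if __name__ == "__main__":
    for sample, tls in ((REDIRECTED, True), (PROXY_AWARE, False), (TUNNEL, False)):
        print(resolve_target(sample, tls))
```
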

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://medium.com/@drhatab/bypassing-ssl-pinning-in-flutter-based-ios-applications-54f420d2f1a1

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > iOS Pentesting > iOS Burp Suite Configuration / iOS Pentesting without Jailbreak; possibly add a Flutter iOS traffic interception note".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
