30 changes: 30 additions & 0 deletions src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
@@ -54,6 +54,34 @@ Notes:
- If you use Burp, enable **Proxy --> Options --> Edit listener --> Request handling --> Support invisible proxying**.
- `mitmproxy` can be used in the same layout if it is bound to the VPN listener IP and transparent-mode requirements are satisfied.

### Flutter iOS apps that ignore the system proxy

Some **Flutter-based iOS applications** do not send traffic through the usual iOS Wi-Fi proxy settings because their networking lives inside **Dart `HttpClient` / BoringSSL** instead of the common native `NSURLSession` stack. In that situation, installing the Burp CA and configuring the Wi-Fi proxy can fail even on **non-jailbroken** devices.

A practical workaround is to move interception **below the app proxy layer** and force the traffic through a **VPN-style proxy app** (for example, **Potatso**) that forwards device traffic to Burp. This recovers visibility when the app bypasses the explicit proxy configuration, but it is still **not a universal certificate-pinning bypass**: if the Flutter app performs hardcoded certificate/public-key validation, you will still need patching or instrumentation.

Typical workflow:

1. First try the normal iOS Wi-Fi proxy + trusted Burp CA setup.
2. If the Flutter app still does not appear in Burp, create a **manual HTTP proxy profile** in Potatso pointing to your Burp listener:

```text
Type: HTTP
Host: <Burp listener IP>
Port: <Burp listener port>
```

3. Connect the device through that Potatso profile so traffic is routed via the VPN/network layer instead of relying on the app to honor iOS proxy settings.
4. In Burp, enable **Proxy --> Options --> Edit listener --> Request handling --> Support invisible proxying** on that listener.
5. Relaunch the target Flutter app and confirm whether requests now reach Burp.

Notes:

- This is mainly useful for **Flutter apps that ignore the explicit system proxy**; it complements, but does not replace, CA installation and classic SSL-pinning bypasses.
- Potatso currently supports **manual HTTP(S)/SOCKS-style upstream proxy definitions** and, per the App Store listing used for this note, **requires iOS 17.0 or later**.
- If the target device runs an older iOS release, the technique still applies conceptually with any equivalent **VPN-based transparent forwarding tool** that can send device traffic to Burp/mitmproxy.
- Burp invisible proxying matters here because the traffic is **transparently redirected**, so the client is not behaving like a normal proxy-aware browser.

### Advanced Configuration for Jailbroken Devices

For users with jailbroken devices, SSH over USB (via **iproxy**) offers a method to route traffic directly through Burp:
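Review bot: Step 4 and the last bullet under Notes ("the traffic is **transparently redirected**") do not match step 2, where the Potatso profile is defined as `Type: HTTP` pointing at the Burp listener. An HTTP-type upstream proxy normally receives the device's connections as ordinary proxy requests (CONNECT tunnels for TLS), in which case Burp does not need "Support invisible proxying" at all, whereas a genuinely transparent redirect does. Please state which mode Potatso is actually in for this workflow: if it is the HTTP upstream case, drop or soften the transparent-redirection claim and say enabling invisible proxying is merely harmless; if it is transparent forwarding, the profile snippet should reflect that rather than `Type: HTTP`. Separately, the first paragraph's "installing the Burp CA and configuring the Wi-Fi proxy can fail" is misleading, since the CA installs fine and it is the Wi-Fi proxy setting that the Dart `HttpClient` does not consult; suggest "the Wi-Fi proxy setting is simply ignored, even on non-jailbroken devices". Finally, step 4 repeats the invisible-proxying bullet that already sits in the Notes list just above this section (first context line of the hunk); a short cross-reference would avoid maintaining the same Burp menu path twice.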
@@ -122,6 +150,8 @@ Steps to configure Burp as proxy:

## References

- [Bypassing SSL Pinning in Flutter-Based iOS Applications](https://medium.com/@drhatab/bypassing-ssl-pinning-in-flutter-based-ios-applications-54f420d2f1a1)
- [Potatso App Store listing](https://apps.apple.com/us/app/potatso/id1239860606)
- [SSL Pinning Bypass for iOS -- iptables](https://github.com/SahilH4ck4you/iOS-SSL-pinning-bypass-without-jalibreak)
- [Invisible proxying - PortSwigger](https://portswigger.net/burp/documentation/desktop/tools/proxy/invisible)

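Review bot: The two added references need a little framing. The Medium article is titled "Bypassing SSL Pinning in Flutter-Based iOS Applications", but the new section explicitly says the Potatso approach is "not a universal certificate-pinning bypass"; readers following the link will expect a pinning bypass, so the section (or the reference line) should say the article's title overstates what this layout achieves. The App Store listing is cited for the "requires iOS 17.0 or later" claim; store requirements change with app releases, so add the access date or Potatso version the note was checked against, e.g. "Potatso App Store listing (accessed <date>)".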