How to Hack & Protect Flutter Apps — Simple and Actionable Guide (Pt. 1/3)

Talsec
6 min read · Nov 25, 2022


Either you want to hack Flutter apps, or you want to make them bulletproof. I will show you how it’s done. My name is Tomáš Soukal, and I am a security consultant at Talsec. This guide is unique in its focus on Flutter apps, so you don’t have to read through iOS or Android-only specific hacks over and over again.

Together we will:

Part 1 (this article) ↓

  • Disassemble app.
  • Extract its secrets.

Part 2 (link) ↓

  • Make a fake clone.
  • Check every transmitted JSON.
  • Inject code.

Part 3 (link) ↓

  • Steal authentication tokens.
  • and attack the API.

After reading this short guide, you will know how to hack and how to protect against mobile threats.

Disclaimer: Don’t do this to anyone with ill intent, as this is legit hacking. Use this only for learning purposes.

The BetterVision In-App Payments Theft

Back in the day, I had an opportunity to interview a friend of mine whose app was hacked. He created a popular app called BetterVision for the blind and visually impaired. There was a good reason John’s creation reached over 100K installations: BetterVision provided a ground-breaking feature. It could turn a phone’s camera into a powerful assistant that eases the daily routine of disabled users worldwide. With success, however, soon came difficulties. John’s app suffered a cloning attack, and his in-app purchases got stolen. Profits are now four times smaller because cracked versions are still available. The attacker replaced the in-app payment code with his own payment gateway!

“They stole our apps by reverse engineering and republished.” Hacking and protection go hand in hand. I have seen dozens of questions on StackOverflow about mobile application security. Some people ask for remediation only after their app is hacked, and others take security in mind from the start. I collected a few of those posts:

Let’s examine what hackers use.

Hacker’s Shopping List

These are the key tools you should know about. Hacking is a time-restricted activity. With proper tooling you will be able to dive deep into an app’s internals in no time. Time is money.

Hacking tools I like to use:

  • Magisk (or any su binary) gives you root, so you can read and modify the app’s private files under /data/data/<package>
  • Frida gives me a relatively simple way to hook into the app’s process while it runs. I can modify return values and inspect the data being processed
  • Apktool can disassemble an app into smali and resources, and then I can modify the app and assemble it again
  • Mobile Security Framework (MobSF) is a Swiss Army knife with many analysis, reconnaissance, and disassembling tools (must have!)
  • Lucky Patcher can repackage apps and strip or bypass common protections (licence and purchase checks) directly on the device
  • Runtime Mobile Security (RMS) is a web-based front end for Frida with many useful scripts and monitors
  • Ghidra or IDA Pro can turn the app’s native libraries (for Flutter, libapp.so and libflutter.so) into readable disassembly and decompiled code, and let you patch the assembly
  • reFlutter is the first Flutter-oriented reverse engineering tool. Flutter’s Dart networking stack ignores the system proxy settings and ships its own certificate store, so a plain proxy setup sees nothing; reFlutter provides a patched Flutter engine that routes traffic to your proxy and also dumps class and function names from the Dart snapshot, which makes MiTM attacks and binary inspection possible
  • Burp Suite’s intercepting proxy captures the app’s network requests (typically JSON and raw data)

It’s handy to have a rooted emulator with the feature-rich Total Commander file manager and a Termux terminal on board.

MobSF Shout-out

MobSF is an automated, all-in-one mobile application (Android/iOS) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Run these three commands to install it, drag’n’drop any Flutter APK and watch the magic happen:

Note: don’t run random code found on the Internet. Check the original source and verify it’s safe to run.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

Alternatively, you can run it in Docker or use the hosted instance at mobsf.live (be careful: scan results there are public!)

MobSF can do compliance checks, search for secrets and embedded URLs, and find common issues automatically. It can also help you uncover vulnerable modules (third-party libraries) and unsecured entry points (exported receivers, deep links).

Extract App’s Stored Data

Let’s proceed with some exciting stuff. I always imagine an app’s stored data as a chest full of precious gold. Once the app lands on your rooted device (or, for a debuggable build, once you can reach its sandbox with adb shell run-as <package>), you can freely inspect its private data and assets. You will find databases, access tokens, API keys, bearer tokens, media assets and Shared Preferences. Shared Preferences files are particularly interesting, as they are often misused to store sensitive data like login credentials, and they are plain XML.

Let’s check this example. I created a demo app using the standard shared_preferences plugin. The app just increments a counter, and the value is persisted in Shared Preferences.

On Android, the shared_preferences plugin writes every key with a flutter. prefix into /data/data/<package>/shared_preferences/FlutterSharedPreferences.xml. In Total Commander on the rooted device I can browse to that directory and open the XML file holding this preference.

I can even modify this value, and the app will immediately update (thanks, Flutter) the value in the UI! I hope you are at least a little worried about sensitive data in your shared preferences now. Before I show you more (in the next part), let’s discuss the rooting issue.
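The same inspection and tampering can be scripted once the file is pulled off the device (for example with adb pull as root). The following Python is an added example, not code from the article or from Talsec: it parses a SharedPreferences XML dump, flags entries that look like secrets (sensitive key names, JWT-shaped values, high-entropy strings), and rewrites one value the way an attacker with root would edit the file on disk. The sample XML, its key names and the token values are constructed for this example; the file layout is the standard Android SharedPreferences format with the flutter. key prefix the plugin adds.

```python
"""Hunt for secrets in a Flutter app's SharedPreferences dump and tamper with it.

Added example (not the article's code). The XML below is constructed; on a
rooted device the real file lives at
/data/data/<package>/shared_preferences/FlutterSharedPreferences.xml.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a counter, a username and two "secrets" an app should
# never keep here. The JWT is a dummy built from {"alg":"HS256","typ":"JWT"},
# {"sub":"alice"} and the literal word "signature"; the API key is fake.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <long name="flutter.counter" value="3" />
    <string name="flutter.username">alice</string>
    <string name="flutter.access_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <string name="flutter.api_key">AKXXXXXXXXXXXXXXXXXX</string>
    <boolean name="flutter.onboarded" value="true" />
</map>
"""

XML_DECL = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api[_-]?key|auth|session|bearer)", re.I)
# Three base64url segments separated by dots: header.payload.signature
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$")


def parse_prefs(xml_text):
    """Return {key: (xml_tag, value)}. <string> carries text; other types use a value attribute."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:
        value = el.text if el.tag == "string" else el.get("value")
        prefs[el.get("name")] = (el.tag, value or "")
    return prefs


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(prefs, entropy_threshold=3.5, min_len=16):
    """Return [(key, reasons)] for entries that look like credentials or tokens."""
    findings = []
    for key, (tag, value) in prefs.items():
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if tag == "string" and JWT_SHAPE.match(value):
            reasons.append("JWT-shaped value")
        if tag == "string" and len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            reasons.append("high-entropy value")
        if reasons:
            findings.append((key, ", ".join(reasons)))
    return findings


def set_pref(xml_text, key, new_value):
    """Rewrite one entry in place (what an attacker with root does with a file manager)."""
    root = ET.fromstring(xml_text)
    for el in root:
        if el.get("name") == key:
            if el.tag == "string":
                el.text = str(new_value)
            else:
                el.set("value", str(new_value))
            break
    else:
        raise KeyError(key)
    # Keep the declaration Android writes so the file still looks untouched.
    return XML_DECL + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for key, why in find_secrets(prefs):
        print(f"[!] {key}: {why}")
    tampered = set_pref(SAMPLE_PREFS, "flutter.counter", 9999)
    print(tampered)
```

Point the same functions at a real dump (adb pull of the file as root, or adb shell run-as <package> cat … for a debuggable build) and push the tampered copy back to see the app pick up the edited value. Anything this scanner flags belongs in platform-backed storage (Android Keystore / iOS Keychain) rather than in an XML file the device owner can read and rewrite.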

FYI, Talsec provides technologies like Secure Storage or Obfuscation to make attacker’s life harder ;)!

There is a root in the shadows

Some developers refuse to believe there are vulnerable mobile systems (in 2022). They are convinced that the Android/iOS sandboxing model and security practices are decent nowadays. They may be wrong.

Privilege escalation that breaks the platform security model is still possible in many scenarios:

  • The device or emulator can be rooted on purpose
  • The app may be jeopardized by a third-party dependency
  • New OS exploits may be discovered, or the OS may simply be unpatched
  • Hardware exploits

Have you heard about Dirty COW (a Linux kernel privilege escalation, CVE-2016-5195), Log4j (Log4Shell, CVE-2021-44228, a third-party dependency flaw) and Janus (CVE-2017-13156, which let attackers modify an APK without breaking its v1 signature)?

Common Attacks and Solutions

I promised this guide would be actionable, so here is the table of the most common attacks and possible remediations. The rooting attack, which can help an attacker steal sensitive data (and more), can be prevented by using the right anti-root or RASP solution (premium: Talsec RASP, free: freeRASP, basic: flutter_jailbreak_detection). You will see more attacks in action in the next part :)

Subscribe to Talsec and maybe try to crack open some Flutter app in the meantime!

written by Tomáš Soukal, Security Consultant at Talsec

https://talsec.app | info@talsec.app | Read also 5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s | Mobile API Anti-abuse Protection: AppiCrypt® Is a New SafetyNet and DeviceCheck Attestation Alternative

Enterprise Services Promotion

Talsec RASP is courtesy of Talsec. If you are looking for a solution tailored to your specific needs, contact us at https://talsec.app. We provide enhanced RASP protection with malware detection and detailed configurable threat reactions, immediate alerts, and penetration testing of your product to our commercial customers with a self-hosted cloud platform. To get the most advanced protection compliant with PSD2 RTS and eIDAS and support from our experts, contact us via https://talsec.app/contact
