Dodging SSL Pinning in Flutter Apps with Oxy Proxy

Rizky Muhammad
MII Cyber Security Consulting Services
3 min readApr 6, 2023

--

Hey there!

Ever found yourself stuck trying to bypass SSL Pinning using reFlutter, only to hit a wall and see an error message like the one in the image below?

reFlutter: This engine is currently not supported.

Super annoying, right?

And you might’ve even given Frida and Objection a shot, but no luck there either — none of the scripts wanted to play nice.

Well, today’s your lucky day, ’cause I’m about to spill the beans on the easiest and most mind-blowing method to bypass SSL Pinning in Flutter applications.

Trust me, you’re gonna love it!

First things first — you gotta install the Burp Suite certificate on your system. For this, you’ll need root access, so make sure you’ve got that sorted out.

Burp Suite PortSwigger Certificate.

Once that’s done, you’ll need to grab the Oxy Proxy app from the Play Store. *Sure, you could use ProxyDroid, but we’re gonna stick with Oxy Proxy for this walkthrough.

Installing Oxy Proxy Manager.

Now, it’s time to set up the IP and port that Burp Suite will use as a listener. Head over to the Oxy Proxy app settings and plug in the necessary info.

Configuring Oxy Proxy Manager.

With everything in place, all that’s left to do is open up the Flutter app with SSL Pinning.

SSL Pinning successfully bypassed.

And bam! Just like magic, the request is successfully snagged and intercepted by Burp Suite.

So, what’s the big deal? Well, bypassing SSL Pinning in this way allows you to dive deep into the app’s network traffic, making it a breeze to debug or analyze potential security issues.

However, always remember that this method should only be used for legitimate purposes and in a controlled environment, as bypassing SSL Pinning can expose applications to security risks.

And there you have it!

A super simple and unexpectedly effective way to bypass SSL Pinning in Flutter apps using Oxy Proxy.

Happy tinkering!

P.S.

  1. Don’t forget to enable the “Support invisible proxying” feature in Burp Suite.
  2. Make sure to turn off the system’s default proxy settings.

Thanks to Evan Aldiano & Yudha Prasetya

--

--