MCPcopy Create free account
hub / github.com/NVISOsecurity/disable-flutter-tls-verification

github.com/NVISOsecurity/disable-flutter-tls-verification @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
56 symbols 82 edges 19 files 12 documented · 21% updated 27d ago★ 6432 open issues

Browse by type

Functions 48 Types & classes 8
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

disable-flutter-tls-verification

A Frida script that disables Flutter's TLS verification

This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find ssl_verify_peer_cert in handshake.cc

You can use it via Frida by downloading disable-flutter-tls.js or by using Frida codeshare:

frida -U -f your.package.name -l disable-flutter-tls.js --no-pause

# or Frida codeshare

frida -U --codeshare TheDauntless/disable-flutter-tls-v1 -f YOUR_BINARY

Further information can be found in this blogpost.

:warning: What if this script doesn't work?

Before creating a GitHub issue, please test the following steps:

  • Can you intercept HTTP requests from the demo application?
    • If not, note that Flutter apps do not use the system's proxy settings by default. This means you should use Proxydroid on Android and OpenVPN on iOS (or a rogue rogue access point on both). On the Android Studio AVDs, you can use -http-proxy when launching the emulator.
  • Can you intercept HTTPS requests from the demo application?
  • Have you checked if your app's flutter library is inside the libflutter_samples directory?
    • For Android: run apktool d <YOURAPK> and run md5sum on libs/<ARCH>/libflutter.so
    • For iOS: Extract an unencrypted IPA, unzip it and run md5sum on Payload/Runner.app/Frameworks/Flutter.framework/Flutter
    • Alternatively, copy libflutter.so or Flutter to the correct folder in libflutter_samples and run python3 verify.py

If you can succesfully intercept all requests from the demo app and your library is not included in the samples, please open a GitHub issue with the app in question. It is possible that the app is using additional SSL pinning plugins, so a combination of this plugin and objection / other Frida scripts may be necessary. This is outside of the scope of this project and you will have to RE yourself to identify additional pinning protections.

Core symbols most depended-on inside this repo

Shape

Method 25
Function 23
Class 8

Languages

C++82%
Python9%
TypeScript7%
Kotlin2%

Modules by API surface

test_app/flutter_pinning/windows/runner/win32_window.cpp21 symbols
test_app/flutter_pinning/linux/my_application.cc7 symbols
test_app/flutter_pinning/windows/runner/win32_window.h5 symbols
test_app/flutter_pinning/windows/runner/flutter_window.cpp5 symbols
libflutter_samples/verify.py5 symbols
disable-flutter-tls.js4 symbols
test_app/flutter_pinning/windows/runner/utils.cpp3 symbols
test_app/flutter_pinning/windows/runner/main.cpp1 symbols
test_app/flutter_pinning/windows/runner/flutter_window.h1 symbols
test_app/flutter_pinning/windows/flutter/generated_plugin_registrant.cc1 symbols
test_app/flutter_pinning/linux/main.cc1 symbols
test_app/flutter_pinning/linux/flutter/generated_plugin_registrant.cc1 symbols

For agents

$ claude mcp add disable-flutter-tls-verification \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page