Flutter applications present a unique challenge for mobile penetration testers. Unlike native Android apps where SSL pinning is typically implemented in Java/Kotlin and can be bypassed with tools like Frida or objection, Flutter apps compile to native ARM64 machine code via Dart. The TLS stack is baked directly into libflutter.so — a monolithic shared library that ships with every Flutter app.
This post walks through a technique I used during an authorized penetration test of a Flutter-based government application: binary patching libflutter.so to disable BoringSSL's certificate verification at the assembly level — without needing to inject a Frida gadget.
Why Frida Gadget Doesn't Always Work
Frida is the standard tool for dynamic instrumentation on Android. The typical workflow is to inject frida-gadget.so into the APK, repack it, and hook Dart's SSL verification functions at runtime. This works reliably on many consumer devices. However, on certain constrained environments — particularly devices with restricted ptrace permissions or when dealing with Houdini (Intel's ARM64-to-x86 translation layer on some emulators) — gadget injection fails silently or crashes the app entirely.
The root cause in my engagement was Houdini translation: the ARM64 libflutter binary was being translated to x86_64 instructions at runtime, causing Frida's address resolution to break. The function offsets I was hooking were stale by the time execution reached them.
Understanding Flutter's TLS Stack
Flutter uses BoringSSL (Google's fork of OpenSSL) for all TLS operations. Certificate verification flows through a chain of functions, with the key decision point being ssl_verify_cert_chain inside libflutter.so. This function ultimately calls X509_verify_cert and checks the return value to decide whether to allow or reject the connection.
The verification logic, simplified, looks like this:
int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *chain) {
int ret = 0;
// ... certificate chain validation ...
ret = X509_verify_cert(ctx);
if (ret <= 0) {
// Certificate invalid — abort TLS handshake
ssl->error = SSL_ERROR_SSL;
return 0;
}
return 1; // Certificate valid
}Our goal is to make this function always return 1 (success), regardless of certificate validity. To do that, we need to find it inside the compiled ARM64 binary and patch its return instruction.
Extracting and Analysing libflutter.so
First, pull the APK from the device and extract the library:
# Pull APK from device
adb shell pm path com.target.app
adb pull /data/app/com.target.app-xxx/base.apk
# Extract the library
unzip base.apk lib/arm64-v8a/libflutter.so -d extracted/
# Get the Flutter version (helps locate known offsets)
strings extracted/lib/arm64-v8a/libflutter.so | grep "Flutter/"Once you have the version string (e.g., Flutter/3.x.x), you can reference the Dart SDK source to cross-reference the BoringSSL commit used in that Flutter release. This narrows down which version of the ssl_verify_cert_chain function we're dealing with.
Locating the Target Function
Open libflutter.so in Ghidra or IDA Pro. Since the binary is stripped (no symbol names), we need to find our target via signature matching.
Search for the byte pattern corresponding to a known BoringSSL sequence near the certificate verification logic. A useful anchor is the error string CERTIFICATE_VERIFY_FAILED — find the string in the binary's rodata section, then find all cross-references to it. The function that references this string is almost certainly part of the TLS error reporting path adjacent to our target.
# Find the string offset
strings -t x extracted/lib/arm64-v8a/libflutter.so | grep -i "verify_failed"
# In Ghidra: Search > For String > "CERTIFICATE_VERIFY_FAILED"
# Then: Right click > References > Show References to AddressTrace backward from the error-reporting callsite to find the conditional branch that decides whether to report the error. This branch instruction is your patch target.
The Binary Patch
In ARM64, the conditional branch that skips the error path typically looks like:
; ARM64 assembly (before patch)
CBZ W0, error_path ; Branch to error if return value is 0
; ... success path continues ...
error_path:
; ... sets SSL error, returns 0 ...We want to replace CBZ W0, error_path with a NOP (no operation) instruction so execution never branches to the error path:
# ARM64 NOP opcode
NOP = 0x1F 0x20 0x03 0xD5
# Python patch script
import sys
FLUTTER_LIB = "libflutter.so"
PATCH_OFFSET = 0xABCDEF # Replace with your identified offset
NOP_BYTES = b'\x1f\x20\x03\xd5'
with open(FLUTTER_LIB, 'r+b') as f:
f.seek(PATCH_OFFSET)
original = f.read(4)
print(f"Original bytes at offset: {original.hex()}")
f.seek(PATCH_OFFSET)
f.write(NOP_BYTES)
print(f"Patched with NOP: {NOP_BYTES.hex()}")Always back up the original libflutter.so before patching. Verify the offset is correct by checking the 4 bytes before patching — they should match the expected branch instruction encoding.
Repacking and Signing the APK
# Replace the library in the APK
zip -r patched.apk base.apk
cp patched_libflutter.so lib/arm64-v8a/libflutter.so
zip -u patched.apk lib/arm64-v8a/libflutter.so
# Sign with a debug certificate
keytool -genkey -v -keystore debug.keystore -alias androiddebugkey \
-keyalg RSA -keysize 2048 -validity 10000 -storepass android
apksigner sign --ks debug.keystore --ks-key-alias androiddebugkey \
--ks-pass pass:android --out signed.apk patched.apk
# Install on device
adb install -r signed.apkConfirming Interception
With Burp Suite's proxy configured and the patched APK installed, launch the app and observe traffic. If the patch was applied correctly, HTTPS requests from the Flutter app should now appear in Burp's Proxy > HTTP History tab — no more TLS handshake failures.
Mitigations
For developers and security teams looking to harden Flutter applications against this technique, consider the following layered defences:
- Integrity checking: Use Play Integrity API or implement your own signature verification to detect APK tampering at runtime.
- Root and emulator detection: Many testing scenarios require root or emulated environments. Detecting these conditions adds friction.
- Obfuscated native code: Use LLVM-based obfuscation (e.g., Ollvm) to make the binary patching location harder to identify across releases.
- Certificate transparency enforcement: Require CT logs in TLS handshakes — harder to spoof even with a patched verification path.
Conclusion
Binary patching Flutter's libflutter.so is a reliable fallback when dynamic instrumentation via Frida fails. The technique is well within the capability of any intermediate-level mobile security researcher, which means the bar for bypassing certificate pinning on Flutter apps is lower than many developers assume. The practical takeaway: SSL pinning alone is not a security control — it's a minor obstacle. Real protection requires layered runtime integrity mechanisms.
All testing described here was performed on an authorized engagement. Never apply these techniques to apps you don't own or have explicit written permission to test.