1

I have configured Burp Suite to intercept the API (HTTP and HTTPS) calls from iOS mobile apps.

I am getting the expected result from all my native iOS apps which use HTTP and HTTPS (SSL certificate pinning disabled).

But for a Flutter mobile app, no request is intercepted and no items are listed under the "HTTP history" tab.

I am using the Flutter default package "http.dart" for the API calls. Does this package contain any kind of inbuilt security to avoid network interception?

mustaq
I think that your app simply ignores the system-wide proxy settings or uses a non-HTTP protocol (unlikely, given the package you’re using). Try intercepting traffic using Wireshark to see how it communicates with the server – Andrew Morozko Apr 27 '19 at 10:53

1 Answer

1

Flutter uses Dart, which doesn’t use the system CA store. This way, even though you have installed the Burp CA on your iOS device, Flutter is oblivious to that, as it uses a list of CAs that are embedded into the application itself.

You have to disable SSL certificate verification in your app for testing purposes. For disabling SSL certificate verification in Flutter, please refer to:

how to solve flutter CERTIFICATE_VERIFY_FAILED error while performing a POST request?

Also, it might be the case that your iOS Dart setup isn't completely proxy aware (usually Android Dart isn't). I'd investigate that as well.
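An added example, not part of the original answer: a debug-only client for `package:http` that routes traffic through the intercepting proxy explicitly and trusts the proxy's CA, instead of switching certificate verification off. The proxy address and the CA file path are placeholders, and the sketch is a plain `dart:io` program.

```dart
import 'dart:io';

import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';

// Assumptions (placeholders, not from the original post):
const proxyHostPort = '192.168.1.10:8080'; // address of the proxy listener
const proxyCaPemPath = 'burp-ca.pem'; // proxy CA certificate, converted to PEM

// True when the program is compiled in release (product) mode.
const isRelease = bool.fromEnvironment('dart.vm.product');

/// Returns a client that goes through the intercepting proxy in debug
/// builds and an untouched default client in release builds.
http.Client buildClient() {
  if (isRelease) {
    return http.Client(); // default trust, no proxy override
  }

  // Keep the usual roots and add the proxy CA as one more trusted issuer.
  final context = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificatesBytes(File(proxyCaPemPath).readAsBytesSync());

  final inner = HttpClient(context: context)
    // HttpClient connects directly unless findProxy is set.
    ..findProxy = (Uri uri) => 'PROXY $proxyHostPort'
    // Anything that still fails verification is logged and rejected.
    ..badCertificateCallback = (X509Certificate cert, String host, int port) {
      stderr.writeln('Rejected certificate for $host:$port (${cert.issuer})');
      return false;
    };

  return IOClient(inner);
}

Future<void> main() async {
  final client = buildClient();
  try {
    final response = await client.get(Uri.parse('https://example.com/'));
    print('status: ${response.statusCode}');
  } finally {
    client.close();
  }
}
```

In a Flutter app the CA bytes would be loaded from a bundled asset rather than a file path, and the release-mode guard keeps the proxy trust out of shipped builds.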