
I have read this answer regarding the default behavior of SSL pinning in Flutter.

But my security tester said that my APK still has SSL pinning installed, with the screenshot below:

Screenshot

Looking at the list of Java files at the right, are they related to my code, or do those come from packages only?

My Car
nashihu

2 Answers

0

Confirmed by this answer:

libflutter.so (the flutter engine)

libapp.so (your code).

So any .java files from MobSF are apparently from third-party or Flutter libraries, not from my code.

nashihu
0

SSL pinning is not a default behaviour of Flutter, but the Dio library does reject the self-signed certificate that we install when using a proxy server in order to intercept API calls. The Dio library provides a callback, client.badCertificateCallback, when it finds a self-signed certificate in the connection.

import 'dart:io';
import 'package:dio/dio.dart';
import 'package:dio/adapter.dart'; // DefaultHttpClientAdapter (dio 4.x)
void main() {
  final dio = Dio();
  (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
      (client) {
        client.findProxy = (uri) => "PROXY 192.168.1.10:8888;"; // route through the interception proxy
        client.badCertificateCallback = // true = accept the proxy's self-signed certificate
            (X509Certificate cert, String host, int port) => true;
      };
}

If you return true in client.badCertificateCallback, the system will accept the self-signed certificate and will call the server, and you will be able to intercept the call in the proxy server; but if you return false, it will reject the certificate, the API call will not proceed, and you won't be able to make the call to the server. By default it is false.

naman kashyap
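A tighter version of the same setup, added here as an example and not part of the answer above: the proxy and the certificate callback are enabled only in debug builds, and the callback trusts a single certificate by its SHA-256 fingerprint instead of returning true for everything, so the accept-all behaviour cannot ship in a release APK. It assumes dio 4.x (DefaultHttpClientAdapter from package:dio/adapter.dart), the crypto package, and a placeholder fingerprint constant kProxyCertSha256.

```dart
import 'dart:io';

import 'package:crypto/crypto.dart';
import 'package:dio/adapter.dart'; // DefaultHttpClientAdapter (dio 4.x)
import 'package:dio/dio.dart';
import 'package:flutter/foundation.dart' show kDebugMode;

// Placeholder: SHA-256 (hex) of the DER-encoded certificate your interception
// proxy presents. Compute it from the proxy's exported certificate.
const String kProxyCertSha256 = 'REPLACE_WITH_SHA256_HEX_OF_PROXY_CERT_DER';

/// Returns true only for the one certificate whose fingerprint matches.
bool isTrustedProxyCert(X509Certificate cert) {
  final fingerprint = sha256.convert(cert.der).toString();
  return fingerprint == kProxyCertSha256;
}

Dio buildDio() {
  final dio = Dio();
  (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
      (HttpClient client) {
    if (kDebugMode) {
      // Debug builds only: route through the proxy and accept its certificate.
      client.findProxy = (uri) => 'PROXY 192.168.1.10:8888;';
      client.badCertificateCallback =
          (X509Certificate cert, String host, int port) =>
              isTrustedProxyCert(cert);
    }
    // Release builds keep the default (badCertificateCallback unset), so a
    // certificate the platform trust store does not accept is rejected.
    return client;
  };
  return dio;
}
```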