An open API service indexing awesome lists of open source software.

https://github.com/anousonephyakeo/flutter-security-toolkit

A comprehensive penetration testing toolkit for Flutter applications. Includes SSL pinning bypass techniques, Frida scripts, static/dynamic analysis guides, automated security scanning tools, and real-world case studies. Everything you need to assess Flutter app security on Android & iOS
https://github.com/anousonephyakeo/flutter-security-toolkit

android-security apk-analysis cybersecurity flutter frida ios-security mobile-pentesting mobile-security penetration-testing reverse-engineering security-testing ssl-pinning

Last synced: about 6 hours ago
JSON representation

A comprehensive penetration testing toolkit for Flutter applications. Includes SSL pinning bypass techniques, Frida scripts, static/dynamic analysis guides, automated security scanning tools, and real-world case studies. Everything you need to assess Flutter app security on Android & iOS

Awesome Lists containing this project

README

          

# Flutter Application Penetration Testing Guide

![GitHub stars](https://img.shields.io/github/stars/anousonephyakeo/flutter-security-toolkit?style=social)
![GitHub forks](https://img.shields.io/github/forks/anousonephyakeo/flutter-security-toolkit?style=social)
![License](https://img.shields.io/github/license/anousonephyakeo/flutter-security-toolkit)
![Last Commit](https://img.shields.io/github/last-commit/anousonephyakeo/flutter-security-toolkit)
![GitHub issues](https://img.shields.io/github/issues/anousonephyakeo/flutter-security-toolkit)

> 🔐 A comprehensive guide for security professionals conducting penetration tests on Flutter applications across iOS and Android platforms.

---
# Flutter Application Penetration Testing Guide

A comprehensive guide for security professionals conducting penetration tests on Flutter applications across iOS and Android platforms.

## Table of Contents

- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [SSL/TLS Certificate Pinning Bypass](#ssltls-certificate-pinning-bypass)
- [Automated Methods](#automated-methods)
- [Manual Methods](#manual-methods)
- [Network Traffic Interception](#network-traffic-interception)
- [Static Analysis Techniques](#static-analysis-techniques)
- [Dynamic Analysis](#dynamic-analysis)
- [Common Vulnerabilities](#common-vulnerabilities)
- [Advanced Techniques](#advanced-techniques)
- [Tools & Resources](#tools--resources)

---

## Introduction

Flutter applications present unique security challenges due to their architecture. Unlike traditional native apps, Flutter compiles Dart code into native ARM/x86 code, making reverse engineering more complex. This guide provides methodologies and tools specifically tailored for Flutter app security assessments.

## 🚀 Quick Start
```bash
# 1. Clone the repository
git clone https://github.com/anousonephyakeo/flutter-security-toolkit.git
cd flutter-security-toolkit

# 2. Install dependencies
pip3 install frida-tools reflutter

# 3. Download NVISO script
wget https://raw.githubusercontent.com/NVISOsecurity/disable-flutter-tls-verification/main/disable-flutter-tls.js

# 4. Start testing!
frida -U -f com.target.app -l disable-flutter-tls.js --no-pause
```

---

### **9. Add Badges** 🏅

Add these to the very top of README for credibility:
```markdown
# Flutter Application Penetration Testing Guide

![GitHub stars](https://img.shields.io/github/stars/anousonephyakeo/flutter-security-toolkit?style=social)
![GitHub forks](https://img.shields.io/github/forks/anousonephyakeo/flutter-security-toolkit?style=social)
![License](https://img.shields.io/github/license/anousonephyakeo/flutter-security-toolkit)
![Last Commit](https://img.shields.io/github/last-commit/anousonephyakeo/flutter-security-toolkit)
![Issues](https://img.shields.io/github/issues/anousonephyakeo/flutter-security-toolkit)

A comprehensive guide for security professionals...
```

---

### **10. Create a SECURITY.md** 🔒
```bash
cat > SECURITY.md << 'EOF'
# Security Policy

## Reporting Security Issues

**DO NOT** open public issues for security vulnerabilities.

Instead:
- Open a GitHub Security Advisory
- Email: [your email]

## Responsible Disclosure

This toolkit is for **authorized testing only**.

Always:
✅ Get written permission
✅ Follow responsible disclosure
✅ Respect applicable laws

Never:
❌ Test without authorization
❌ Access unauthorized data
❌ Exploit vulnerabilities maliciously

## Legal Notice

Unauthorized access to computer systems is **illegal**.
Use this toolkit responsibly and ethically.
EOF
```

---

### **11. Add Examples Folder Content** 📚

Create **examples/case-studies.md**:
```markdown
# Case Studies

## Banking App Analysis (Anonymized)

**Protections**: SSL pinning, root detection, Frida detection

**Approach**:
1. Used physical rooted device
2. Renamed Frida server
3. Applied Reflutter
4. Successfully bypassed all protections

**Findings**:
- Unencrypted tokens in SharedPreferences
- IDOR vulnerabilities in API
- Hardcoded API keys

**Impact**: Critical

---

*Add your own case studies (with permission)*
```

---

### **12. Enable GitHub Features** ⚙️

Go to **Settings** → Enable:
- ✅ **Issues** (for bug reports)
- ✅ **Discussions** (for Q&A)
- ✅ **Wiki** (optional, for extended docs)
- ✅ **Sponsorship** (optional, if you want donations)

---

### **13. Add a .github Folder** 🤖

Create issue templates and automation:
```bash
mkdir -p .github/ISSUE_TEMPLATE

# Bug report template
cat > .github/ISSUE_TEMPLATE/bug_report.md << 'EOF'
---
name: Bug Report
about: Report a bug or issue
---

**Description**
Clear description of the issue

**Steps to Reproduce**
1. Step 1
2. Step 2
3. ...

**Expected Behavior**
What should happen

**Actual Behavior**
What actually happens

**Environment**
- Flutter version:
- Device:
- OS:
EOF

# Feature request template
cat > .github/ISSUE_TEMPLATE/feature_request.md << 'EOF'
---
name: Feature Request
about: Suggest a new feature
---

**Feature Description**
What feature would you like?

**Use Case**
Why is this needed?

**Proposed Solution**
How should it work?
EOF
```

---

### **14. Add a Tools Comparison Table** 📊

Create **tools/recommended-tools.md**:
```markdown
# Recommended Tools

## SSL Pinning Bypass

| Tool | Platform | Difficulty | Effectiveness |
|------|----------|------------|---------------|
| NVISO Script | Android/iOS | Easy | High |
| Reflutter | Android | Medium | High |
| Manual Patching | Both | Hard | Very High |

## Network Interception

| Tool | Features | Cost | Best For |
|------|----------|------|----------|
| BurpSuite | Full suite | Free/Paid | Professionals |
| mitmproxy | CLI-based | Free | Automation |
| Charles Proxy | GUI | Paid | Beginners |

...
```

---

### **15. Create First Release** 🎉

1. Click **"Create a new release"** on GitHub
2. Tag: `v2.0.0`
3. Title: `Flutter Security Toolkit v2.0.0`
4. Description:
```markdown
## 🎉 Initial Public Release

Complete Flutter application penetration testing toolkit.

### Features
✅ Comprehensive SSL pinning bypass guide
✅ Working Frida scripts
✅ Network interception techniques
✅ Automation tools
✅ Real-world case studies
✅ Developer security best practices

### Getting Started
Check the [README](https://github.com/anousonephyakeo/flutter-security-toolkit#readme)

**⚠️ For authorized security testing only**
```

---

## **Priority Order:**

1. ✅ **Add repository topics** (5 minutes - maximum impact)
2. ✅ **Create folder structure** (5 minutes)
3. ✅ **Add actual Frida scripts** (30 minutes)
4. ✅ **Replace placeholders** with your info (5 minutes)
5. ✅ **Add Quick Start section** (10 minutes)
6. ✅ **Add badges** (5 minutes)
7. ✅ **Enable Issues & Discussions** (2 minutes)
8. ✅ **Create first release** (10 minutes)

---

## **Quick Command to Add Everything:**
```bash
# Run this in your local repo:
mkdir -p scripts/frida scripts/automation examples tools .github/ISSUE_TEMPLATE

# Add all files (copy scripts from my earlier messages)
# Then:
git add .
git commit -m "Add complete toolkit structure with scripts and documentation"
git push
```

---

**Would you like me to create a single comprehensive script that sets up everything at once?** 🚀
### Flutter Architecture Overview

Flutter apps use the Dart VM in development and compile to native code for production. Key components include:

- **libflutter.so**: Flutter engine library
- **libapp.so**: Compiled Dart application code
- **Snapshot files**: Dart code snapshots (kernel_blob.bin, vm_snapshot_data, isolate_snapshot_data)

---

## Prerequisites

### Required Tools

- **Frida**: Dynamic instrumentation toolkit (v16.0.0+)
- **BurpSuite/mitmproxy**: HTTP/HTTPS proxy tools
- **ADB**: Android Debug Bridge
- **APKTool**: APK decompilation
- **Ghidra/IDA Pro**: Binary analysis
- **iOS-specific**: iFunBox, iProxy, frida-ios-dump
- **Python 3.8+**: For automation scripts

### Environment Setup

```bash
# Install Frida tools
pip3 install frida-tools

# Verify installation
frida --version
```

### Device Requirements

**Android:**
- Rooted device or emulator (recommended: Genymotion, Android Studio AVD)
- USB debugging enabled
- ADB installed and configured

**iOS:**
- Jailbroken device (checkra1n, unc0ver, or Dopamine)
- Frida server installed via Cydia/Sileo
- Valid provisioning profile for app installation

---

## SSL/TLS Certificate Pinning Bypass

Flutter implements certificate pinning at the Dart level, making traditional Android/iOS SSL unpinning methods ineffective. These specialized techniques target Flutter's specific implementation.

### Automated Methods

#### Method 1: NVISO Flutter TLS Bypass (Recommended)

The NVISO script dynamically patches Flutter's SSL validation functions during runtime.

**Installation:**

```bash
# Download the latest script
wget https://raw.githubusercontent.com/NVISOsecurity/disable-flutter-tls-verification/main/disable-flutter-tls.js
```

**Usage:**

```bash
# Basic usage - spawn application
frida -U -f com.example.target -l disable-flutter-tls.js

# Attach to running process
frida -U -n "App Name" -l disable-flutter-tls.js

# With persistent changes
frida -U -f com.example.target -l disable-flutter-tls.js --no-pause
```

**Advantages:**
- No repackaging required
- Works on both Android and iOS
- Regularly maintained and updated
- Supports latest Flutter versions (3.x)

**Troubleshooting:**
- If the script fails, ensure you're using the latest Frida version
- Some apps may implement anti-Frida checks; see [Anti-Instrumentation Bypass](#anti-instrumentation-bypass)
- Check Frida server is running: `frida-ps -U`

#### Method 2: Reflutter (Automated APK Patching)

Reflutter patches Flutter binaries to disable certificate validation at the binary level.

**Installation:**

```bash
pip3 install reflutter
```

**Step-by-Step Process:**

```bash
# 1. Patch the APK (provide your BurpSuite/proxy IP when prompted)
reflutter target_app.apk

# Example output:
# Enter your BurpSuite IP: 192.168.1.100

# 2. Sign the patched APK
# Download uber-apk-signer if not already installed
wget https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar

# Sign the APK
java -jar uber-apk-signer-1.3.0.jar --apk release.RE.apk

# 3. Uninstall original app (if installed)
adb uninstall com.example.target

# 4. Install the patched APK
adb install release.RE-aligned-debugSigned.apk
```

**Important Notes:**
- Reflutter modifies the app binary, which may trigger integrity checks
- Backup the original APK before patching
- The app may crash if it implements root/tamper detection
- Works only on Android applications

**Comparison of Automated Methods:**

| Feature | NVISO Script | Reflutter |
|---------|-------------|-----------|
| Platform | Android + iOS | Android only |
| Repackaging | No | Yes |
| Detection Risk | Lower | Higher |
| Setup Complexity | Easy | Moderate |
| Maintenance | Active | Active |

### Manual Methods

#### Binary Patching with Ghidra

For apps with anti-Frida or anti-repackaging measures, manual binary patching provides deeper control.

**Steps:**

1. **Extract libapp.so/App binary**
```bash
# Android
unzip target_app.apk
# Binary located at: lib/arm64-v8a/libapp.so

# iOS
unzip target_app.ipa
# Binary located at: Payload/AppName.app/Frameworks/App.framework/App
```

2. **Load in Ghidra**
- Open Ghidra and create new project
- Import libapp.so or App binary
- Analyze with default options

3. **Locate SSL verification functions**

Search for common certificate validation strings:
```
"certificate verify failed"
"CERTIFICATE_VERIFY_FAILED"
"HandshakeException"
"SecurityContext"
```

4. **Patch verification logic**

Common patterns to patch:
- Change conditional jumps (JNZ → JMP, BNE → B)
- NOP out validation calls
- Force return values (MOV R0, #1 for success)

5. **Export and repack**
```bash
# Replace original library
# Repack APK with APKTool
apktool d target_app.apk
# Replace lib/arm64-v8a/libapp.so with patched version
apktool b target_app -o target_patched.apk

# Sign and install
java -jar uber-apk-signer-1.3.0.jar --apk target_patched.apk
adb install target_patched-aligned-debugSigned.apk
```

**Advanced: Custom Frida Scripts**

Create targeted Frida scripts for specific Flutter versions:

```javascript
// Custom Flutter SSL bypass
Java.perform(function() {
// Hook native SSL functions
var ssl_verify_result = Module.findExportByName("libflutter.so",
"ssl_verify_result_t");

if (ssl_verify_result) {
Interceptor.replace(ssl_verify_result, new NativeCallback(function() {
console.log("[*] SSL verification bypassed");
return 0; // X509_V_OK
}, 'int', []));
}

// Hook Dart SSL context
var symbols = Module.enumerateSymbolsSync("libapp.so");
symbols.forEach(function(symbol) {
if (symbol.name.includes("SecurityContext") ||
symbol.name.includes("X509")) {
console.log("[*] Found symbol: " + symbol.name);
// Further hooking logic here
}
});
});
```

---

## Network Traffic Interception

### VPN-Based Interception (OpenVPN + iptables)

This method is effective when apps detect and block system proxy settings.

#### OpenVPN Server Setup

```bash
# Download and prepare installation script
sudo wget https://git.io/vpn -O openvpn-install.sh

# Fix compatibility issues
sudo sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut -d : -f 1)+1))d" ./openvpn-install.sh

# Make executable
sudo chmod +x openvpn-install.sh

# Run installation
sudo ./openvpn-install.sh
```

**Configuration Prompts:**

```
IPv4 address: [Your PC's local IP, e.g., 192.168.1.100]
Public IPv4/hostname: [Your PC's local IP, e.g., 192.168.1.100]
Protocol: 1 (UDP)
Port: 1194
DNS Server: 1 (Current system resolvers)
Client name: [Any name, e.g., "pentest-client"]
```

#### Traffic Redirection with iptables

```bash
# Start OpenVPN service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

# Verify VPN is running
sudo systemctl status openvpn@server

# Configure iptables rules for traffic redirection
# Replace 192.168.1.50 with your mobile device's IP
# Replace 192.168.1.100 with your proxy server IP

# Redirect HTTP traffic (port 80) to BurpSuite (8080)
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080

# Redirect HTTPS traffic (port 443) to BurpSuite (8080)
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080

# Enable NAT for device traffic
sudo iptables -t nat -A POSTROUTING -s 192.168.1.50/24 -o eth0 -j MASQUERADE

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p

# Persist iptables rules (Debian/Ubuntu)
sudo apt-get install iptables-persistent
sudo netfilter-persistent save

# View current rules
sudo iptables -t nat -L -n -v
```

#### Client Configuration

**iOS:**
1. Install OpenVPN Connect from App Store
2. Transfer .ovpn profile via AirDrop or email
3. Import profile and connect
4. Configure BurpSuite to listen on all interfaces (0.0.0.0:8080)

**Android:**
1. Install OpenVPN for Android from Play Store
2. Transfer .ovpn file to device
3. Import and connect
4. Alternatively, use ProxyDroid for system-wide proxy

---

### Android Proxy Configuration

#### ProxyDroid Method (Root Required)

ProxyDroid enforces system-wide proxy at the network layer, bypassing app-level proxy detection.

**Setup:**

1. Install ProxyDroid from Google Play Store or F-Droid
2. Grant root permissions when prompted
3. Configure settings:
```
Host: [BurpSuite IP, e.g., 192.168.1.100]
Port: [BurpSuite Port, e.g., 8080]
Proxy Type: HTTP
Global Proxy: Enabled
```
4. Start proxy service

**Alternative: iptables Direct Method**

```bash
# On rooted Android device (via ADB shell)
adb shell

# Become root
su

# Redirect traffic to proxy
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.1.100:8080

# Verify rules
iptables -t nat -L OUTPUT -n -v
```

---

## Static Analysis Techniques

### Extracting Application Assets

#### Android APK Extraction

```bash
# Method 1: Rename and extract
cp target_app.apk target_app.zip
unzip target_app.zip -d apk_contents/

# Method 2: APKTool for full decompilation
apktool d target_app.apk -o apk_decompiled/

# Key files to examine:
# - lib/[arch]/libapp.so (compiled Dart code)
# - lib/[arch]/libflutter.so (Flutter engine)
# - assets/flutter_assets/ (resources, fonts, images)
# - AndroidManifest.xml (permissions, components)
```

#### iOS IPA Extraction

```bash
# Option 1: Use frida-ios-dump (jailbroken device required)
frida-ios-dump -H [device IP] -u [bundle ID]

# Option 2: Use Clutch (for decrypting App Store apps)
# Install Clutch via Cydia
# SSH into device
ssh root@[device IP]
Clutch -d com.example.target

# Extract IPA contents
unzip target_app.ipa -d ipa_contents/

# Navigate to binary
cd ipa_contents/Payload/AppName.app/Frameworks/App.framework/

# Key files:
# - App (main binary)
# - Info.plist (app metadata)
# - Assets.car (compiled assets)
```

### String Analysis

Extract hardcoded credentials, API endpoints, and sensitive data.

```bash
# Extract all strings
strings libapp.so > app_strings.txt
strings App > app_strings.txt

# Filter for common patterns
grep -i "api" app_strings.txt
grep -i "http" app_strings.txt
grep -i "password\|passwd\|pwd" app_strings.txt
grep -i "secret\|token\|key" app_strings.txt
grep -i "amazonaws.com\|firebase\|cloudfront" app_strings.txt

# Search for specific API routes
strings libapp.so | grep -E "/(api|v1|v2|v3|auth|login|user|admin)" > api_routes.txt

# Extract potential secrets with regex
strings libapp.so | grep -E "[A-Za-z0-9]{32,}" > potential_secrets.txt

# Find URLs
strings libapp.so | grep -E "https?://[^\s]+" > urls.txt

# Look for SQL queries
strings libapp.so | grep -i -E "(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP)" > sql_queries.txt
```

### Flutter-Specific Analysis

```bash
# Look for Flutter framework versions
strings libflutter.so | grep -i "version\|flutter"

# Find Dart package dependencies
cat pubspec.yaml # If available in assets

# Analyze snapshot files (if present)
# These contain compiled Dart code
find . -name "*.snapshot*" -o -name "kernel_blob.bin"

# Decompile Dart snapshots (advanced)
# Use reFlutter or custom tools
```

### Sensitive Data Patterns

Create a comprehensive search:

```bash
#!/bin/bash
# save as analyze_strings.sh

BINARY=$1
OUTPUT="analysis_report.txt"

echo "=== Flutter App Security Analysis ===" > $OUTPUT
echo "Binary: $BINARY" >> $OUTPUT
echo "Date: $(date)" >> $OUTPUT
echo "" >> $OUTPUT

echo "[+] Extracting strings..."
strings $BINARY > all_strings.txt

echo "[*] API Endpoints:" >> $OUTPUT
grep -E "/(api|v[0-9]|auth|user|admin)" all_strings.txt >> $OUTPUT

echo "" >> $OUTPUT
echo "[*] Potential Secrets:" >> $OUTPUT
grep -E "([A-Za-z0-9+/]{40,}={0,2}|[a-f0-9]{32,64})" all_strings.txt | head -20 >> $OUTPUT

echo "" >> $OUTPUT
echo "[*] Hardcoded Credentials:" >> $OUTPUT
grep -iE "(password|passwd|pwd|secret|token|api[_-]?key).*[:=].*" all_strings.txt >> $OUTPUT

echo "" >> $OUTPUT
echo "[*] Cloud Services:" >> $OUTPUT
grep -iE "(amazonaws|azure|firebase|cloudfront|s3\.)" all_strings.txt >> $OUTPUT

echo "" >> $OUTPUT
echo "[*] Database References:" >> $OUTPUT
grep -iE "(SELECT|INSERT|UPDATE|DELETE|sqlite|mongodb|postgresql)" all_strings.txt >> $OUTPUT

echo "[+] Analysis complete. Results saved to $OUTPUT"
```

**Usage:**
```bash
chmod +x analyze_strings.sh
./analyze_strings.sh libapp.so
cat analysis_report.txt
```

---

## Dynamic Analysis

### Frida Hooking Techniques

#### Basic Function Tracing

```javascript
// trace_network.js - Monitor network requests
Java.perform(function() {
var HttpURLConnection = Java.use("java.net.HttpURLConnection");

HttpURLConnection.getRequestMethod.implementation = function() {
var method = this.getRequestMethod();
var url = this.getURL();
console.log("\n[HTTP Request]");
console.log("Method: " + method);
console.log("URL: " + url.toString());
return method;
};

HttpURLConnection.getResponseCode.implementation = function() {
var code = this.getResponseCode();
var url = this.getURL();
console.log("\n[HTTP Response]");
console.log("URL: " + url.toString());
console.log("Status: " + code);
return code;
};
});
```

#### Monitoring Shared Preferences (Android)

```javascript
// monitor_storage.js
Java.perform(function() {
var SharedPreferences = Java.use("android.content.SharedPreferences");
var Editor = Java.use("android.content.SharedPreferences$Editor");

Editor.putString.implementation = function(key, value) {
console.log("\n[SharedPreferences Write]");
console.log("Key: " + key);
console.log("Value: " + value);
return this.putString(key, value);
};

SharedPreferences.getString.implementation = function(key, defValue) {
var value = this.getString(key, defValue);
console.log("\n[SharedPreferences Read]");
console.log("Key: " + key);
console.log("Value: " + value);
return value;
};
});
```

#### Crypto Operations Monitoring

```javascript
// monitor_crypto.js
Java.perform(function() {
var Cipher = Java.use("javax.crypto.Cipher");

Cipher.doFinal.overload('[B').implementation = function(input) {
console.log("\n[Crypto Operation]");
console.log("Algorithm: " + this.getAlgorithm());
console.log("Input: " + bytesToHex(input));
var result = this.doFinal(input);
console.log("Output: " + bytesToHex(result));
return result;
};

function bytesToHex(bytes) {
var hex = "";
for (var i = 0; i < Math.min(bytes.length, 32); i++) {
hex += ("0" + (bytes[i] & 0xFF).toString(16)).slice(-2);
}
return hex + (bytes.length > 32 ? "..." : "");
}
});
```

#### Running Frida Scripts

```bash
# Spawn app with script
frida -U -f com.example.app -l script.js --no-pause

# Attach to running app
frida -U -n "App Name" -l script.js

# Multiple scripts
frida -U -f com.example.app -l script1.js -l script2.js --no-pause

# Interactive mode
frida -U -f com.example.app
```

---

## Common Vulnerabilities

### 1. Insecure Data Storage

**Check for:**
- Unencrypted sensitive data in SharedPreferences/UserDefaults
- Sensitive data in application logs
- Unprotected local databases (SQLite)
- Cached credentials in memory

**Testing:**

```bash
# Android - Check SharedPreferences
adb shell
run-as com.example.app
cd shared_prefs/
cat *.xml

# Android - Check databases
cd databases/
sqlite3 app.db
.tables
.schema [table_name]
SELECT * FROM [sensitive_table];

# iOS - Check UserDefaults
# On jailbroken device
cat /var/mobile/Containers/Data/Application/[UUID]/Library/Preferences/com.example.app.plist
```

### 2. Insufficient Transport Layer Protection

**Indicators:**
- Missing certificate pinning
- Accepting self-signed certificates
- Using HTTP for sensitive operations
- Weak TLS versions (< 1.2)

**Verification:**
```bash
# Check for HTTP URLs in binary
strings libapp.so | grep "http://"

# Monitor network traffic
tcpdump -i any -n -s 0 -w capture.pcap host [device IP]

# Analyze with Wireshark
wireshark capture.pcap
```

### 3. Client-Side Injection

Flutter apps can be vulnerable to:
- SQL Injection (local databases)
- XSS (if using WebView)
- Path Traversal (file operations)

**Example Test:**

```javascript
// Test SQL injection via Frida
Java.perform(function() {
var SQLiteDatabase = Java.use("android.database.sqlite.SQLiteDatabase");

SQLiteDatabase.rawQuery.overload('java.lang.String', '[Ljava.lang.String;')
.implementation = function(sql, args) {
console.log("\n[SQL Query]");
console.log("Query: " + sql);
console.log("Args: " + args);

// Test with malicious input
// sql = "SELECT * FROM users WHERE id='" + userInput + "'";
// userInput = "1' OR '1'='1"

return this.rawQuery(sql, args);
};
});
```

### 4. Insecure Authentication

**Check for:**
- Hardcoded credentials
- Weak session management
- Missing biometric authentication
- JWT tokens stored insecurely

**Testing:**

```bash
# Search for auth-related strings
strings libapp.so | grep -iE "(bearer|authorization|jwt|session|cookie)"

# Monitor authentication flow
frida -U -f com.example.app -l trace_auth.js
```

### 5. Insufficient Binary Protection

**Indicators:**
- Missing obfuscation
- Debug symbols present
- No root/jailbreak detection
- No tamper detection

**Check:**

```bash
# Android - Check for debug symbols
nm -D libapp.so | grep " T "

# Check for obfuscation
jadx -d output/ target_app.apk
# Review decompiled code clarity

# iOS - Check for encryption
otool -l App | grep cryptid
# cryptid 0 = unencrypted, cryptid 1 = encrypted
```

---

## Advanced Techniques

### Anti-Instrumentation Bypass

Many apps detect Frida and other instrumentation tools.

#### Detect Frida Checks

```javascript
// detect_anti_frida.js
Java.perform(function() {
// Hook common anti-Frida checks
var File = Java.use("java.io.File");
File.exists.implementation = function() {
var path = this.getAbsolutePath();
if (path.indexOf("frida") !== -1 || path.indexOf("re.frida") !== -1) {
console.log("[*] Blocked Frida detection: " + path);
return false;
}
return this.exists();
};

// Hook port scanning (Frida default port 27042)
var Socket = Java.use("java.net.Socket");
Socket.$init.overload('java.lang.String', 'int').implementation = function(host, port) {
if (port === 27042 || port === 27043) {
console.log("[*] Blocked Frida port scan: " + port);
throw new Error("Connection refused");
}
return this.$init(host, port);
};
});
```

#### Rename Frida Server

```bash
# Android
adb push frida-server /data/local/tmp/my_daemon
adb shell "chmod 755 /data/local/tmp/my_daemon"
adb shell "/data/local/tmp/my_daemon &"

# Verify
frida-ps -U
```

#### Root Detection Bypass

```javascript
// bypass_root.js
Java.perform(function() {
// Hook RootBeer library (common root detection)
try {
var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
RootBeer.isRooted.implementation = function() {
console.log("[*] Root check bypassed");
return false;
};
} catch(e) {}

// Hook common root check files
var File = Java.use("java.io.File");
File.exists.implementation = function() {
var path = this.getAbsolutePath();
var rootPaths = ["/system/app/Superuser.apk", "/su", "/system/bin/su",
"/system/xbin/su", "/data/local/xbin/su", "/magisk"];

for (var i = 0; i < rootPaths.length; i++) {
if (path.indexOf(rootPaths[i]) !== -1) {
console.log("[*] Blocked root path check: " + path);
return false;
}
}
return this.exists();
};

// Hook Runtime.exec for su commands
var Runtime = Java.use("java.lang.Runtime");
Runtime.exec.overload('java.lang.String').implementation = function(cmd) {
if (cmd.indexOf("su") !== -1) {
console.log("[*] Blocked su command: " + cmd);
throw new Error("Command not found");
}
return this.exec(cmd);
};
});
```

### Memory Dumping

Extract decrypted data and runtime strings from memory.

```bash
# Attach Frida and dump memory
frida -U -n "App Name" -e 'Process.enumerateModules()' | grep libapp

# Dump specific module
frida -U -n "App Name"
# In Frida console:
> var base = Module.findBaseAddress("libapp.so")
> var size = Process.getModuleByName("libapp.so").size
> Memory.dump(base, size).then(function(bytes) {
var fs = require('fs');
fs.writeFileSync("libapp_dump.bin", bytes);
})

# Alternatively, use objection
objection -g com.example.app explore
memory list modules
memory dump all libapp.so /tmp/libapp_dump.bin
```

### Snapshot Analysis

Analyze Dart snapshots for sensitive data.

```bash
# Locate snapshots in APK
unzip -l app.apk | grep -E "(kernel|snapshot|isolate|vm)"

# Extract
unzip app.apk -d app_extracted/
cd app_extracted/assets/

# Analyze with reFlutter (includes snapshot parser)
reflutter app.apk

# Manual analysis: search for strings
strings kernel_blob.bin | grep -E "(api|http|secret|password)"
```

### Custom Protocol Analysis

Many Flutter apps use protobuf, GraphQL, or custom protocols.

**Intercepting Protobuf:**

```javascript
// intercept_protobuf.js
Java.perform(function() {
var MessageLite = Java.use("com.google.protobuf.MessageLite");
MessageLite.toByteArray.implementation = function() {
var bytes = this.toByteArray();
console.log("\n[Protobuf Serialized]");
console.log("Message: " + this.$className);
console.log("Hex: " + bytesToHex(bytes));
return bytes;
};

function bytesToHex(bytes) {
var hex = "";
for (var i = 0; i < bytes.length; i++) {
hex += ("0" + (bytes[i] & 0xFF).toString(16)).slice(-2);
}
return hex;
}
});
```

---

## Tools & Resources

### Essential Tools

| Tool | Purpose | Platform | Link |
|------|---------|----------|------|
| Frida | Dynamic instrumentation | Android/iOS | [frida.re](https://frida.re) |
| Reflutter | SSL pinning bypass | Android | [GitHub](https://github.com/ptswarm/reFlutter) |
| Objection | Mobile security toolkit | Android/iOS | [GitHub](https://github.com/sensepost/objection) |
| APKTool | APK decompilation | Android | [ibotpeaches.github.io](https://ibotpeaches.github.io/Apktool/) |
| jadx | Java decompiler | Android | [GitHub](https://github.com/skylot/jadx) |
| Ghidra | Binary analysis | All | [ghidra-sre.org](https://ghidra-sre.org/) |
| BurpSuite | HTTP proxy | All | [portswigger.net](https://portswigger.net/burp) |
| mitmproxy | HTTP proxy | All | [mitmproxy.org](https://mitmproxy.org/) |
| frida-ios-dump | iOS app decryption | iOS | [GitHub](https://github.com/AloneMonkey/frida-ios-dump) |
| MobSF | Mobile security framework | Android/iOS | [GitHub](https://github.com/MobSF/Mobile-Security-Framework-MobSF) |

### Specialized Flutter Tools

- **NVISO Flutter Unpinner**: [GitHub](https://github.com/NVISOsecurity/disable-flutter-tls-verification)
- **reFlutter**: [GitHub](https://github.com/ptswarm/reFlutter)
- **Dart Decompiler**: [GitHub](https://github.com/xtremely-undead/Dart-Decompiler)

### Learning Resources

- **OWASP Mobile Security Testing Guide**: [GitHub](https://github.com/OWASP/owasp-mstg)
- **Mobile Application Penetration Testing Cheat Sheet**: [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Mobile_Application_Penetration_Testing_Cheat_Sheet.html)
- **Frida CodeShare**: [codeshare.frida.re](https://codeshare.frida.re/)
- **Flutter Security Best Practices**: [flutter.dev/security](https://flutter.dev/security)

### Communities

- **r/AskNetsec** (Reddit)
- **Frida Slack** ([frida.re/slack](https://frida.re/slack/))
- **OWASP Mobile Security Project**

---

## Testing Checklist

Use this checklist to ensure comprehensive coverage during penetration tests.

### Pre-Test Setup
- [ ] Device rooted/jailbroken
- [ ] Frida server installed and running
- [ ] BurpSuite configured with CA certificate
- [ ] APK/IPA obtained (via extraction or legitimate purchase)
- [ ] Testing environment documented

### Static Analysis
- [ ] Decompiled application
- [ ] Extracted and analyzed strings
- [ ] Identified API endpoints
- [ ] Located hardcoded secrets/credentials
- [ ] Reviewed AndroidManifest.xml/Info.plist
- [ ] Analyzed third-party libraries
- [ ] Checked for debug symbols
- [ ] Examined certificate pinning implementation

### Dynamic Analysis
- [ ] SSL/TLS pinning bypassed
- [ ] Network traffic intercepted
- [ ] Authentication flow analyzed
- [ ] Session management tested
- [ ] API endpoints enumerated
- [ ] Input validation tested
- [ ] Crypto operations monitored
- [ ] Local storage examined

### Security Tests
- [ ] Insecure data storage
- [ ] Weak cryptography
- [ ] Insecure communication
- [ ] Authentication bypass attempts
- [ ] Authorization flaws
- [ ] Client-side injection (SQL, XSS, etc.)
- [ ] Business logic flaws
- [ ] Anti-tampering measures evaluated

### Additional Checks
- [ ] Root/jailbreak detection tested
- [ ] Anti-debugging measures identified
- [ ] Code obfuscation assessed
- [ ] Logging sensitive information
- [ ] Backup flag configuration
- [ ] Deep link vulnerabilities
- [ ] WebView security (if applicable)

---

## Reporting Findings

### Severity Classification

Use CVSS or a simplified risk matrix:

| Severity | Criteria |
|----------|----------|
| **Critical** | Remote code execution, full data breach, authentication bypass |
| **High** | Privilege escalation, significant data exposure, weak cryptography |
| **Medium** | Information disclosure, missing security controls, insecure storage |
| **Low** | Best practice violations, minor information leakage |
| **Informational** | Security observations, recommendations |

### Report Structure

1. **Executive Summary**
- Overview of assessment
- Key findings
- Risk summary
- Recommendations

2. **Technical Details**
- Testing methodology
- Tools used
- Scope and limitations

3. **Findings**
For each vulnerability:
- Title and severity
- Description
- Proof of concept
- Impact assessment
- Remediation recommendations
- References (CWE, OWASP Mobile Top 10)

4. **Appendices**
- Testing checklist
- Tool output
- Screenshots
- Code snippets

---

## Best Practices for Secure Flutter Development

### For Developers

**1. Certificate Pinning Implementation**

```dart
// Implement certificate pinning properly
import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';
import 'dart:io';

class SecureHttpClient {
static HttpClient createHttpClient() {
final client = HttpClient();

client.badCertificateCallback = (cert, host, port) {
// Pin specific certificates
final expectedSHA256 = 'YOUR_CERT_SHA256_FINGERPRINT';
final certSHA256 = sha256.convert(cert.der).toString();

return certSHA256 == expectedSHA256 && host == 'api.yourapp.com';
};

return client;
}

static http.Client getClient() {
return IOClient(createHttpClient());
}
}
```

**2. Secure Storage**

```dart
// Use flutter_secure_storage for sensitive data
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

final storage = FlutterSecureStorage();

// Store sensitive data
await storage.write(key: 'auth_token', value: token);

// Retrieve sensitive data
final token = await storage.read(key: 'auth_token');

// Delete sensitive data
await storage.delete(key: 'auth_token');
```

**3. Code Obfuscation**

```bash
# Build with obfuscation enabled
flutter build apk --obfuscate --split-debug-info=build/app/outputs/symbols

flutter build ios --obfuscate --split-debug-info=build/ios/outputs/symbols
```

**4. Input Validation**

```dart
// Validate all user inputs
String sanitizeInput(String input) {
// Remove potentially dangerous characters
return input.replaceAll(RegExp(r'[<>\"\'%;()&+]'), '');
}

// Use parameterized queries
await database.rawQuery(
'SELECT * FROM users WHERE id = ?',
[userId] // Parameterized to prevent SQL injection
);
```

**5. Secure API Communication**

```dart
// Always use HTTPS
const String apiBaseUrl = 'https://api.yourapp.com'; // Never HTTP

// Implement proper error handling
try {
final response = await http.get(
Uri.parse('$apiBaseUrl/endpoint'),
headers: {
'Authorization': 'Bearer $token',
'Content-Type': 'application/json',
},
);

if (response.statusCode == 200) {
// Process response
} else {
// Handle error without exposing sensitive info
throw Exception('Request failed');
}
} catch (e) {
// Log securely, don't expose stack traces to users
debugPrint('Error: $e');
}
```

**6. Root/Jailbreak Detection**

```dart
// Implement basic tamper detection
import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';

Future checkDeviceSecurity() async {
try {
bool jailbroken = await FlutterJailbreakDetection.jailbroken;
bool developerMode = await FlutterJailbreakDetection.developerMode;

if (jailbroken || developerMode) {
// Handle insecure device
return false;
}
return true;
} catch (e) {
// Handle error
return false;
}
}
```

**7. Secure Logging**

```dart
// Never log sensitive information
// BAD:
print('User password: $password'); // NEVER DO THIS
debugPrint('Auth token: $token'); // NEVER DO THIS

// GOOD:
debugPrint('Authentication successful'); // Generic message
// Use proper logging framework in production
import 'package:logger/logger.dart';

final logger = Logger(
printer: PrettyPrinter(
methodCount: 0,
errorMethodCount: 5,
lineLength: 50,
colors: true,
printEmojis: true,
printTime: true,
),
);

// In production, disable verbose logging
if (kReleaseMode) {
logger.level = Level.error;
}
```

**8. Disable Debug Features in Production**

```dart
// Check for release mode
import 'package:flutter/foundation.dart';

if (kDebugMode) {
// Debug-only features
print('Debug mode active');
} else {
// Production settings
// Disable all debug outputs
// Enable security hardening
}
```

**9. AndroidManifest.xml Security**

```xml



```

**10. iOS Info.plist Security**

```xml

NSAppTransportSecurity

NSAllowsArbitraryLoads

NSAllowsArbitraryLoadsInWebContent

```

---

## Common Pitfalls and Solutions

### Pitfall 1: Over-reliance on Client-Side Security

**Problem**: Implementing all security logic on the client side.

**Solution**:
- Always validate on server side
- Client-side validation is for UX, not security
- Implement proper authentication/authorization on backend
- Use server-side rate limiting

### Pitfall 2: Hardcoded Secrets

**Problem**: Storing API keys, passwords, or tokens in source code.

**Solution**:
- Use environment variables during build
- Implement secure key management systems
- Rotate secrets regularly
- Use backend proxy for sensitive API keys

```dart
// BAD
const String apiKey = 'sk_live_1234567890abcdef';

// GOOD - Use environment variables
const String apiKey = String.fromEnvironment('API_KEY');

// Build with: flutter build --dart-define=API_KEY=your_key_here
```

### Pitfall 3: Insufficient Error Handling

**Problem**: Exposing stack traces or sensitive information in error messages.

**Solution**:
```dart
try {
// Operation
} catch (e) {
// BAD: Exposing raw error to user
// showDialog(content: Text('Error: $e'));

// GOOD: Generic user message, detailed logging backend
showDialog(content: Text('An error occurred. Please try again.'));
logErrorToBackend(e, stackTrace); // Send to monitoring service
}
```

### Pitfall 4: Insecure WebViews

**Problem**: Using WebViews without security configurations.

**Solution**:
```dart
import 'package:webview_flutter/webview_flutter.dart';

WebView(
javascriptMode: JavascriptMode.unrestricted,
initialUrl: 'https://yoursite.com',
onWebViewCreated: (WebViewController controller) {
// Implement URL filtering
controller.currentUrl().then((url) {
if (!url.startsWith('https://yoursite.com')) {
// Block navigation
}
});
},
navigationDelegate: (NavigationRequest request) {
// Whitelist allowed domains
if (!request.url.startsWith('https://yoursite.com')) {
return NavigationDecision.prevent;
}
return NavigationDecision.navigate;
},
);
```

### Pitfall 5: Weak Session Management

**Problem**: Sessions never expire or can be easily hijacked.

**Solution**:
- Implement session timeouts
- Use secure, httpOnly cookies (if applicable)
- Implement proper token refresh mechanisms
- Clear sessions on logout

```dart
class SessionManager {
static const Duration sessionTimeout = Duration(minutes: 30);
DateTime? _lastActivity;

bool isSessionValid() {
if (_lastActivity == null) return false;

final now = DateTime.now();
final difference = now.difference(_lastActivity!);

return difference < sessionTimeout;
}

void updateActivity() {
_lastActivity = DateTime.now();
}

void clearSession() {
_lastActivity = null;
// Clear tokens, user data
SecureStorage().deleteAll();
}
}
```

---

## Advanced Scenarios

### Scenario 1: Testing Apps with Multiple Layers of Protection

**Challenge**: App has SSL pinning, root detection, Frida detection, and tamper detection.

**Approach**:
1. Use renamed Frida server
2. Patch root detection in binary
3. Use VPN-based interception instead of system proxy
4. Modify anti-Frida checks in libapp.so
5. Consider using Magisk Hide or custom ROMs

**Script combination**:
```bash
# 1. Start renamed Frida
adb push frida-server /data/local/tmp/.daemon
adb shell "chmod 755 /data/local/tmp/.daemon && /data/local/tmp/.daemon &"

# 2. Use multiple bypass scripts
frida -U -f com.target.app \
-l bypass_root.js \
-l bypass_frida_detect.js \
-l disable-flutter-tls.js \
--no-pause
```

### Scenario 2: Analyzing GraphQL APIs

**Challenge**: App uses GraphQL with complex queries.

**Approach**:
```javascript
// intercept_graphql.js
Java.perform(function() {
var RequestBody = Java.use("okhttp3.RequestBody");
var Buffer = Java.use("okio.Buffer");

RequestBody.writeTo.implementation = function(sink) {
var buffer = Buffer.$new();
this.writeTo(buffer);
var body = buffer.readUtf8();

if (body.includes("query") || body.includes("mutation")) {
console.log("\n[GraphQL Request]");
console.log(body);
}

this.writeTo(sink);
};
});
```

### Scenario 3: Bypassing Binary Integrity Checks

**Challenge**: App verifies its own binary signature.

**Approach**:
1. Locate integrity check function in Ghidra
2. Patch to always return success
3. Or hook at runtime with Frida

```javascript
// bypass_integrity.js
Interceptor.attach(Module.findExportByName("libapp.so", "_checkIntegrity"), {
onLeave: function(retval) {
console.log("[*] Integrity check bypassed");
retval.replace(1); // Return success
}
});
```

---

## Real-World Case Studies

### Case Study 1: Banking App with Multiple Protections

**Target**: Major banking application
**Protections**: SSL pinning, root detection, emulator detection, Frida detection

**Methodology**:
1. Initial reconnaissance: Extracted strings, identified protection libraries
2. Used physical rooted device (bypassed emulator detection)
3. Renamed Frida server to `.system_daemon`
4. Applied Reflutter for SSL pinning bypass
5. Patched root detection in native libraries
6. Successfully intercepted API traffic

**Findings**:
- JWT tokens stored in SharedPreferences (unencrypted)
- API endpoints vulnerable to IDOR
- Session tokens didn't expire
- Hardcoded API keys in libapp.so

**Impact**: Critical - Unauthorized access to user accounts

### Case Study 2: E-commerce App with Weak Crypto

**Target**: E-commerce application
**Protections**: Basic SSL pinning only

**Methodology**:
1. NVISO script successfully bypassed SSL pinning
2. Intercepted checkout process
3. Analyzed payment API

**Findings**:
- Payment processing used predictable transaction IDs
- Price manipulation possible via client-side parameters
- No server-side validation of cart totals
- Discount codes not properly validated

**Impact**: High - Financial loss potential

### Case Study 3: Social Media App with Insecure Storage

**Target**: Social media application
**Protections**: None

**Methodology**:
1. Simple APK extraction and analysis
2. No SSL pinning present
3. Static analysis of storage mechanisms

**Findings**:
- User credentials stored in plaintext in SharedPreferences
- Private messages cached unencrypted in SQLite
- Session tokens never expired
- API tokens exposed in logs

**Impact**: Critical - Complete account compromise

---

## Automation and Continuous Testing

### Automated Security Scanning

```bash
#!/bin/bash
# automated_flutter_scan.sh

APK_PATH=$1
OUTPUT_DIR="scan_results_$(date +%Y%m%d_%H%M%S)"

mkdir -p $OUTPUT_DIR

echo "[+] Starting automated Flutter security scan..."

# 1. Extract APK
echo "[*] Extracting APK..."
unzip -q $APK_PATH -d $OUTPUT_DIR/apk_contents

# 2. String analysis
echo "[*] Analyzing strings..."
strings $OUTPUT_DIR/apk_contents/lib/arm64-v8a/libapp.so > $OUTPUT_DIR/strings.txt

# 3. Search for sensitive data
echo "[*] Searching for sensitive patterns..."
grep -iE "(password|secret|token|api[_-]?key)" $OUTPUT_DIR/strings.txt > $OUTPUT_DIR/sensitive_strings.txt
grep -E "https?://" $OUTPUT_DIR/strings.txt > $OUTPUT_DIR/urls.txt
grep -E "/(api|v[0-9])" $OUTPUT_DIR/strings.txt > $OUTPUT_DIR/api_endpoints.txt

# 4. Analyze manifest
echo "[*] Analyzing AndroidManifest.xml..."
apktool d -f $APK_PATH -o $OUTPUT_DIR/decompiled
cat $OUTPUT_DIR/decompiled/AndroidManifest.xml > $OUTPUT_DIR/manifest.txt

# 5. Check for security flags
echo "[*] Checking security configurations..."
grep -i "allowBackup\|usesCleartextTraffic\|debuggable" $OUTPUT_DIR/manifest.txt > $OUTPUT_DIR/security_flags.txt

# 6. Generate report
echo "[*] Generating report..."
cat > $OUTPUT_DIR/report.txt << EOF
Flutter Application Security Scan Report
Generated: $(date)
APK: $APK_PATH

=== Summary ===
Total strings found: $(wc -l < $OUTPUT_DIR/strings.txt)
Potential sensitive strings: $(wc -l < $OUTPUT_DIR/sensitive_strings.txt)
URLs found: $(wc -l < $OUTPUT_DIR/urls.txt)
API endpoints: $(wc -l < $OUTPUT_DIR/api_endpoints.txt)

=== Findings ===
See individual files in $OUTPUT_DIR for details.

EOF

echo "[+] Scan complete. Results saved to $OUTPUT_DIR/"
echo "[+] Review $OUTPUT_DIR/report.txt for summary."
```

**Usage**:
```bash
chmod +x automated_flutter_scan.sh
./automated_flutter_scan.sh app.apk
```

### Integration with CI/CD

Add security checks to your development pipeline:

```yaml
# .github/workflows/security-scan.yml
name: Flutter Security Scan

on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]

jobs:
security-scan:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Setup Flutter
uses: subosito/flutter-action@v2
with:
flutter-version: '3.x'

- name: Build APK
run: flutter build apk --release

- name: Run MobSF Scan
run: |
docker pull opensecurity/mobile-security-framework-mobsf
docker run -d -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Upload and scan APK

- name: Check for hardcoded secrets
run: |
flutter pub global activate pubspec_lock
flutter pub run analyze_hardcoded_secrets

- name: Dependency vulnerability check
run: flutter pub outdated --show-all
```

---

## Legal and Ethical Considerations

### Authorization

**Critical**: Always obtain written permission before testing:
- Client authorization letter
- Defined scope and boundaries
- Clear start/end dates
- Rules of engagement
- Emergency contact procedures

### Responsible Disclosure

If you discover vulnerabilities:

1. **Report to the vendor immediately**
- Use official security contact
- Provide detailed technical information
- Allow reasonable time to fix (typically 90 days)

2. **Do not publicly disclose**
- Before vendor has patched
- Without coordinating with vendor
- In ways that could cause harm

3. **Follow disclosure guidelines**
- CERT/CC coordination
- CVE assignment process
- Responsible disclosure platforms (HackerOne, Bugcrowd)

### Testing Limitations

**Do not**:
- Test production systems without permission
- Access other users' data
- Perform DoS attacks
- Test third-party services
- Exceed authorized scope

---

## Conclusion

Flutter application security testing requires a specialized approach due to the framework's unique architecture. This guide provides comprehensive methodologies, from basic SSL pinning bypass to advanced binary analysis and automation.

### Key Takeaways

1. **SSL Pinning**: Use NVISO script or Reflutter for reliable bypass
2. **Static Analysis**: Always extract and analyze strings from libapp.so/App binary
3. **Dynamic Analysis**: Frida is essential for runtime instrumentation
4. **Obfuscation**: Expect resistance; prepare multiple bypass techniques
5. **Automation**: Integrate security testing into development workflows

### Next Steps

- Practice on intentionally vulnerable Flutter apps
- Contribute to open-source security tools
- Stay updated with Flutter security updates
- Join security communities
- Continuous learning and skill development

### Additional Resources

- **OWASP Mobile Top 10 2024**
- **Flutter Security Documentation**
- **Frida CodeShare Scripts**
- **Mobile Security Testing Guide (MSTG)**

---

## Contributing

This guide is open source. Contributions are welcome:

1. Fork the repository
2. Create a feature branch
3. Add content or improvements
4. Submit a pull request

### Areas for Contribution

- Additional case studies
- New bypass techniques
- Updated tool versions
- Platform-specific tips
- Automation scripts
- Translations

---

## Changelog

**v2.0.0** - October 2025
- Complete rewrite with improved structure
- Added advanced techniques section
- Included automation scripts
- Expanded security best practices
- Added real-world case studies
- Comprehensive testing checklist

---

## License

MIT License - Free to use, modify, and distribute with attribution.

## Disclaimer

This guide is for educational purposes and authorized security testing only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security assessments.

---

**Author**: Anousone Phyakeo
**Last Updated**: October 2025
**Version**: 2.0.0
**Repository**: (https://github.com/anousonephyakeo/flutter-security-toolkit)

---

*For questions, updates, or contributions, please open an issue on GitHub.*