Flutter Hackers: Uncovering the Dev’s Myopia (Part 2)

Deep dive into reverse engineering a Flutter release-mode APK with Frida

Not all Flutter applications are hard to analyze statically. To spot a vulnerability, we should also begin to treat the packages an app uses as an in-scope variable of the black-box testing engagement.

In the previous post, I introduced how Dart and Flutter relate to each other, and one mistake that developers should have spotted during the application build phase. If you haven't read it, I'd recommend reading it first, especially if you've never heard of this application framework.

A company I would consider a startup invited me to do black-box testing of their recent web server and APK under their private program. I was unsure about it once I heard that Flutter was their choice for building the APK. Still, there's a first time for everything, so I took the chance to scrutinize the application.

Within approximately 4–5 days, one of the vulnerabilities I discovered was fairly unique, but its cause was not their design; in fact, it came from a public package they had been using. This vulnerability allowed me to enter a developer mode that exposed a large amount of PII inside the APK. I also pointed out that storing hardcoded "super-user" credentials is not best practice at all, even if they are encrypted, and that it would be best if they had managed all
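Two of the points above are easy to check on any Flutter release build without touching Frida: which third-party packages are compiled into the app, and whether an "encrypted" hardcoded credential is recoverable because its key ships in the same binary. The following is an added example written for this edit, not code from the original post or from the tested application. It scans a constructed byte blob standing in for `lib/<abi>/libapp.so` (the Dart AOT snapshot, which in non-obfuscated release builds still carries `package:` URIs for stack traces); the package name `acme_dev_console`, the `SUPERUSER_*` strings and the XOR scheme are hypothetical stand-ins for whatever an app actually embeds.

```python
import re
from typing import List, Optional

# Constructed stand-in for the string regions of a Flutter release
# build's lib/<abi>/libapp.so. A real file is mostly machine code; these
# bytes only mimic what `strings -n 6 libapp.so` would surface.
# Package and credential names below are hypothetical.
SAMPLE_LIBAPP = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"package:flutter/src/widgets/framework.dart\x00"
    + b"\x90\x90\x90package:http/src/client.dart\x00"
    + b"package:shared_preferences/shared_preferences.dart\x00"
    + b"package:acme_dev_console/src/dev_mode.dart\x00"  # hypothetical 3rd-party package
    + b"\x00\x01\x02SUPERUSER_KEY=k3y_in_apk\x00"        # hypothetical embedded key
    + b"SUPERUSER_ENC=0a57143607540c14005819601c3c1b0b2b40\x00"  # hypothetical ciphertext
    + b"DevModeGate.unlock\x00"
)

PACKAGE_RE = re.compile(r"package:([a-z0-9_]+)/")
CRED_HINT_RE = re.compile(r"(superuser|admin|passw|secret|token|api_?key|dev_?mode)", re.I)


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def list_packages(blob: bytes) -> List[str]:
    """Dart package names referenced by the snapshot via package: URIs.
    This is the dependency list to put in scope for the assessment."""
    return sorted({m.group(1)
                   for s in extract_strings(blob)
                   for m in PACKAGE_RE.finditer(s)})


def credential_candidates(blob: bytes) -> List[str]:
    """Strings worth a manual look: credential or dev-mode keywords."""
    return [s for s in extract_strings(blob) if CRED_HINT_RE.search(s)]


def recover_superuser(blob: bytes) -> Optional[str]:
    """Hypothetical scheme: credential XOR-encrypted with a key embedded in
    the same binary. Any scheme whose key ships in the APK is equivalent,
    which is why 'it is encrypted' does not fix a hardcoded credential."""
    kv = {}
    for s in extract_strings(blob):
        if s.startswith("SUPERUSER_") and "=" in s:
            k, _, v = s.partition("=")
            kv[k] = v
    if "SUPERUSER_KEY" not in kv or "SUPERUSER_ENC" not in kv:
        return None
    key = kv["SUPERUSER_KEY"].encode()
    ct = bytes.fromhex(kv["SUPERUSER_ENC"])
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ct)).decode()


if __name__ == "__main__":
    print("packages:", list_packages(SAMPLE_LIBAPP))
    print("candidates:", credential_candidates(SAMPLE_LIBAPP))
    print("recovered super-user:", recover_superuser(SAMPLE_LIBAPP))
```

On a real APK, unzip it, point `extract_strings` at `lib/arm64-v8a/libapp.so`, and check each package name from `list_packages` against its published advisories and its debug or developer-mode features; if `--obfuscate` was used the `package:` URIs are gone, but embedded credentials and their keys still are not.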
