From 85aacdd0dc4cd8e69f0736f09dbb9f189e319cac Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 2 Feb 2026 13:00:56 +0000 Subject: [PATCH] Add content from: Practical Mobile Traffic Interception --- .../android-app-pentesting/flutter.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/flutter.md b/src/mobile-pentesting/android-app-pentesting/flutter.md index a7f3bbf3f18..ca37e18b12b 100644 --- a/src/mobile-pentesting/android-app-pentesting/flutter.md +++ b/src/mobile-pentesting/android-app-pentesting/flutter.md 
@@ -103,7 +103,17 @@ The Codeshare script overrides the Flutter TLS verifier so every certificate (in 5. **Route traffic through your proxy.** Configure the emulator Wi-Fi proxy GUI or enforce it via `adb shell settings put global http_proxy 10.0.2.2:8080`; if direct routing fails, fall back to `adb reverse tcp:8080 tcp:8080` or a host-only VPN. -Once the CA is trusted at the OS layer and Frida quashes Flutter's pinning logic, Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK. +6. **If the app ignores OS proxy settings, redirect sockets with a Frida shim.** Tools like **frida4burp** hook `dart:io`/BoringSSL socket creation to force outbound TCP sessions to your proxy, even with hardcoded `HttpClient.findProxyFromEnvironment` or Wi‑Fi bypasses. Set the proxy host/port in the script and run it alongside the TLS bypass: + +```bash +frida -U -f com.example.target --no-pause \ + --codeshare TheDauntless/disable-flutter-tls-v1 \ + -l frida4burp.js +``` + +Works on iOS via a Frida gadget or USB frida-server; chaining the socket redirect with the TLS bypass restores both routing and certificate acceptance for Burp/mitmproxy. + +Once the CA is trusted at the OS layer and Frida quashes Flutter's pinning logic (plus socket redirection if needed), Burp/mitmproxy regains full visibility for API fuzzing (BOLA, token tampering, etc.) without repacking the APK. ### Offset-based hook of BoringSSL verification (no signature scan) When pattern-based scripts fail across architectures (e.g., x86_64 vs ARM), directly hook the BoringSSL chain verifier by absolute address within libflutter.so. Workflow: 
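Review bot: the reason given in the new step 6 is imprecise: `HttpClient.findProxyFromEnvironment` is not a "hardcoded" bypass, it is the opt-in hook that reads `http_proxy`/`https_proxy` environment variables, and the real cause is that Dart's `dart:io` `HttpClient` never consults the Android system proxy at all, so the Wi-Fi proxy and the `adb shell settings put global http_proxy 10.0.2.2:8080` setting from step 5 are ignored by most Flutter apps without any deliberate bypass. Suggest rewording along those lines and stating which value goes into the script: the proxy address must be reachable from the device, i.e. `10.0.2.2:8080` on an emulator, or `127.0.0.1:8080` only after the `adb reverse tcp:8080 tcp:8080` fallback from step 5, never the host's own loopback. Two smaller points on the same hunk: the `--no-pause` flag in `frida -U -f com.example.target --no-pause \` was removed in Frida CLI 16 and later (a spawned process now resumes by default; `--pause` restores the old behaviour), so either drop it or note the Frida version the command was tested with; and the sentence "Works on iOS via a Frida gadget or USB frida-server; ..." is in `src/mobile-pentesting/android-app-pentesting/flutter.md`, so it belongs on the iOS page rather than here.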
@@ -148,6 +158,7 @@ iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination : - [PoC Frida hook for Flutter SSL bypass](https://github.com/m4kr0x/flutter_ssl_bypass) - [BoringSSL ssl_x509.cc (ssl_crypto_x509_session_verify_cert_chain)](https://github.com/google/boringssl/blob/main/ssl/ssl_x509.cc#L238) - [SSL Pinning Bypass – Android](https://hardsoftsecurity.es/index.php/2025/11/26/ssl-pinning-bypass-android/) +- [Practical Mobile Traffic Interception](https://medium.com/@justmobilesec/practical-mobile-traffic-interception-1481e33d974e) {{#include ../../banners/hacktricks-training.md}}
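Review bot: the References hunk adds only the Medium write-up, but the new step 6 names frida4burp and tells the reader to edit and load `frida4burp.js` without saying where the script comes from; add a link to the tool's repository next to the existing tool entries (the list already links `flutter_ssl_bypass` and the BoringSSL source) so the reader can fetch and audit the hook before running it against a target.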