Reputation: 123
We are using Flutter for app development. Our security testers said that we need to disable SSL pinning in the Flutter code so they can run some tests. We couldn't do it. We use the Dio package for HTTP requests. How can we disable SSL pinning in Flutter?
Upvotes: 4
Views: 9991
Reputation: 151
Actually, Flutter doesn't have SSL pinning by default; all that's happening is that the Dio package you used is blocking self-signed certificates, so you have two options to disable SSL pinning.
1- Ask your pen.
2- Use the Dio-provided callback client.badCertificateCallback and return true from it so your pen-testing team will be able to decrypt the SSL traffic.
Upvotes: 0
Reputation: 720
SSL pinning is not a default behaviour of Flutter, but the Dio library does reject the self-signed certificate that we install when using a proxy server to intercept API calls. The Dio library provides a callback, badCertificateCallback, which it invokes when it finds a self-signed certificate in the connection.
import 'dart:io';
import 'package:dio/dio.dart';
import 'package:dio/adapter.dart'; // DefaultHttpClientAdapter

final dio = Dio();
(dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
    (client) {
  // Route every request through the interception proxy.
  client.findProxy = (uri) => "PROXY 192.168.1.10:8888;";
  // Accept the proxy's self-signed certificate instead of rejecting it.
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true;
};
If you return true in client.badCertificateCallback, the system will accept the self-signed certificate and will call the server, and you will be able to intercept the call in the proxy server; but if you return false, it will reject the certificate, the API call will not proceed, and you won't be able to make the call to the server. By default it is false.
client.findProxy = (uri) => "PROXY 192.168.1.10:8888;"; // here you need to write your own local proxy address and port number
Upvotes: 0
Reputation: 151
I faced a similar problem. The solution was pretty simple. The http package automatically prevents the network from being listened to.
To fix this problem and resubmit it for penetration testing, make these changes to the main.dart file:
import 'dart:io';

class MyHttpOverrides extends HttpOverrides {
  @override
  // `SecurityContext?` matches the null-safe base class signature.
  HttpClient createHttpClient(SecurityContext? context) {
    if (Platform.isAndroid) {
      // On Android only the self-signed certificate is accepted; no proxy is set here.
      return super.createHttpClient(context)
        ..badCertificateCallback =
            (X509Certificate cert, String host, int port) => true;
    }
    // On other platforms traffic is also routed through the local proxy.
    return super.createHttpClient(context)
      ..findProxy = (uri) {
        return "PROXY localhost:8080";
      }
      ..badCertificateCallback =
          (X509Certificate cert, String host, int port) => true;
  }
}
and add this line in the main() method:
HttpOverrides.global = MyHttpOverrides();
Upvotes: 4
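Returning true from badCertificateCallback, as the answers above do, accepts every untrusted certificate for every host, and it is easy to leave that in a release build. The following is an added example, not code from the question or any answer: an HttpOverrides that, in debug builds only, trusts the pentest proxy's CA certificate as an extra root and routes traffic through the proxy, while leaving badCertificateCallback at its rejecting default. The asset path assets/proxy-ca.pem and the proxy address 192.168.1.10:8888 are placeholders.

```dart
import 'dart:io';
import 'package:flutter/foundation.dart' show kDebugMode;
import 'package:flutter/services.dart' show rootBundle;
import 'package:flutter/widgets.dart' show WidgetsFlutterBinding;

/// Trusts one extra root, the interception proxy's CA, only in debug builds.
/// badCertificateCallback is left at its default, so any certificate that
/// does not chain to the system roots or to this CA is still rejected.
class PentestHttpOverrides extends HttpOverrides {
  PentestHttpOverrides({required this.proxyCaPem, required this.proxy});

  /// PEM-encoded CA certificate exported from the proxy the testers use.
  final List<int> proxyCaPem;

  /// Proxy in findProxy syntax, e.g. 'PROXY 192.168.1.10:8888;' (placeholder).
  final String proxy;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    if (!kDebugMode) {
      // Release builds: platform defaults, no proxy, no extra trust anchor.
      return super.createHttpClient(context);
    }
    // System roots plus the proxy CA; validation itself stays enabled.
    final ctx = SecurityContext(withTrustedRoots: true)
      ..setTrustedCertificatesBytes(proxyCaPem);
    return HttpClient(context: ctx)..findProxy = (_) => proxy;
  }
}

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();
  if (kDebugMode) {
    // Assumed asset path; register it under `flutter: assets:` in pubspec.yaml.
    final pem = await rootBundle.load('assets/proxy-ca.pem');
    HttpOverrides.global = PentestHttpOverrides(
      proxyCaPem: pem.buffer.asUint8List(),
      proxy: 'PROXY 192.168.1.10:8888;',
    );
  }
  // runApp(const MyApp());
}
```

Dio's default adapter creates its HttpClient through HttpClient(), which honours HttpOverrides.global, so Dio requests pick this up without touching the adapter.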
Reputation: 7640
EDIT:
SSL pinning is not the default behavior, so you don't need to disable it if it has not already been enabled.
Upvotes: 2