Listening to HTTP Requests of Flutter Applications

Security and performance testers regularly run into problems when listening to HTTP requests of applications built with the Flutter framework.

This may happen either because the HTTP package automatically prevents the network traffic from being listened to in the main.dart file, or because there is SSL pinning. By following the steps below, you will be able to listen to the services in both scenarios.

If you need to record the services to create a dynamic JMX for performance testing, or to perform a security test, here are the steps to follow.

Install Reflutter

To install reflutter, type pip3 install reflutter in your terminal. If you don't have Python 3, you can type:

brew install python3

pip3 install reflutter

Download Uber APK Signer

First, make sure you are in the same directory as your apk and uber-apk-signer.jar. Then run the command below:

reflutter NAME_OF_YOUR_APP.apk

Reflutter will create a new apk in the same directory, named apkname.RE.apk.

To sign the new apk you can use:

java -jar uber-apk-signer.jar --apks NEW_APP_NAME.apk
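
The patch-and-sign steps above as one script with pre-flight checks. This is an added example, not part of the original post or of the reflutter or uber-apk-signer projects. The file names follow this page; the function names are hypothetical, and the script picks up whichever *.RE.apk reflutter wrote rather than assuming its exact name.

```shell
#!/bin/sh
# Added example: the patch-and-sign steps with pre-flight checks.
# File names follow this page; the helper function names are hypothetical.
SIGNER_JAR="uber-apk-signer.jar"

# Succeeds only if the APK and the signer jar are in the same directory.
check_files() {
    apk="$1"
    dir=$(dirname "$apk")
    [ -f "$apk" ] || { echo "missing APK: $apk" >&2; return 1; }
    [ -f "$dir/$SIGNER_JAR" ] || { echo "missing $SIGNER_JAR in $dir" >&2; return 1; }
}

# Succeeds only if every tool the procedure calls is on PATH.
check_tools() {
    for tool in reflutter java; do
        command -v "$tool" >/dev/null 2>&1 || { echo "not installed: $tool" >&2; return 1; }
    done
}

# Prints the newest *.RE.apk in directory $1; fails if there is none.
find_patched_apk() {
    newest=""
    for f in "$1"/*.RE.apk; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Runs reflutter on the APK, then signs whatever *.RE.apk it produced.
patch_and_sign() {
    check_files "$1" || return 1
    check_tools || return 1
    (
        cd "$(dirname "$1")" || exit 1
        reflutter "$(basename "$1")" || exit 1   # foreground, so you can answer any prompt
        patched=$(find_patched_apk .) || { echo "reflutter produced no .RE.apk" >&2; exit 1; }
        java -jar "$SIGNER_JAR" --apks "$patched"
    )
}

# Run the pipeline only when an APK path is given on the command line.
if [ "$#" -gt 0 ]; then
    patch_and_sign "$1"
fi
```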

Setting Up BurpSuite and JMeter

You now have an apk named NEW_APP_NAME.apk whose traffic you can listen to on port 8083.

You can listen to all the requests on port 8083 without making any changes in your emulator or physical device network settings.

We need to set the proxy settings of Burp Suite to listen to the services and upstream those to JMeter’s Recorder.

Your Proxy Listener should look like this:

Select your existing Proxy Listener and click the Edit button. Follow these steps in the window that opens.

The port must be 8083, and you must select All Interfaces.

You also need to select the Support Invisible Proxying checkbox from the Request Handling tab:

We are now able to get the requests through Burp Suite. If you prefer, you can send the traffic upstream to JMeter. Click Add under User Options > Upstream Proxy Servers. You can set the port to 8888, which is JMeter's default recording port. It needs to look like this:

We are now ready to go. Just make sure you have installed NEW_APP_NAME.apk on an emulator or Android device that is using the same internet connection. Click record in JMeter and run the app. You will see every request in both the Burp Suite and JMeter UI.
