This repository contains a series of progressive challenges designed to introduce the reverse engineering of Flutter applications. Since there aren't many blog posts or tutorials that explain Flutter reversing in detail, I decided to create this repo as a hands-on way to fill that gap.
The goal is to build a solid foundation for understanding the unique characteristics of the Flutter framework and the analysis techniques commonly used with it.
The challenges are structured incrementally, starting with fundamental concepts and advancing toward intermediate and more advanced techniques such as network traffic interception and protection bypasses.
Instead of a traditional writeup, each challenge includes a detailed, blog post-style solution that guides you step-by-step through the reversing process, blending hands-on problem-solving with relevant theory so the concepts are learned directly through practice.
- Basic knowledge of Android mobile applications
- Familiarity with reverse engineering concepts
- Familiarity with Frida
- Rooted Android device (some challenges may not function correctly on emulators)
If you feel you are missing any prerequisites, the following resources are highly recommended:
Each challenge directory includes:
- `chall<X>.apk`: the compiled APK for the challenge
- `solution/_images/`: images referenced in the solution
- `solution/solution.md`: a detailed, step-by-step solution
- `src/`: the application source files and build instructions, for those who want to modify the app and experiment further
```
$ tree
.
├── chall<X>.apk
├── solution
│   ├── _images
│   │   ├── chall<X_Y>.png
│   └── solution.md
└── src
    ├── how_to_build.md
    └── main.dart
```
- chall0: Introduction to Flutter
- chall1: Debug Mode - Source Code Leakage
- chall2: Release Mode - Finding Hardcoded Secrets
- chall3: Release Mode - Hooking with Frida 1 (read return value)
- chall4: Release Mode - Hooking with Frida 2 (change return value)
- chall5: Release Mode - Reversing Platform (Java) Code
- chall6: Release Mode - Intercepting HTTPS Traffic
- chall7: Release Mode - Bypassing Integrity Checks for Traffic Interception
- chall8: Release Mode - Bypassing SSL Pinning
Some of these tools require specific configuration. To simplify setup and ensure reproducibility, Dockerfiles for them are provided in the /tools directory.
Tools:
- apktool: tool for decompiling and rebuilding APKs
- Blutter: decompiler for Flutter applications (Dockerfile included in this repository)
- Frida: dynamic instrumentation toolkit
- jadx: Android decompiler
- reFlutter: framework for Flutter reverse engineering
- Burp Suite: proxy for traffic interception
- Flutter Official Website
- Frida Documentation
- Blutter GitHub Repository
- reFlutter GitHub Repository
- The Complexity Of Reversing Flutter Applications by Axelle Apvrille (youtube)
- Flutter Hackers: Uncovering the Dev’s Myopia (Part 1)
- Flutter Hackers: Uncovering the Dev’s Myopia (Part 2)
- Reversing an Android sample which uses Flutter
- The Current State & Future of Reversing Flutter Apps
- Obstacles in Dart Decompilation & the Impact on Flutter App Security
- How Classical Attacks Apply to Flutter Apps
- B(l)utter - Reversing Flutter Application by using Dart Runtime
- Intercepting traffic from Android Flutter applications
- Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)
- Blog frida-flutterproxy
- Intercepting HTTPS Communication in Flutter
This project is distributed under the MIT License. See the LICENSE file for more details.
This repository is created exclusively for educational purposes. The techniques described should only be used on applications you have the right to analyze, or in controlled test environments. The author assumes no responsibility for misuse of the information contained in this repository.