Skip to content

Commit c16cac5

Browse files
authored
Merge pull request #8 from enzowritescode/flutter-callout
Add note about Flutter request
2 parents 80cc6d6 + 2aba0dc commit c16cac5

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,10 @@ On a normal unintercepted device, every button should always immediately pass.
1414

1515
On a device whose HTTPS is being intercepted (e.g. with [HTTP Toolkit](https://httptoolkit.com/android/)), the unpinned buttons will pass, and then all other buttons the first 'unpinned' buttons will fail.
1616

17-
On an intercepted device using a standard Frida script (or similar) to automatically disable certificate pinning (e.g. https://github.com/httptoolkit/frida-interception-and-unpinning/) all buttons should pass _except_ the final "custom-pinned" button.
17+
On an intercepted device using a standard Frida script (or similar) to automatically disable certificate pinning (e.g. https://github.com/httptoolkit/frida-interception-and-unpinning/) all buttons should pass _except_ the final "custom-pinned" button and the Flutter request.
1818

1919
That final button uses low-level manual checks against the TLS connection, with no external libraries or config involved. It is still possible to make this pass too, but you'll need to do a little reverse engineering to disable that code specifically. See [this Android reverse engineering blog post](https://httptoolkit.com/blog/android-reverse-engineering/) for more details.
2020

21+
The Flutter request is part of the experimental work being done in [frida-interception-and-unpinning](https://github.com/httptoolkit/frida-interception-and-unpinning) and for now will require other means for bypassing.
22+
2123
<img width=200 src="https://raw.githubusercontent.com/httptoolkit/android-ssl-pinning-demo/main/screenshot.png" alt="A screenshot of the app in action" />

0 commit comments

Comments
 (0)