Proxying Traffics of Flutter-Based Android Apps Having Split APKs or XAPK

Bimal DhitalBimal Dhital
2 min read

If you are not familiar with the restriction that Flutter-Based Apps have while proxying it's traffic for analysis proposes then you can head over to this blog and read more about it, Bypass SSL Pinning for Flutter Apps using reFlutter Framework | Medium

Now that we know what kind of restriction it is and how it works. In this blog, I will try to apply the same method to Android apps that come with split APKs.

The split apks method has started getting more common these days, as it solves a lot of problems related to the spec differences of a vast number of Android devices. It also helps devs to quickly push short updates for specific components of the app.

I will be using MeMuPlay Android Emulator on my Windows 11 machine to test this apk having split apks.

Once the app is installed. Connect to the Emulator's adb from your Windows Terminal. Enter into the shell of the emulator using adb shell the command. You can use this command to search for the package you looking for.

In my case it's io.github.ictsolved.csit

Now find its path. Using the command as shown below

Now grab all the APKs from the emulator. To do that, make sure you copy the folder location of the package and use adb pull to copy it into your PC.

Go inside the directory. You should have files that look like this.

Those 3 apk files are what we are interested in. Since I am using an emulator, let's look at the split_config.x86_64.apk file.

So this one has the libflutter.so file. We use reFlutter on it to add our bypass.

Once you reflutter on the right apk, sign all of the apks using uber apk signer.

Uninstall the app from the emulator and use adb to install the apks. To install multiple apks, use this command

adb install-multiple
Make sure you add the base.apk first, then enter split apks behind it. And don't forget to add the signed apks only, you won't be able to install non-signed apks or it won't work.

And that's it. Start your analysis using Burp Suite. You can also download split apks from the sites like Apkmirror. They usually pack those apks inside an XAPK zip-like format. You can simply extract it grab the apks from it and follow the procedure.

0
Subscribe to my newsletter

Read articles from Bimal Dhital directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Flutterandroid app securitypentestingBurpsuite

Written by

Bimal Dhital
Bimal Dhital

A guy with a keen interest in computer networks, software development, web technologies, embedded systems, and programming. When I am bored you can find me bingeing anime series, reading novels, and tinkering with hardware and software.