SSL Pinning and Root Detection: Flutter Android & iOS

Priyanshu Manash
3 min read · Nov 18, 2024

When testing mobile applications, especially in fintech, advanced security measures like SSL Pinning and Root Detection can hinder dynamic analysis. Testers may need to bypass these features for legitimate purposes, such as penetration testing or debugging. In this article, we’ll delve into what these features are, why they exist, and how to disable them in Flutter apps for both Android and iOS.


Understanding the Concepts

1. SSL Pinning

  • What It Does: SSL Pinning ensures that the app communicates only with a trusted server by verifying a specific certificate. Even if someone intercepts the traffic, the app will reject untrusted certificates.
  • Why Disable: During testing, tools like Burp Suite or Charles Proxy present their own certificates in order to inspect app traffic. SSL pinning blocks these tools.

2. Root/Jailbreak Detection

  • What It Does: Detects if the device is rooted (Android) or jailbroken (iOS). These devices are considered insecure, as they allow unauthorized access to system-level functions, increasing the attack surface.
  • Why Disable: Testers may use rooted/jailbroken devices to simulate attacks or bypass certain restrictions during testing.
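The SSL pinning check described in item 1, sketched in Python rather than Dart as an added example (not code from the original article): it shows why a proxy certificate is rejected by the pin even when the device trusts the proxy's CA. The certificate byte strings are constructed stand-ins, and `cert_pin`, `pin_matches`, `open_pinned` and the `api.example.test` name are illustrative assumptions.

```python
import base64
import hashlib
import socket
import ssl


def cert_pin(der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of the DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def pin_matches(der: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate hashes to one of the pinned values."""
    return cert_pin(der) in pins


def open_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Ordinary chain and hostname validation first, then the pin check on top."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        sock = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = sock.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        sock.close()
        # A mismatch on a chain the OS accepted is worth logging: it usually
        # means an intercepting proxy or an unannounced certificate rotation.
        raise ssl.SSLError(f"pin mismatch for {host}: got {cert_pin(der)}")
    return sock


# Constructed stand-ins for DER certificates (not real certificates).
SERVER_CERT = b"constructed-der: api.example.test leaf"
BACKUP_CERT = b"constructed-der: api.example.test backup leaf"
PROXY_CERT = b"constructed-der: api.example.test issued by proxy CA"

# Shipping a backup pin lets the server rotate certificates without an app update.
PINS = {cert_pin(SERVER_CERT), cert_pin(BACKUP_CERT)}


def demo() -> dict[str, bool]:
    """Pin decision for each constructed certificate."""
    return {
        "server": pin_matches(SERVER_CERT, PINS),
        "backup": pin_matches(BACKUP_CERT, PINS),
        "proxy": pin_matches(PROXY_CERT, PINS),
    }
```

`open_pinned` is the part that touches the network; `demo()` exercises only the pin decision and runs offline.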
