Hi all,
Since upgrading to Flutter 3.35.1, our cybersecurity team can no longer intercept API calls to our company’s domain (api.xcompany.com) using Burp Suite, even though:
- SSL verification is disabled in Dio (see code below)
- The app has no custom security libraries, just default Flutter packages
- Third-party traffic (e.g., Firebase) is intercepted fine
Cyber team setup:
- Tools: Reflutter (rebuild), Uber-sign (sign), Burp Suite (proxy)
- Device proxy set to Burp Suite
- SSL bypass Dio code:
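```dart
import 'package:dio/dio.dart';
import 'dart:io';

// Builds a Dio instance whose underlying HttpClient accepts any certificate.
Dio getDio() {
  var dio = Dio();
  (dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
      (HttpClient client) {
    // Returning true accepts certificates that fail validation.
    client.badCertificateCallback =
        (X509Certificate cert, String host, int port) => true;
    return client;
  };
  return dio;
}
```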
Goal:
We want to intercept our own API traffic just like other requests. Any idea what might block it in Flutter 3.35.1?
Thanks!