Unable to handle HTTPS traffic for some Flutter applications
Please answer the following questions for yourself before submitting a question.
- [X] I am running the latest version
- [X] I checked the knowledge base and found no answer
- [X] I checked to make sure that this issue has not already been filed
Ask a question
I am testing AdGuard with Boorusama (a web gallery client) on Android:
https://github.com/khoadng/Boorusama
It doesn't have SSL pinning, but I can't handle its HTTPS traffic through AdGuard (VPN mode, v4.6.3). I'm using other HTTPS analysis tools to monitor traffic just fine, is there something I'm missing here?
@cxplay some apps don't trust third-party certificates. We have contacted Boorusama app support to clarify about this. Please wait
@cxplay Boorusama app doesn't implement SSL pinning. HTTPS filtering is unfortunately not possible
But why? If there is no SSL pinning, why can't AdGuard filter it?
@cxplay HTTPS filtering is not possible for an application that does not trust third-party certificates
No, this is wrong. Boorusama trusts system certificates, whether third-party or not. You should try to verify this with some HTTP(s) debugging tools:
It's just that AdGuard can't handle HTTPS traffic for that application.
@cxplay the Boorusama developer replied to me that the app doesn't implement SSL pinning
I know, I knew it from the beginning. My question is, why can't AdGuard filter HTTPS traffic for Flutter apps that most HTTPS debugging tools can catch?
This has little to do with SSL pinning, and is only mentioned as a supplement.
Another example of the same problem.
https://github.com/mu-fazil-vk/FluxTube (A YouTube client using piped API)
This is likely related to the popular dio HTTP client implementation in Flutter, which AdGuard doesn't seem to be able to handle requests from.
@cxplay please clarify, do you have Root on your device?
Yes, I have.
@cxplay we need a little more time to figure this out, please wait
I'm always waiting!
@cxplay thanks for waiting! I was able to reproduce this issue on my device, and have passed the logs to the development team. We need some more time, please wait
Glad to hear that!
Wait what? Completed? Where is "complete"?
@cxplay sorry, it was a mistake, it closed automatically.
@cxplay could you please clarify, did you enable HTTPS filtering for the app in App management?
Yes, I did.
@cxplay hmm, now I'm testing on version 4.9, and I see in Recent activity that traffic is being processed
could you please describe in detail again how you check that HTTPS traffic is not processed by AdGuard?
It did work, I'm now using AdGuard v4.10.48, HTTPS filtering on Boorusama v1.1.4, and I can see that specific HTTPS connections are actually being processed. But I went on to test another similar Flutter app and found similar issues, can you check?
https://github.com/Notsfsssf/pixez-flutter
@cxplay okay, could you please describe in detail again how you check that HTTPS traffic is not processed by AdGuard for pixez-flutter?
After installing pixez-flutter and enabling AdGuard's HTTPS filtering, pixez-flutter is experiencing network problems, which according to the error message appear to be SSL certificate issues. AdGuard is actually trying to process pixez-flutter traffic, but initially a certificate error occurs.
@cxplay Flutter apps (like Boorusama and Pixez) use the Dart HttpClient and dio, which sometimes initialize their own TLS context independent of Android’s system trust store. Even though there’s no SSL pinning, AdGuard’s HTTPS certificate isn’t recognized because Flutter doesn’t reload the system CA list dynamically. You can try restarting the app after enabling HTTPS filtering, or, with root, install the AdGuard certificate directly into /system/etc/security/cacerts/. Alternatively, use AdGuard’s automatic proxy mode - dio usually respects proxy settings and filtering works there
Yes, the main problem is that the dio library doesn't trust the Android root CA by default. I don't think there's any way to fix this at this stage.
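An added diagnostic example (not part of the thread, and not code from AdGuard, dio or the apps discussed) for the recurring question of how to check what happens to a Flutter app's HTTPS traffic: called from Dart code on the device, it reports whether the certificate Dart receives was issued by the filtering CA and whether Dart's default trust roots accepted it. The names `classify` and `probe` and the CA-name argument are assumptions; take the CA name from the certificate installed on the device.

```dart
// Added diagnostic sketch; names and the CA-name argument are assumptions.
import 'dart:io';

enum TlsView { direct, filteredTrusted, filteredRejected, rejectedOther }

/// Pure decision on how Dart's TLS stack saw the connection.
/// [issuer]: issuer string of the leaf certificate Dart received.
/// [rejected]: true when Dart's default SecurityContext refused the chain.
/// [filterCaName]: name of the filtering CA (assumed, supplied by the caller).
TlsView classify(String issuer, bool rejected, String filterCaName) {
  final fromFilter = issuer.toLowerCase().contains(filterCaName.toLowerCase());
  if (fromFilter) {
    return rejected ? TlsView.filteredRejected : TlsView.filteredTrusted;
  }
  return rejected ? TlsView.rejectedOther : TlsView.direct;
}

/// Opens one TLS connection with the default trust roots, the same context
/// a plain HttpClient() uses, and classifies the result.
Future<TlsView> probe(String host, String filterCaName) async {
  var rejected = false;
  final socket = await SecureSocket.connect(
    host,
    443,
    context: SecurityContext.defaultContext,
    onBadCertificate: (X509Certificate cert) {
      rejected = true; // record Dart's verdict
      return true; // continue only to read the issuer; no data is sent
    },
    timeout: const Duration(seconds: 10),
  );
  try {
    return classify(socket.peerCertificate?.issuer ?? '', rejected, filterCaName);
  } finally {
    socket.destroy();
  }
}

Future<void> main(List<String> args) async {
  // Constructed issuer strings exercising the decision without a network.
  const ca = 'Example Filter CA'; // placeholder, not a real CA name
  assert(classify('/CN=$ca', true, ca) == TlsView.filteredRejected);
  assert(classify('/CN=$ca', false, ca) == TlsView.filteredTrusted);
  assert(classify('/O=Some Public CA/CN=R1', false, ca) == TlsView.direct);
  // Live check: dart run probe.dart <host> "<filter CA name>"
  if (args.length == 2) print(await probe(args[0], args[1]));
}
```

`filteredRejected` corresponds to the certificate error reported for pixez-flutter, `filteredTrusted` to the working Boorusama case, and `direct` to traffic that reaches the server without being re-signed by the filter.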