httptoolkit icon indicating copy to clipboard operation
httptoolkit copied to clipboard
verified publisher icon httptoolkit

[Bug]: Network requests are not intercepted for iOS apps built on Dart using Flutter

Open bhavukjain1 opened this issue 1 year ago • 2 comments

Has this been reported before?

  • [X] I have checked for existing reports of this issue

Repro steps

The API requests generated on iOS apps built on Dart using Flutter are not intercepted by the HTTP toolkit. Steps to reproduce -

  1. Configure iOS device with HTTP toolkit.
  2. Run http toolkit on MacOS (version 1.14.10).
  3. Download the demo flutter app - https://github.com/bhavukjain1/flutter_rest_api
  4. Run this on a physical iOS device.
  5. In the iOS app, click on Fetch User Data

Ideally this should make an API call to https://bhavukjain.com/ but is not intercepted by the HTTP toolkit on the MacOS.

How often does this bug happen?

Every time

The desktop OS you're using

MacOS 14.3

Details of other apps/devices

iOS 17.3

Error screenshot

No response

Any other info?

No response

bhavukjain1 avatar Mar 04 '24 09:03 bhavukjain1

Ah, I see! Sorry from your Twitter comment I assumed that iOS wasn't working for you at all. Sounds like it is, it's just not working for Flutter requests specifically.

That is a known problem, and yes right now workarounds like hosting a custom VPN are the best options I think. I have a few alternatives I'm working on though! I'd be interested in what you think:

  • Focusing on jailbroken/simmulator/debuggable app use cases, where Frida can be used to redirect traffic manually with no VPN required. This would be able to target a single app in isolation, and can also handle certificate setup & unpinning automatically en route. This is mostly automation & simplified setup around the existing Frida scripts I shared on Twitter.
  • Building a VPN-like network extension, effectively using the iOS VPN APIs to rewrite traffic as it leaves the device, but without actually needing a VPN server anywhere (this is how the Android app works, more info here: https://httptoolkit.com/blog/inspecting-android-http/). This would work on non-jailbroken devices, but it's quite complicated to develop, would still require manual cert setup, and wouldn't be able to help with unpinning at all.

Any thoughts on what would work best for the kind of use cases you see?

I'll keep this issue open regardless - it's a good point, and I'm definitely interested in finding proper automated solutions to this in future.

pimterry avatar Mar 04 '24 12:03 pimterry

No worries! I'm keen on looking out for solutions other than VPN for non jailbroken devices but it seems to be quite a task at the moment.

bhavukjain1 avatar Mar 04 '24 18:03 bhavukjain1