Mobile Security via Flutter — Ep.1 SSL Pinning
Article Summary
Amorn Apichattanakul from KBTG reveals why the SSL pinning solution most Flutter devs find on StackOverflow has a critical security flaw. His team discovered this while building banking apps that passed penetration testing.
This article walks through implementing SSL pinning in Flutter to prevent man-in-the-middle attacks. The author shares lessons learned from KBTG's banking industry experience, where they follow OWASP security standards and practice strict data privacy (developers can't even access their own database).
Key Takeaways
- The common badCertificateCallback approach pins intermediate certificates without checking Common Name
- An attacker can obtain a fake certificate from the same provider and bypass this protection
- Solution: combine badCertificateCallback with SHA256 thumbprint verification using X509Utils
- Implementation takes roughly 10 days versus 80-90 days for typical features
- The ssl_pinning_plugin library now passes penetration testing and is a simpler alternative
Basic SSL pinning in Flutter requires dual verification (certificate callback plus SHA256 checking) to truly block man-in-the-middle attacks, but newer libraries can simplify the implementation.
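The dual check described above, as an added Dart/Flutter example that is not code from the article or from KBTG. It pins a SHA-256 thumbprint of the certificate's DER bytes inside badCertificateCallback, so a different certificate from the same issuer produces a different hash and is refused. It assumes package:crypto (used here in place of the article's X509Utils), a placeholder thumbprint value, and a hypothetical host api.example.com. Two caveats the page implies: badCertificateCallback only runs when the chain fails default validation, so the SecurityContext is created without the OS root store to force the callback on every connection; and the certificate handed to the callback is the one at the failing link of the chain (the article reports the intermediate), so the allowlist must hold the thumbprint of exactly the certificate you observe in the callback.

```dart
// Added example (not the article's code): SHA-256 thumbprint pinning in
// Flutter/Dart via badCertificateCallback. package:crypto stands in for
// X509Utils; the pinned value and host are placeholders.
import 'dart:io';

import 'package:crypto/crypto.dart';

/// Lowercase hex SHA-256 of the DER bytes of the certificate(s) we accept.
/// PLACEHOLDER: compute the real value from the certificate the callback
/// receives, e.g. `openssl x509 -in cert.pem -outform DER | openssl dgst -sha256`.
const Set<String> kPinnedSha256 = {
  '0000000000000000000000000000000000000000000000000000000000000000',
};

/// SHA-256 over the full DER encoding, so any other certificate (even one
/// issued by the same CA with the same Common Name) yields a different hash.
String sha256Thumbprint(X509Certificate cert) =>
    sha256.convert(cert.der).toString();

/// True only when the presented certificate's thumbprint is on the allowlist.
bool isPinnedCertificate(X509Certificate cert) =>
    kPinnedSha256.contains(sha256Thumbprint(cert));

HttpClient buildPinnedClient() {
  // No trusted roots: every chain fails default validation, so the callback
  // runs for every connection. With the OS root store in place, a MITM
  // certificate from any trusted CA would never reach the callback at all.
  final context = SecurityContext(withTrustedRoots: false);
  final client = HttpClient(context: context);
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    final ok = isPinnedCertificate(cert);
    if (!ok) {
      // Surface mismatches for detection; refusing is the safe default.
      stderr.writeln('Pin mismatch for $host:$port '
          'subject="${cert.subject}" issuer="${cert.issuer}" '
          'sha256=${sha256Thumbprint(cert)}');
    }
    return ok;
  };
  return client;
}

Future<void> main() async {
  final client = buildPinnedClient();
  try {
    // Hypothetical endpoint; replace with the pinned server.
    final req = await client.getUrl(Uri.parse('https://api.example.com/health'));
    final res = await req.close();
    print('status ${res.statusCode}');
  } on HandshakeException catch (e) {
    // Raised when the callback returns false: the connection never completes.
    print('TLS handshake rejected: $e');
  } finally {
    client.close();
  }
}
```

Rotation is the operational cost of this approach: when the server's certificate (or, if the callback receives it, the intermediate) is renewed, the thumbprint changes and the app refuses to connect, so the allowlist should carry the current and next certificate and ship before the rotation.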
About This Article
Amorn Apichattanakul's team found that badCertificateCallback pins intermediate certificates but skips Common Name verification. This gap lets attackers create fake certificates from the same provider and completely bypass the protection.
KBTG added a second verification layer by pairing badCertificateCallback with SHA256 thumbprint checking. They used the X509Utils library to validate certificates against an allowlist of trusted ones.
The improved SSL pinning passed KBTG's mobile security penetration tests. Their banking applications can now deploy it safely without accepting fraudulent certificates.