flutter-spy: Explore, analyze, and gain valuable data & insights from reverse engineered Flutter apps

Flutter Spy

Flutter Spy is a Bash-based command-line tool designed to provide insightful code analysis and data extraction capabilities from built Flutter apps with reverse engineering. It empowers developers, bug hunters, and security enthusiasts to explore and uncover valuable information within Flutter app binaries.

Flutter Spy supports currently gathering info from Android apps only (APK files), thus it is universal for almost all other platforms since this is what Flutter is used for.

Features

•  Data Extraction: Extracts essential information such as API endpoints, URLs, emails, used packages, phone numbers, secret/public keys, environment variables, and config files.

  •  Extract emails.
  •  Extract URLs/URIs.
  •  Extract potential phone numbers.
  •  Extract potential API endpoints/routes.
  •  Extract used Flutter packages and their links at pub.dev.
  •  Extract SQL and other database queries…
  •  Extract .env (Environment Variables) files.
  •  Extract Potential JSON/YAML config files.
  •  Extract content-specific files. (md, html, css, js…)
  •  Extract Potential localization files.
  •  Extract all other Flutter assets (PNG, GIF, SVG, TTF, PSD, WEBP…).
  •  Extract used Flutter Engine information as the used Flutter engine.
  •  Extract the original project file structure.

•  Exportable Reports: Output a detailed report folder with all results.

•  Easy to use: Flutter Spy is designed to be easy to use and requires no prior knowledge of Flutter or Dart, you can use it on any built Flutter app.

Planned Features

Let me know if there is a need for this:

•  Extract common API keys such as Firebase, Stripe, OpenAI, AWS…

•  Code Analysis: Performs static analysis on the app’s code to identify potential security issues and vulnerabilities.

  •  Analyse the AndroidManifest.xml file and gather permissions, intents, activities, services, compileSdkVersion, minSdkVersion, and targetSdkVersion.
  •  Analyse MainActivity.java used platform channels, initializations…

•  Automated bug hunting: Identifies common security issues and vulnerabilities such as unsecured API endpoints, exposed sensitive data, and Insecure Firebase Database (this is planned to be done with another language, maybe Python or Dart itself).

Install & Use

Copyright (c) 2024 Anas FIKHI