u/DeanTheBlueLion

Intercepting a Flutter Android app that ignores the system proxy + pins certs — best method in 2026?

Trying to reverse-engineer a Flutter Android app’s private API for personal use.
Setup: rooted Google APIs emulator on macOS, app installed and logged in, Frida working with an ssl_verify_peer_cert bypass, APK extracted.
What works: auth flow (Firebase OTP → refresh → access token) and one REST endpoint that returns a venue list.
What doesn’t: the availability endpoint (path found in libapp.so strings) returns 400 "General error" for every param combo and date format I’ve tried. Could be wrong headers, wrong method, or maybe availability is actually delivered over Socket.IO (the binary also references socket.io and partners). Frida connect(2) logging confirms TLS to two IPs, but I can’t see paths or payloads.
I need plaintext HTTP/WebSocket capture from a Flutter app that statically links BoringSSL and ignores the system proxy. Options I’m aware of:
• HTTP Toolkit’s frida-interception-and-unpinning scripts
• reFlutter (APK repack)
• Direct SSL_write/SSL_read Frida hooks in libflutter.so
Which actually works end-to-end on current Flutter engine builds? Any gotchas with recent Flutter versions, or a cleaner approach I’m missing?

u/DeanTheBlueLion — 2 days ago