Dart Inappwebview Ssl Verification Bypass
Description
This detector identifies SSL/TLS certificate verification bypasses in Flutter InAppWebView implementations. When SSL certificate validation is disabled or improperly configured, applications become vulnerable to man-in-the-middle attacks where attackers can intercept and manipulate HTTPS traffic by presenting invalid or malicious certificates.
Detection Strategy
• The Flutter InAppWebView library (package:flutter_inappwebview/flutter_inappwebview.dart) must be imported in the code file
• The code file must not be a test file (production code only)
• A method call or function must contain arguments that disable SSL certificate verification
• Specifically looks for unsafe implementations of onReceivedServerTrustAuthRequest callbacks or similar SSL trust handling that bypasses proper certificate validation
Vulnerable code example
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
// VULNERABLE: Always accepts untrusted certificates -> MitM attacks possible
final webview = InAppWebView(
onReceivedServerTrustAuthRequest: (controller, challenge) async =>
ServerTrustAuthResponse(
action: ServerTrustAuthResponseAction.PROCEED, // Always proceeds regardless of certificate validity
),...✅ Secure code example
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
// SAFE: Rejects untrusted certificates -> prevents MitM attacks
final webview = InAppWebView(
onReceivedServerTrustAuthRequest: (controller, challenge) async =>
ServerTrustAuthResponse(
action: ServerTrustAuthResponseAction.CANCEL, // Always reject invalid certificates
),...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.