Bridging the Gap: Hosting Tor Hidden Services with Flutter
At Sarah's Forge, we are obsessed with decentralization. We believe the future of mobile isn't just about consuming APIs—it's about hosting them.
For years, native Android developers have had a superpower that Flutter developers lacked: the ability to run a Tor Hidden Service directly from a mobile device. While native apps could leverage libraries like tor-android (thanks to the Guardian Project) to turn a phone into a server, Flutter developers were left stranded. You could build a beautiful UI, but if you wanted to host a P2P onion site, you were stuck writing complex JNI bridges or drowning in FFI boilerplate.
That changes today.
We are excited to introduce tor_hidden_service, a new plugin that finally brings native-grade Tor hosting capabilities to the Flutter ecosystem.
Get the code here: 👉 https://github.com/SarahRoseLives/tor_hidden_service/
The "Missing Link" in Flutter
To understand why this plugin matters, you have to look at what was missing.
Native Android has long had access to the Tor daemon via the Guardian Project's Maven repositories. A native developer could pull in the binaries, configure the service, and route traffic—all within Java or Kotlin.
Flutter, however, operates in a Dart VM that is isolated from these low-level native processes. There was no easy "drag-and-drop" way to:
- Fetch the correct Tor binary for the device's architecture (arm64, x86, etc.).
- Manage the Tor process lifecycle (start, stop, bootstrap).
- Bridge the networking gap so a Dart HttpServer could receive traffic from the Tor network.
This plugin bridges that specific gap. It wraps the robust, battle-tested native binaries used by apps like Orbot and exposes them to Dart with a simple, clean API.
How It Works: The Architecture
The plugin handles the heavy lifting so you can focus on your app logic.
1. Maven Binaries (The Native Foundation)
Instead of bloating your repo with pre-compiled C libraries, the plugin dynamically pulls the official Tor binaries from the Guardian Project during the build process.
In your build.gradle, the plugin injects:
maven { url "https://raw.githubusercontent.com/guardianproject/gpmaven/master" }
This ensures your app is always running a secure, up-to-date version of Tor, just like a native Android app would.
2. The Port Mapping Magic
This is where the plugin shines. It maps the Public Onion Port (80) to a Localhost Port (8080).
- Inbound Traffic: A user visits your .onion address.
- Tor Network: Routes the request to your phone's native Tor process.
- The Bridge: The native process forwards that request to localhost:8080.
- Flutter: Your Dart HttpServer listening on InternetAddress.anyIPv4 receives the request.
3. Client-Side Tunneling
Hosting is only half the battle. If you want to connect to other hidden services, standard HTTP clients will fail because they don't know how to resolve .onion addresses.
The plugin includes a TorOnionClient that performs a manual HTTP CONNECT handshake through a local SOCKS proxy (defaulting to port 9080), bypassing the need for system-level DNS or root access.
Quick Start
Here is how easy it is to spin up a hidden service now:
import 'package:tor_hidden_service/tor_hidden_service.dart';
import 'dart:io';

Future<void> main() async {
  // 1. Start Tor
  final tor = TorHiddenService();
  await tor.start();

  // 2. Get your address
  String? hostname = await tor.getOnionHostname();
  print("You are live at: http://$hostname");

  // 3. Serve content from Flutter
  // anyIPv4 listens on every interface; Tor delivers traffic via localhost:8080.
  HttpServer server = await HttpServer.bind(InternetAddress.anyIPv4, 8080);
  server.listen((request) {
    request.response.write('Hello from the decentralized web!');
    request.response.close();
  });
}
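Because the native Tor process delivers onion traffic to localhost:8080, the backend does not need to listen on every interface. The variant below is an added example, not code from the plugin or its repository: it binds to loopback only and refuses requests whose Host header is not the onion name. It assumes the forwarding target is 127.0.0.1:8080 as described above; exampleOnion is a constructed placeholder, and bindOnionBackend and probe are hypothetical helper names.

```dart
import 'dart:io';

// Constructed placeholder; a real app would pass the value returned by
// tor.getOnionHostname() from the Quick Start.
const exampleOnion = 'exampleexampleexample.onion';

/// Binds the backend to loopback only: the local Tor process can still
/// forward onion port 80 to localhost:8080, but hosts on the same Wi-Fi or
/// carrier network cannot reach the port and tie the service to the device IP.
Future<HttpServer> bindOnionBackend(String onionHost, {int port = 8080}) async {
  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, port);
  server.listen((HttpRequest request) async {
    final peer = request.connectionInfo?.remoteAddress;
    final host = request.headers.host; // Host header value without the port
    if (peer == null || !peer.isLoopback || host != onionHost) {
      // Not authentication (a local app can forge Host), but it refuses
      // browser-driven requests aimed at 127.0.0.1, e.g. DNS rebinding.
      request.response.statusCode = HttpStatus.forbidden;
    } else {
      request.response.write('Hello from the decentralized web!');
    }
    await request.response.close();
  });
  return server;
}

/// Sends one GET over loopback with the given Host header, as Tor's
/// forwarded connection would, and returns the HTTP status code.
Future<int> probe(int port, String hostHeader) async {
  final client = HttpClient();
  try {
    final request = await client.get('127.0.0.1', port, '/');
    request.headers.host = hostHeader;
    final response = await request.close();
    await response.drain<void>();
    return response.statusCode;
  } finally {
    client.close();
  }
}

Future<void> main() async {
  final server = await bindOnionBackend(exampleOnion, port: 0); // free port
  print('listening on ${server.address.address}:${server.port}');
  print('Host = onion name: ${await probe(server.port, exampleOnion)}');
  print('Host = localhost:  ${await probe(server.port, 'localhost')}');
  await server.close();
}
```

Other apps on the same device can still connect to a loopback port, so anything sensitive served this way needs its own authentication on top.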
Why This Matters
This brings True Peer-to-Peer to Flutter. We aren't talking about connecting to a central server; we are talking about being the server.
- Censorship-Resistant Messaging: direct device-to-device communication.
- Private File Sharing: Host a file for a friend without uploading it to the cloud.
- IoT Control: Manage your smart devices without exposing public IP addresses.
Flutter developers finally have the tool that native Android developers have had for years.
Check out the repository, star it, and let's build a decentralized future.