Hello,
I recently installed Fiddler, and I must say it is super easy to use and works perfectly in almost every example.
However, I encountered one special error: I am trying to track traffic on my Mac (Mac OS Sonoma 14.6.1.) for the Apple TV app (1.4.6.32).
When I try to launch Fiddler first and then the Apple TV app later, Apple TV won't start properly, and only my collection is visible. I am not able to see or visit the store or even the Apple TV+ subscription offer.
When I switch the order, so Apple TV is launched first and Fiddler afterward, it works, but there are some hiccups, like images not properly downloading. And, of course, the initial traffic when Apple TV is launching, which is crucial to me, is not visible anymore, and I can not force the app to reload the Apple TV storefront.
Is there a problem with the certificates or any other settings?
I also noticed during the very first launch and some digging in Settings that basically every major Apple domain (apple.com, mzstatic.com) was blacklisted, which was the reason why it was not working at the beginning entirely. After the removal of the Apple domains from the blacklist, Apple traffic is captured, but only if I use the order mentioned above (Apple TV first, Fiddler later).
I appreciate your help
T.
1 Answer, 1 is accepted
Hello Tomas,
The observed behavior is expected because Apple uses different security techniques to prevent MITM proxies from intercepting traffic from Apple-related applications and services (including Apple TV). The most common technique used is certificate pinning, which means that the client (in your case, the Apple TV client) and the server expect a specific certificate and will reject a request signed by a third-party certificate authority. When Fiddler is in the middle as a TLS proxy, it effectively uses its own CA, and as a result, all requests from Apple TV will fail due to the client and server not recognizing and trusting Fiddler's CA.
Adding the Apple endpoints to the Fiddler's Bypass list means that the Apple application will work as expected (as they would with no proxy in the middle), but of course, their traffic will go directly through the upstream and won't be captured by Fiddler. Removing the endpoints from the bypass list means that the traffic will go through Fiddler - changing the startup application order only means that you will experience the issue after the Apple TV application has started and won't change the behavior if a new request to the Apple endpoints is made afterward (after Fiddler is set as MITM proxy).
Below are the endpoints that you can effectively bypass to ensure that no Apple-related application or service goes through the Fiddler proxy
*.apple.com;*.cdn-apple.com;*.apple-cloudkit.com;*.icloud.com;*.itunes.com;*.mzstatic.com;*
All of the above said, there is no effective solution to force an Apple service to use an MITM proxy and user-installed CA.
Regards,
Nick Iliev
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.
Rank 1
Thank you for your quick and comprehensive answer.
So, my guess was correct. But I found a workaround to get it done in a limited way.
Thanks again!