I have a certain iOS app that's not publicly available so you won't be able to fully troubleshoot, however I can explain the behavior I'm experiencing.
When I attempt to use the app when 'Decrypt HTTPS Traffic' is disabled, the app works, but the data is encrypted and Fiddler prompts me to configure the settings.
When I enable 'Decrypt HTTPS Traffic' the app does not let me do anything and simply says 'network unavailable.'
I did install the iOS certificate. I tested on several other apps and don't appear to be experiencing the same problem. Any ideas on how I can further troubleshoot this?
Thank you.
2 Answers, 1 is accepted
This:
- I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.
...indicates that the client device doesn't trust Fiddler's certificate. One possibility is that you're using a legacy "makecert" generated certificate which cannot be used with iOS devices.
Inside Tools > Fiddler Options > HTTPS, what does the "Certificates Generated by" link at the right say? If it says "MakeCert", please do the following:
1> Change it to CertEnroll.
2> Follow the steps here: http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
3> Remove the root certificate from the iOS device.
4> Put the new certificate on the device
5> Verify that traffic from https://bayden.com/ is captured without any warnings.
Regards,
Eric Lawrence
Telerik
Rank 1
Hi Eric,
Thanks for that. You were spot on! I followed the steps in that link to reset all my certificates on Fiddler and then installed it on the device.
bayden.com then worked without any problems......and much to my amazement the app started working as well! Fiddler properly displayed the decrypted data in plaintext. It was set to CertEnroll but I guess it was the 'cleaning out' of the old certificates that solved it! So, it was not a 'certificate pinning' problem after all.
It's a real credit to Fiddler that you're personally involved in these forums as there is no way I would have solved this without you.
Thanks again.
Rank 1
Please, try following the steps in this tutorial.
Regards,
Alexander
Progress Telerik
Rank 1
Hi Alexander,
That is the tutorial I followed the first time. I went through again and made sure I followed all the steps, including installing the Certificate Maker plugin. However, iOS still refuses to connect to HTTPS sites when using Fiddler as a proxy.
Which version of iOS are you using? Also, can you see HTTP traffic in Fiddler?
Regards,
Alexander
Progress Telerik
Rank 1
I see traffic in Fiddler. But all traffic is encrypted. Looks like "Tunnel to http://81.19.104.63:443" I have tried Cert Enroll and addon certmaker.dll certificate engines.
Since iOS 10.3 one have to enable full trust manually after importing certificate. You can find more information here.
Regards,
Alexander
Progress Telerik
Rank 1
FOLLOW THE STEPS-
Configure Fiddler
Click Tools > Fiddler Options > Connections.
Click the checkbox by Allow remote computers to connect.
Restart Fiddler.
Ensure your firewall allows incoming connections to the Fiddler process, and that it's not blocking all incoming connections, including those in the list of allowed apps.
Hover over the Online indicator at the far right of the Fiddler toolbar to display the IP addresses assigned to Fiddler's machine.
Verify client iOS device can reach Fiddler by navigating in the browser to http://FiddlerMachineIP:8888. This address should return the Fiddler Echo Service page.
For iPhone: Disable the 3g/4g connection.
Rank 1
Iron
Hi, I have the same issue.
When I turn on a financial app on my iPhone it says shows greyed out initial request with type of CONNECT and no additional information within request itself.
And the app itself says it is an error with login. So basically it is not only HTTPS traffic although port is 443, but in general with turn on fiddler the app does not work.
Could it be connected to so called "Certificate pinning" as this is a financial app? And will it mean never be able to see that traffic?
It's either a certificate pinning (the app expecting and trusting only a specific CA), or you have not installed and trusted the Fiddler's CA. Most bank/financial applications use cert pinning and other security techniques to prevent MITM attacks, so the first possibility is always on the table. However, it would be difficult to say without knowing which application we are discussing.
Q: And will it mean never being able to see that traffic?
Yes. That would most likely be the case if we discuss certificate pinning.
Rank 1
Iron
To be clear, do you see HTTPS traffic in plaintext in Fiddler from those other applications? How about if you visit e.g. https://bayden.com/ in Safari?
When this app fails to connect, is there any text of interest in Fiddler's Log tab?
> "not publicly available"
Can you tell me anything about this app? Did you write it? If not, is it an app for which Certificate Pinning may be in use?
Regards,
Eric Lawrence
Telerik
Thanks for the response once again.
1 - I am able to view HTTPS traffic from other apps in plaintext. I tested with an app I've used in the past and it works as it always has.
2 - bayden.com - I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.
3 - I did not write the app, I'm unsure if it's using 'certificate pinning.' How can I find out?
I will add something further.
This app is an 'enterprise app' which means it's distributed directly from the creator and was not obtained through the app store.
Furthermore, there is an entry on the iphone under settings>profile showing that this app is 'trusted on this iphone.' This is the same place on the phone where Fiddler installs an iOS cert if downloaded.
After a bit of reading, it does seem like this might be a network pinning issue. I don't know with certainty but it's clear that when 'decrypt' is enabled the app cannot preform any network functions. When 'decrypt' is disabled, it works just fine on the device - but the Fiddle traffic is decrypted.