Rank 1
Hi,
I am a newbie in using fiddler. I was trying to capture the HTTPS traffic from android app. I have installed the fiddler root certificate successfully on my android device but not able to capture the https traffic but i see http calls going through tunnel.
Fiddler version : v5.0.20192.25091
Android OS version : 8.1.0
Please see the attached image for the fiddler settings applied and let me know if needed any more information.
Thanks
1 Answer, 1 is accepted
After Andoird 7, a new feature was implemented that ignored all user-installed certificates which means Android will not trust the Fiddler root certificate. For more details see the Using Fiddler with iOS 10 and Android 7 blog post.
Note that this is a platform-level issue which leaves us with no way to alleviate this.
Please let me know if you need any additional information and thank you for using Fiddler.
Regards,
Eric R
Progress Telerik
Rank 1
Hi Eric,
You are right. I tried with Android os version 7.0 and iphone 8 with os version 11.4.1, it worked fine and i can capture https traffic.
Thanks for the reply and link to the post.
Rank 1
Hi Eric,
Occasionally, i am seeing that i was not able to capture logs specifically from android (with os version <=7).
But with IOS, it connects immediately with no issues.
Please let me know what information i can help you with to debug this on android
Note :
1. No Firewalls enabled.
2. Fiddler certificate installation also looks fine.
Thank you
Are you seeing the sessions but are some encrypted or are you just not seeing some sessions?
I recommend reviewing the Specific Traffic is Missing documentation. Additionally, could you provide a screenshot of what you are referring to?
Thank you and I look forward to your reply.
Regards,
Eric R
Progress Telerik
Rank 1
Hi Eric
1. I have seen the documentation but did not find a solution. But observed a point regarding custom rules and found that when i launch the application i am seeing that customrule.js is loaded statement. I don't know if this is expected behavior but wanted to mention here and also i never had my hands on modifying custom rules. (If i click on clear cache then this statement disappears)
2. Coming to your question on Http sessions, After connecting to fiddler from android i can see all the desired calls/sessions but are going to tunnel.
please see the attached screenshots for reference.
Thanks
Awaiting your reply.
For number 1, this is expected behavior. In order to restore the default rules, they are located in the ~/Program Files/Fiddler2/Scripts/SampleRules.js folder. For more information see the Restore Default Rules documentation.
For number 2, this is probably due to certificate pinning. Some applications will only allow communication with a specific certificate. In this case, the traffic cannot be decrypted using the Fidldler's root certificate. More information is available at the CertPinning documentation.
Please let me know if you need any additional information. Thank you.
Regards,
Eric R
Progress Telerik
Rank 1
Hi Eric,
Thanks for the post.
I hope this certificate pinning issue is not in my case. Because, It fails to capture https traffic only some times.
And i just got to give a trail in other machine. It perfectly did well.
But when trying in my machine, i am still having issues.
I can help you giving any info required in debugging to getting this sorted, please.
Thanks
Looking at the earlier screenshot, most of the 3rd-party apps with Tunnel To in the Host column would indicate Certificate Pinning. For example, Outlook and Google Play would use this.
Although, it does look like there is some relevant traffic available to inspect.
To provide more information provide the following items:
1. - Identify which session you are inspecting.
2. - Attach the Session Archive Zip (SAZ) file and Fiddler Log Tab output.
Once I receive the above information, I can investigate further on my end.
Please let me know if you need any additional information. Thank you and I look forward to your reply.
Regards,
Eric R
Progress Telerik
Rank 1
Hello Eric,
I'm new to Fiddler and would really appreciate your help in capturing HTTPS traffic from a mobile app using my tablet (Android 4.2 OS). After reading the other posts in this thread, I am still unable to capture HTTPS traffic. I see the tunnels, though.
The Fiddler cert is installed on the device. Please see the attachment.
Thanks for your help!
Hi M,
Thank you for providing the screenshot. If you see tunnels, this means the traffic is using Certificate Pinning which is a security measure implemented by the site owner. Fiddler won't be able to provide any way around that without having access to the web server.
For more details see the Capture Android Traffic with Fiddler and Certificate Pinning StackExchange posts.
Please let me know if you need any additional information. Thank you for using the Fiddler Forums.
Regards,
Eric R | Senior Technical Support Engineer
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Rank 1
Eric,
Thanks for your prompt reply.
Cert Pinning makes sense. I've been unable to reproduce another auditor's scans from last year. I'm using the same Android OS, but I'm scanning a newer version of the app. It makes sense that the mobile app owner implemented security measures in this newer app version which would explain why I can't see HTTPS traffic.
Thank you, Eric. I really appreciate your help.
Rank 1
Hi Eric,
Looks like I need to pick your brain some more. I have an upcoming meeting where I need to have all my ducks in a row for this issue.
Do you think it's possible that it's something other than Cert Pinning? I took a look at the Fiddler logs and there are a lot of these:
!SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate for pipe (CN=*.bubadu.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
So I tried the following:
- I forced handshakes by following the instructions in the link below, then scanned the app. https://docs.telerik.com/fiddler/Configure-Fiddler/Troubleshooting/HTTPSTimeout
- I deleted and reinstalled the Fiddler certs, restarted Fiddler, then scanned the app.
- I downloaded the APK file of the app version that I'm trying to reproduce the scans for, inserted code into the manifest xml file to force the app to trust user-added certs, then scanned the app.
- Under Options, HTTPS tab, I added tls1.3 to the existing list of protocols, so I now have: <client>;ssl2;ssl3;tls1.0;tls1.1;tls1.2;tls1.3 -- Again, restarted Fiddler and scanned the app.
Sadly, none of these gave me any HTTPS traffic. Any other ideas?
Thanks in advance!
Hi M,
After performing those additional steps and a failed error is still being received means that Certificate Pinning is most likely the cause.
There are alternatives if you own the Android application and the web server. Can you confirm this is the case?
Thank you and I look forward to your reply.
Regards,
Eric R | Senior Technical Support Engineer
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Rank 1
Hi Eric,
Thanks for your quick reply. I don't own the app, but I've been tasked to debug and scan for third-party activity. My colleague was able to see HTTPS traffic by scanning the same app with the same Android OS (earlier than Android 7), so it must be an error on my side.
I attended Progress Telerik's webinar this morning: How to Debug iOS and Android Mobile Apps with Fiddler, and there were details mentioned that I was not aware of. Once I receive the video link, I'll follow the steps carefully, and I bet I'll see the HTTPS traffic.
Although the video should be published somewhere on the Progress Telerik website, I can share the link here once I receive it. That way it can help other newbies reading this thread.
Rank 1
As promised, here is the link to the webinar: How to Debug iOS and Android Mobile Apps with Fiddler
Android details start at 35:44
https://www.telerik.com/campaigns/fiddler/webinar-debugappsfiddler/thank-you?utm_medium=email&utm_source=eloqua&utm_campaign=fdlr_webinar_6_DebugAppsFiddler&elqTrackId=d3b4fd95d5f546dabacfecbe276305e3&elq=db1c4456db8240ba90823edfd7c682cf&elqaid=20896&elqat=1&elqCampaignId=20613