Http/s sniffing doesn't work in some app

6 posts, 0 answers
  1. Rieqy
    Posted 16 Aug 2015

    I have the Fiddler certificate installed on my Android phone. Then when I open some native apps like Facebook, YouTube, Kaskus, Gmail, or the web browser, all of their HTTP/S requests are captured by Fiddler.
    http://i.imgur.com/j9ikFif.png

    But when I open certain native apps like Twitter, G+, PayPal, etc., the requests are not captured by Fiddler. Only the CONNECT request is captured by Fiddler. After that, the HTTP/S requests are not captured.

    http://i.imgur.com/zrpYJmH.png

    But strangely, when I open Instagram, none of the HTTP/S requests are captured by Fiddler at all, but Instagram works properly. I wonder why.

    So, can anybody explain to me why Fiddler doesn't capture the requests, and give me a solution?
    Thanks in advance.

  2. Eric Lawrence
    Admin
    Posted 17 Aug 2015

    Hi, Rieqy--

    This is discussed in the Fiddler Book: (http://fiddlerbook.com)
    ----

    Certificate Pinning

    A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.

    To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s.

    When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate.

    Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.
    ----

    As for your question about Instagram-- that behavior suggests that the application is simply buggy and does not respect Android's system proxy setting.

    Regards,
    Eric Lawrence
    Telerik
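
An added sketch (not from the thread, the Fiddler Book, or Fiddler itself) of the client-side decision the excerpt above describes, showing why a pinning app leaves only a CONNECT in the proxy's session list and why exempting the tunnel from decryption lets the app work. The certificates are constructed stand-in byte strings, and the host name and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT = b"constructed: genuine leaf certificate for api.example.test"
PROXY_CERT = b"constructed: proxy-generated leaf certificate for api.example.test"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


def client_accepts(cert_der, chain_trusted, pins):
    """Client-side decision: OS trust check first, then the optional pin check."""
    if not chain_trusted:
        return False, "untrusted chain"
    if pins is None:                      # app does not pin
        return True, "trusted chain, no pin"
    fp = fingerprint(cert_der)
    if any(hmac.compare_digest(fp, p) for p in pins):
        return True, "pin match"
    return False, "pin mismatch"          # a trusted root is not enough


def session_via_proxy(host, pins, decrypt, proxy_root_installed=True):
    """Model one HTTPS session through the proxy.

    Returns (app_works, reason, proxy_log). With decrypt=False the tunnel is
    passed through untouched, as with the x-no-decrypt flag.
    """
    proxy_log = [f"CONNECT {host}:443"]
    if decrypt:
        cert, trusted = PROXY_CERT, proxy_root_installed
    else:
        cert, trusted = SERVER_CERT, True
    ok, reason = client_accepts(cert, trusted, pins)
    if ok and decrypt:
        proxy_log.append(f"GET https://{host}/ (decrypted)")
    return ok, reason, proxy_log


PINS = {fingerprint(SERVER_CERT)}         # what a pinning app ships with

if __name__ == "__main__":
    for label, pins, decrypt in [("no pinning, decrypt", None, True),
                                 ("pinning, decrypt", PINS, True),
                                 ("pinning, x-no-decrypt", PINS, False)]:
        print(label, session_via_proxy("api.example.test", pins, decrypt))
```
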
  3. Rieqy
    Posted 17 Aug 2015 in reply to Eric Lawrence

    Thanks for your comment, admin. I found a tutorial about bypassing SSL pinning: http://opentechnotes.blogspot.sg/2015/01/intercept-all-http-ssl-android-traffic.html

    Can the tutorial be applied with Fiddler?

  4. Eric Lawrence
    Admin
    Posted 17 Aug 2015

    Yes, if you jailbreak/root the device you can typically cause it to accept certificates regardless of pinning. It is still *possible* for an application to perform pinning, but most pins can be broken in this way.

    Regards,
    Eric Lawrence
    Telerik
  5. Rieqy
    Posted 17 Aug 2015 in reply to Eric Lawrence

    Thanks for your help. I was helped by you. By the way, I wonder, does Telerik also develop a tool for bypassing SSL pinning?

  6. Eric Lawrence
    Admin
    Posted 18 Aug 2015

    No, Telerik does not build jailbreaking or pinning-bypass tools.

    Regards,
    Eric Lawrence
    Telerik