I have a certain iOS app that's not publicly available so you won't be able to fully troubleshoot, however I can explain the behavior I'm experiencing.
When I attempt to use the app when 'Decrypt HTTPS Traffic' is disabled, the app works, but the data is encrypted and Fiddler prompts me to configure the settings.
When I enable 'Decrypt HTTPS Traffic' the app does not let me do anything and simply says 'network unavailable.'
I did install the iOS certificate. I tested on several other apps and don't appear to be experiencing the same problem. Any ideas on how I can further troubleshoot this?
Thank you.
1 Answer, 1 is accepted
This:
- I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.
...indicates that the client device doesn't trust Fiddler's certificate. One possibility is that you're using a legacy "makecert" generated certificate which cannot be used with iOS devices.
Inside Tools > Fiddler Options > HTTPS, what does the "Certificates Generated by" link at the right say? If it says "MakeCert", please do the following:
1> Change it to CertEnroll.
2> Follow the steps here: http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
3> Remove the root certificate from the iOS device.
4> Put the new certificate on the device
5> Verify that traffic from https://bayden.com/ is captured without any warnings.
Regards,
Eric Lawrence
Telerik
Rank 1
Hi Eric,
Thanks for that. You were spot on! I followed the steps in that link to reset all my certificates on Fiddler and then installed it on the device.
bayden.com then worked without any problems......and much to my amazement the app started working as well! Fiddler properly displayed the decrypted data in plaintext. It was set to CertEnroll but I guess it was the 'cleaning out' of the old certificates that solved it! So, it was not a 'certificate pinning' problem after all.
It's a real credit to Fiddler that you're personally involved in these forums as there is no way I would have solved this without you.
Thanks again.
Rank 1
Please, try following the steps in this tutorial.
Regards,
Alexander
Progress Telerik
Rank 1
Hi Alexander,
That is the tutorial I followed the first time. I went through again and made sure I followed all the steps, including installing the Certificate Maker plugin. However, iOS still refuses to connect to HTTPS sites when using Fiddler as a proxy.
Which version of iOS are you using? Also, can you see HTTP traffic in Fiddler?
Regards,
Alexander
Progress Telerik
Rank 1
I see traffic in Fiddler. But all traffic is encrypted. Looks like "Tunnel to http://81.19.104.63:443" I have tried Cert Enroll and addon certmaker.dll certificate engines.
Since iOS 10.3 one have to enable full trust manually after importing certificate. You can find more information here.
Regards,
Alexander
Progress Telerik
Rank 1
FOLLOW THE STEPS-
Configure Fiddler
Click Tools > Fiddler Options > Connections.
Click the checkbox by Allow remote computers to connect.
Restart Fiddler.
Ensure your firewall allows incoming connections to the Fiddler process, and that it's not blocking all incoming connections, including those in the list of allowed apps.
Hover over the Online indicator at the far right of the Fiddler toolbar to display the IP addresses assigned to Fiddler's machine.
Verify client iOS device can reach Fiddler by navigating in the browser to http://FiddlerMachineIP:8888. This address should return the Fiddler Echo Service page.
For iPhone: Disable the 3g/4g connection.
To be clear, do you see HTTPS traffic in plaintext in Fiddler from those other applications? How about if you visit e.g. https://bayden.com/ in Safari?
When this app fails to connect, is there any text of interest in Fiddler's Log tab?
> "not publicly available"
Can you tell me anything about this app? Did you write it? If not, is it an app for which Certificate Pinning may be in use?
Regards,
Eric Lawrence
Telerik
Thanks for the response once again.
1 - I am able to view HTTPS traffic from other apps in plaintext. I tested with an app I've used in the past and it works as it always has.
2 - bayden.com - I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.
3 - I did not write the app, I'm unsure if it's using 'certificate pinning.' How can I find out?
I will add something further.
This app is an 'enterprise app' which means it's distributed directly from the creator and was not obtained through the app store.
Furthermore, there is an entry on the iphone under settings>profile showing that this app is 'trusted on this iphone.' This is the same place on the phone where Fiddler installs an iOS cert if downloaded.
After a bit of reading, it does seem like this might be a network pinning issue. I don't know with certainty but it's clear that when 'decrypt' is enabled the app cannot preform any network functions. When 'decrypt' is disabled, it works just fine on the device - but the Fiddle traffic is decrypted.