iOS app not allowing me to connect when 'Decrypt HTTPS Traffic' is enabled

6 posts, 1 answers
  1. Mark
    Mark avatar
    7 posts
    Member since:
    Dec 2015

    Posted 16 Dec 2015 Link to this post

    I have a certain iOS app that's not publicly available so you won't be able to fully troubleshoot, however I can explain the behavior I'm experiencing. 

    When I attempt to use the app when  'Decrypt HTTPS Traffic' is disabled, the app works, but the data is encrypted and Fiddler prompts me to configure the settings.

    When I enable 'Decrypt HTTPS Traffic' the app does not let me do anything and simply says 'network unavailable.' 

    I did install the iOS certificate. I tested on several other apps and don't appear to be experiencing the same problem. Any ideas on how I can further troubleshoot this?

     

    Thank you.

     

     

     

  2. Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 16 Dec 2015 Link to this post

    > I tested on several other apps and don't appear to be experiencing the same problem. 

    To be clear, do you see HTTPS traffic in plaintext in Fiddler from those other applications? How about if you visit e.g. https://bayden.com/ in Safari?

    When this app fails to connect, is there any text of interest in Fiddler's Log tab?

    > "not publicly available"

    Can you tell me anything about this app? Did you write it? If not, is it an app for which Certificate Pinning may be in use

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Mark
    Mark avatar
    7 posts
    Member since:
    Dec 2015

    Posted 16 Dec 2015 in reply to Eric Lawrence Link to this post

    Thanks for the response once again.

    1 - I am able to view HTTPS traffic from other apps in plaintext. I tested with an app I've used in the past and it works as it always has.

    2 - bayden.com - I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.

    3 - I did not write the app, I'm unsure if it's using 'certificate pinning.' How can I find out? 

     

  4. Mark
    Mark avatar
    7 posts
    Member since:
    Dec 2015

    Posted 16 Dec 2015 in reply to Mark Link to this post

    I will add something further.

    This app is an 'enterprise app' which means it's distributed directly from the creator and was not obtained through the app store.

    Furthermore, there is an entry on the iphone under settings>profile showing that this app is 'trusted on this iphone.' This is the same place on the phone where Fiddler installs an iOS cert if downloaded.

    After a bit of reading, it does seem like this might be a network pinning issue. I don't know with certainty but it's clear that when 'decrypt' is enabled the app cannot preform any network functions. When 'decrypt' is disabled, it works just fine on the device - but the Fiddle traffic is decrypted.

     

  5. Answer
    Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 17 Dec 2015 Link to this post

    Hi, Mark--

    This:

    - I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.

    ...indicates that the client device doesn't trust Fiddler's certificate. One possibility is that you're using a legacy "makecert" generated certificate which cannot be used with iOS devices. 

    Inside Tools > Fiddler Options > HTTPS, what does the "Certificates Generated by" link at the right say? If it says "MakeCert", please do the following:

    1> Change it to CertEnroll.
    2> Follow the steps here: http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
    3> Remove the root certificate from the iOS device.
    4> Put the new certificate on the device
    5> Verify that traffic from https://bayden.com/ is captured without any warnings.


    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  6. Mark
    Mark avatar
    7 posts
    Member since:
    Dec 2015

    Posted 17 Dec 2015 in reply to Eric Lawrence Link to this post

    Hi Eric,

    Thanks for that. You were spot on! I followed the steps in that link to reset all my certificates on Fiddler and then installed it on the device.

    bayden.com then worked without any problems......and much to my amazement the app started working as well! Fiddler properly displayed the decrypted data in plaintext. It was set to CertEnroll but I guess it was the 'cleaning out' of the old certificates that solved it! So, it was not a 'certificate pinning' problem after all.

    It's a real credit to Fiddler that you're personally involved in these forums as there is no way I would have solved this without you.

    Thanks again.

Back to Top