Unable to capture only HTTPS traffic of Android mobile application

10 posts, 0 answers
  1. lenin
    1 posts
    Member since:
    Mar 2015

    Posted 04 Mar 2015

    Hi Eric,

    I am trying to capture the traffic of a mobile banking application installed on an Android device using Fiddler.

    I followed the instructions at http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid exactly, but I do not see any HTTPS calls after capturing the traffic; I can only see the HTTP calls captured.

    1) Even after installing the "Fiddler Root Certificate" in the device's Trusted Credentials, why did the HTTPS calls not get captured?

    2) Do I need to speak with Dev. for a workaround? If so, can you please guide me on what exactly has to be done by Dev. at the server/application level?

    Got stuck with these issues for a long time. Appreciate your help, please.

    Regards
    Lenin
  2. Eric Lawrence
    Admin
    832 posts

    Posted 05 Mar 2015

    Which HTTP calls do you see specifically? Do you see HTTP calls from the application, or only other apps?

    If you do see HTTP calls from the app, do any of those requests show "Tunnel to" in the HOST column in Fiddler's Session list?

    Which HTTPS calls *don't* you see, specifically? Do you see HTTPS traffic from other apps?

    Regards,
    Eric Lawrence
    Telerik
     

  3. cool
    2 posts
    Member since:
    May 2015

    Posted 18 May 2015

    Hello,

     

    I am having the same problem as the OP.

    Basically, one of the apps on the Nexus 7 Android device is not being properly monitored by Fiddler.

    Other apps on the tablet with HTTPS traffic are working fine.

    Fiddler is showing "Tunneling to" and no further communication from that app, while the app on the tablet fails to continue working.


    Please advise.

  4. Eric Lawrence
    Admin
    832 posts

    Posted 19 May 2015

    Hello, "cool"--

    You haven't provided enough information to go on; for instance, telling us what application you're talking about might allow us to help you.

    Without further information, my guess is that the application is something like DropBox which uses Certificate Pinning, and cannot be intercepted without first jailbreaking the device.

    Regards,
    Eric Lawrence
    Telerik
  5. cool
    2 posts
    Member since:
    May 2015

    Posted 19 May 2015 in reply to Eric Lawrence

    Hello Eric,

    Thanks for the reply. I suspect certificate pinning but I have not looked at it yet.

    Meanwhile, to answer you, the application is the "Basis Peak" mobile app.

    You should be able to check / repro the problem without the hardware. Just try to login (even w/o valid credentials) and the app won't be able to contact the server and authenticate.

     

    Thanks!

  6. VSCT
    3 posts
    Member since:
    Aug 2017

    Posted 10 Aug

    Hi, everyone

    I have the same problem.

    I use a Nexus 6P and even though my certificate is installed I can't see the HTTPS traffic of my application. I can see HTTP traffic and Tunnel, I can contact the server and use the app normally, but I can't see HTTPS. I can see the HTTPS of other applications on the device but not this one.

    With another device I don't have the problem. But I need to check HTTPS traffic on this specific device.

    I'm an amateur with Fiddler and certificates so I prefer to ask.

    (sorry, my English is not ... good ^^")

    Thanks

  7. Alexander
    Admin
    162 posts

    Posted 15 Aug

    Hi,

    What version of Android is the Nexus 6P using? Also how did you install the root certificate?

    Regards,
    Alexander
    Progress Telerik
  8. VSCT
    3 posts
    Member since:
    Aug 2017

    Posted 16 Aug in reply to Alexander

    Hi Alexander, and thanks for your answer.

    So the version of Android is 8.0.0. To install the root certificate, the process is like this:

    1- start Fiddler

    2- open Chrome on the device

    3- download the certificate with the URL: myipadress:8888/fiddlerroot.cer

    4- install directly from the certificate by clicking on it

     

  9. Alexander
    Admin
    162 posts

    Posted 23 Aug

    Hello,

    In Android 7 all apps that target API Level 24 and later will ignore all user-installed root certificates by default. I cannot find information if this changed in Android 8 so I assume it is still valid. Only app developers can override this behavior for their app only and from what I'm reading the app you are trying to debug is yours. You can find more information about how to do it here.

    Regards,
    Alexander
    Progress Telerik
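
The Android 7+ behaviour described in the post above is controlled by the app's Network Security Configuration. As an added example (not part of the thread, and not Telerik's or any app's own code), the constructed config below trusts user-installed CAs such as the Fiddler root only in debuggable builds, and a small Python check reports which scopes trust user CAs; the function names and the sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/network_security_config.xml (not from the thread).
# The app manifest points at it with
#   android:networkSecurityConfig="@xml/network_security_config"
# <debug-overrides> only applies when the build is debuggable, so release
# builds keep the default of trusting system CAs only.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def user_ca_scopes(config_xml):
    """Return the sorted config scopes that trust user-installed CAs."""
    root = ET.fromstring(config_xml)
    scopes = set()
    # Top-level children are base-config, domain-config and debug-overrides.
    for scope in root:
        for cert in scope.iter("certificates"):
            if cert.get("src") == "user":
                scopes.add(scope.tag)
    return sorted(scopes)


def safe_for_release(config_xml):
    """True when user CAs are trusted in debug-overrides only, or not at all."""
    return all(s == "debug-overrides" for s in user_ca_scopes(config_xml))


if __name__ == "__main__":
    print("user CA trusted in:", user_ca_scopes(SAMPLE_CONFIG))
    print("safe for release:", safe_for_release(SAMPLE_CONFIG))
```

A config that puts `src="user"` under `base-config` would let a proxy intercept release builds too, which is what `safe_for_release` flags.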
  10. VSCT
    3 posts
    Member since:
    Aug 2017

    Posted 24 Aug

    Hello,

     

    For sure this is the reason!

    Well, thank you so much! I will explain this to my developers, then!
