How To Easily Capture Android HTTPS Mobile Traffic

Nowadays, applications are accessible on multiple platforms—desktop PCs, tablets, smartphones, etc. While inspecting and analyzing HTTPS traffic and web app performance from a desktop is an easy task, that wasn’t so much the case for mobile traffic.

Until now! With Fiddler Everywhere, you can capture, debug, inspect and even modify your mobile traffic with ease in a few simple steps!

Why Do I Need Fiddler Everywhere? What Is the Real-Life Value of Capturing Mobile Traffic?

More and more products are providing cross-platform support for their web applications. The Android OS has approximately 40% of the global market share across all operating systems on all platforms (https://gs.statcounter.com/os-market-share). Ignoring how your application works on a mobile device is no longer an option!

You might ask, but why do I need Fiddler Everywhere as a proxy? Here are three reasons right off the bat:

1. There are relatively few mobile or web applications that are not using an online connection (except maybe some calculator apps), and most of them are making network requests through HTTPS. In most cases, a web app or mobile application sends the data, receives a response and uses the response data to change the UI/visualize the output. Using a proxy like Fiddler Everywhere allows you to test the above efficiently in a single environment.
2. You can optimize your development and testing processes while using a single proxy setup on multiple different operating systems (macOS, Linux, Windows, Android and iOS).
3. Through Fiddler Everywhere, you can also simulate different server behaviors without having to touch the server itself (or even having any access to it) and without making changes depending on the development environment. Nothing will change if your client application uses Angular, React, native Android or anything else. That greatly simplifies the testing efforts and the time spent.

There are many more real-life use cases. Some other possible scenarios where Fiddler Everywhere will lend a helping hand:

• Inspecting and testing different UX and UI scenarios based on simulated real-life conditions (like delayed responses, wrong input from users, malformed requests, etc.).
• Inspecting different HTTPS requests and responses for flaws that an attacker could exploit to impact data confidentiality, integrity or availability.
• Using Fiddler Everywhere as a reverse proxy to test the client app against different server setups.
• Extracting and inspecting technical, statistical and analytical data.
• Easy collaboration with team members or other developers, support engineers or quality assurance engineers.

Straightforward Configuration

Before diving into some real use-case demonstrations, we need to configure your Android device to see and trust the Fiddler Everywhere proxy.

Almost all modern mobile applications and all mobile browsers use encryption to exchange data online, and, usually, we are talking about TLS protocol and HTTPS traffic. The proxy and its certificate authority need proper configuration, which differs depending on the operating system type and version.

Step 1: Install Fiddler Everywhere and enable HTTPS capturing (https://docs.telerik.com/fiddler-everywhere/installation-and-update/installation-procedure#getting-started-guides)

Step 2: Enable “Allow remote computers to connect” option (https://docs.telerik.com/fiddler-everywhere/traffic/configure-android#configuring-fiddler-everywhere )

Step 3: Set the Fiddler Everywhere proxy and trust certificate on the Android device/emulator (https://docs.telerik.com/fiddler-everywhere/traffic/configure-android#configuring-the-android-device )

Voila! You are ready to start capturing the HTTPS traffic from your mobile browser.

Use Cases

The most powerful features of Fiddler Everywhere are the ability to visualize the Live Traffic captured traffic in a handy format within the Inspectors tab, to show analytical and statistical data as a summary in the Overview tab, and to modify requests and responses through the Rules tab (mocking server and user behavior).

Live Traffic

We will use Fiddler Everywhere’s own documentation page to make an introductory demonstration. Let’s open the documentation landing page and see what happens while Live Traffic actively captures inbound and outbound traffic. The captured traffic will look like the image below (note that, for clarity, we’ve used URL column filtering based on the term “telerik.com”).

Immediately, a few things become apparent:

• The documentation endpoint at docs.telerik.com/fiddler-everywhere uses a redirect status 301 Moved permanently and then lands on https://docs.telerik.com/fiddler-everywhere/introduction.
• The site uses HTTP version 1.1.
• We can immediately see that the largest size is the session that accesses a specific web font (column number 6236 in the above screenshot). We can use this information as an option to optimize the site for slower networks (for example, by replacing that font with one with a smaller size or adding a CDN option).

The columns provide structured session information about returned status code, used HTTP method (GET, POST, etc.), size in bytes, used HTTP version, remote IP address, time stamps, content type and multiple other fields. Each captured session contains a lot of helpful information that we can use straight away and has built-in immediate actions that we can apply through the context menu (marking, filtering, sharing, replays, adding a new rule, etc.).

Overview Tab

Through the Overview tab, we can select multiple sessions of interest and analyze their statistical data to find possible deviations or bottlenecks in the user experience. The good thing here is that we can quickly test real-life behavior on different mobile devices and see how our web application acts in different environments (like slower hardware, network delays, testing unavailability of some resources, etc.).

It’s worth noticing that the Overview tab will adapt its UI when a single session is selected. This way, we can examine the specific HTTP requests and responses of any session.

Inspectors

The traffic inspections naturally continue through the Inspectors tab. Double-click on a single session to let Fiddler Everywhere load the most appropriate Inspector, or use single-click to preserve the last loaded Inspector type. The latter is beneficial when you need to investigate specific data like the Headers of multiple sessions, and you want to prevent loading the default Inspector type.

The Inspectors are the backbone of Fiddler Everywhere. Each session consists of a request and response inspector, and each inspector has multiple UI types that we can use to extract valuable information.

Some basic examples:

• We can use the Headers inspector to obtain an authorization token that we can easily reuse in our development process
• We can use the Body inspector to get essential information about the encryption and certificate authority used.
• We can use the Preview inspector to test how our UI would look with different rules applied.

Rules

We can use the Rules tab to create a rule that intentionally breaks the web font request to visualize what would happen with our site if the preferred font does not load. Do you remember the large web font icons request we observed in our initial capturing? Why not test what would happen if we explicitly applied a rule that breaks it (QA engineers celebrating in the background)?

What About HTTPS Capture From My Android Applications?

So far, the use case was depicting a scenario where we were testing a web page accessible through a mobile browser (or any other type of browser). You might wonder if Fiddler Everywhere is suitable for testing your HTTPS request sent directly from an API within your Android application?

Yes, you can use Fiddler Everywhere to capture, inspect and debug any HTTPS traffic from an Android application in development. The last part is essential—the Android applications are configured to reject any user-installed certificate authorities by default. That means that you can capture HTTPS traffic from an Android application explicitly configured (by the app’s developers) to trust user-installed CA.

Learn more about using a real device or an Android virtual device of your choice and configure your application to trust the Fiddler Everywhere root certificate.

Final Words

Fiddler Everywhere is a modern tool built on solid foundations (Fiddler Classic was first published in 2003). The tool constantly grows and adds features like cloud collections, rules builder, extended collaboration, multiple export and import formats, multiple inspectors, statistical information, HTTP/2 support, WebSocket support, support for mobile devices, native support for Windows, macOS and Linux, and many more.

The mobile story for both Android and iOS (did I mention that we do support iOS capturing?!) is strong. It provides an excellent opportunity to improve your team’s development and testing abilities against the rapidly evolving mobile application market.

Do you need more context, have specific technical questions or request a demo? Please do not hesitate to contact us!

Try Fiddler Everywhere