Fiddler Classic v5.0.20211.51073 for .NET 4.6.1 and Android 9.
- install Fiddler.
- Install "CertMaker for iOS and Android".
- open Fiddler.
- Check "Decrypt HTTPS traffic" in Option.
- Install the certificate when the install dialog box appears.
- set "Protocols" to "<client>;ssl3;tls1.2".
- add the following code to the end of "static function OnBeforeRequest(oSession: Session)" in "Fiddler Script".
if (oSession.HTTPMethodIs("CONNECT"))
{
oSession["https-DropSNIAlerts"] = "yup";
FiddlerApplication.Log.LogString("Legacy compat applied for request");
}
- Restart Fiddler.
- set Android proxy settings to the Fiddler address.
- access Fiddler's website with an Android browser and download the certificate.
- Install the certificate.
- move the converted certificate in /data/mics/user/0/cacerts-added/ to /system/etc/security/cacerts/.
- set the owner and group of the moved file to root and set permissions to rw-r--r--.
- Remove the first installed certificate
- Restart Android.
When I access an HTTPS site with Chrome after following these steps, I get the message "NET::ERR_CERT_AUTHORITY_INVARID" and cannot access the site. Fiddler just comes up with CONNECT. At the stage of just installing in the user area in 11., I am able to access the HTTPS site from Chrome and it is decrypted in fiddler. However, when I move it to the system area, I am having trouble communicating with it. The list of trusted credentials for the system in the settings app reflects it correctly and I can view the information inside by tapping on it. Why is there an error?
PS: When I run Chromium Edge on a PC running Fiddler and look at the serial number of the root certificate for the certificate to the https site and compare it to the serial number in the CA certificate list installed on the Android system, it matches. The former does not cause an error, but the latter does.
Rank 1
1 Answer, 1 is accepted
Hello,
You need to install the Fiddler certificate as a user certificate and not as a system one simply because it is not a system one.
The trusted credentials settings are divided into two sections: The system section provides a list of trusted certificate authorities that come with your device. The user section lists all trusted certificate authorities that have been installed by you or an app. It may be blank if you didn’t install any CA certificate not already included with the device.
Regards,
Nick Iliev
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.
Rank 1
As mentioned in the question text, it works fine at the stage of installation on the user list, but when I move it to the system, it stops working.
I want to analyze the communication of the app, not the browser, so we need to install it on the system.
The device is rooted.
In fact, I used to be able to set it up and was able to analize app communications until just the other day but, when I updated the fiddler certificate and I am trying to install it again but I forgot how to do it.
Perhaps, you can check if the application is not looking for a pinned certificate.
Apart from that, it seems that on your side the Fiddler certificate is not recognized as root CA even on Chrome so it is likely that you are not successfully adding it as a system certificate. Have you explicitly mounted the system directory and then rebooted the device (see examples and details here https://techstarspace.engineer/2019/12/02/move-android-user-installed-certificates-to-system-ca-store/ and here https://gist.github.com/pwlin/8a0d01e6428b7a96e2eb )?
Rank 1
The file was copied using the root file explorer app and restarted.
The file has been added to the Certificate Authority list in the Settings app.
Is this not the way to do it?
Have you explicitly mounted the /system/etc/security/cacerts folder (to enable read/write capability)?
As a disclaimer, I have not used a rooted phone and can't confirm the exact steps to make a user certificate a system one. Supporting rooted devices is not a feature that is officially supported by Fiddler Classic, but that said if the certificate is properly installed as a system one, the proxy will use it so you should be able to capture and decrypt HTTPS traffic. Being able to capture only the CONNECT requests indicates that you are capturing only non-secure HTTP traffic.
Rank 1
It's a long shot but have you tried the same with Fiddler Everywhere?
It is hard to say what might be causing your issue, apart from the certificate is not recognized. So again it is either that the application is expecting a specific certificate or that the certificate is not properly/entirely installed in the OS (Android).