Cannot see HTTPS communication of Android app in Fiddler

1 Answer 2976 Views
Fiddler Classic Mobile
s
Top achievements
Rank 1
s asked on 13 Apr 2022, 01:27 PM

Fiddler Classic v5.0.20211.51073 for .NET 4.6.1 and Android 9.

  1. install Fiddler.
  2. Install "CertMaker for iOS and Android".
  3. open Fiddler.
  4. Check "Decrypt HTTPS traffic" in Option.
  5. Install the certificate when the install dialog box appears.
  6. set "Protocols" to "<client>;ssl3;tls1.2".
  7. add the following code to the end of "static function OnBeforeRequest(oSession: Session)" in "Fiddler Script".
        if (oSession.HTTPMethodIs("CONNECT"))
        {
            oSession["https-DropSNIAlerts"] = "yup";
            FiddlerApplication.Log.LogString("Legacy compat applied for request");
        }
  1. Restart Fiddler.
  2. set Android proxy settings to the Fiddler address.
  3. access Fiddler's website with an Android browser and download the certificate.
  4. Install the certificate.
  5. move the converted certificate in /data/mics/user/0/cacerts-added/ to /system/etc/security/cacerts/.
  6. set the owner and group of the moved file to root and set permissions to rw-r--r--.
  7. Remove the first installed certificate
  8. Restart Android.
  9.  

When I access an HTTPS site with Chrome after following these steps, I get the message "NET::ERR_CERT_AUTHORITY_INVARID" and cannot access the site. Fiddler just comes up with CONNECT. At the stage of just installing in the user area in 11., I am able to access the HTTPS site from Chrome and it is decrypted in fiddler. However, when I move it to the system area, I am having trouble communicating with it. The list of trusted credentials for the system in the settings app reflects it correctly and I can view the information inside by tapping on it. Why is there an error?

PS: When I run Chromium Edge on a PC running Fiddler and look at the serial number of the root certificate for the certificate to the https site and compare it to the serial number in the CA certificate list installed on the Android system, it matches. The former does not cause an error, but the latter does.

Pren
Top achievements
Rank 1
commented on 15 Apr 2022, 06:58 PM

The question you asked is very good. I read it carefully but could not find anyone to help me understand it. Anyone can describe it correctly here https://www.telerik.com/forums/cannot-see-https-communication-10eloto-of-android-app-in-fiddler

1 Answer, 1 is accepted

Sort by
0
Nick Iliev
Telerik team
answered on 13 Apr 2022, 02:46 PM

Hello,

 

You need to install the Fiddler certificate as a user certificate and not as a system one simply because it is not a system one.

The trusted credentials settings are divided into two sections: 

The system section provides a list of trusted certificate authorities that come with your device. 
The user section lists all trusted certificate authorities that have been installed by you or an app. It may be blank if you didn’t install any CA certificate not already included with the device. 
I believe that the only way to "trick" Android to accept Fiddler as a system certificate (and to actually use it) is to have your device rooted.


Regards,
Nick Iliev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

s
Top achievements
Rank 1
commented on 13 Apr 2022, 02:55 PM

Thank you for your answer.
As mentioned in the question text, it works fine at the stage of installation on the user list, but when I move it to the system, it stops working.
I want to analyze the communication of the app, not the browser, so we need to install it on the system.
The device is rooted.
In fact, I used to be able to set it up and was able to analize app communications until just the other day but, when I updated the fiddler certificate and I am trying to install it again but I forgot how to do it.
Nick Iliev
Telerik team
commented on 14 Apr 2022, 10:31 AM

Perhaps, you can check if the application is not looking for a pinned certificate.

Apart from that, it seems that on your side the Fiddler certificate is not recognized as root CA even on Chrome so it is likely that you are not successfully adding it as a system certificate. Have you explicitly mounted the system directory and then rebooted the device (see examples and details here https://techstarspace.engineer/2019/12/02/move-android-user-installed-certificates-to-system-ca-store/ and here https://gist.github.com/pwlin/8a0d01e6428b7a96e2eb )?

s
Top achievements
Rank 1
commented on 14 Apr 2022, 12:31 PM

I don't think it is pinned because I can't open a site I have not seen before.
The file was copied using the root file explorer app and restarted.
The file has been added to the Certificate Authority list in the Settings app.
Is this not the way to do it?
Nick Iliev
Telerik team
commented on 15 Apr 2022, 07:21 AM

 

Have you explicitly mounted the /system/etc/security/cacerts folder (to enable read/write capability)?

As a disclaimer, I have not used a rooted phone and can't confirm the exact steps to make a user certificate a system one. Supporting rooted devices is not a feature that is officially supported by Fiddler Classic, but that said if the certificate is properly installed as a system one, the proxy will use it so you should be able to capture and decrypt HTTPS traffic. Being able to capture only the CONNECT requests indicates that you are capturing only non-secure HTTP traffic.

s
Top achievements
Rank 1
commented on 15 Apr 2022, 11:19 AM

I was able to move the files in root file explorer, so I think it is ok, but I tried to remount in rw mode and move the files with the command to try, but unfortunately it did not resolve the error.
Nick Iliev
Telerik team
commented on 18 Apr 2022, 12:56 PM

It's a long shot but have you tried the same with Fiddler Everywhere?

It is hard to say what might be causing your issue, apart from the certificate is not recognized. So again it is either that the application is expecting a specific certificate or that the certificate is not properly/entirely installed in the OS (Android).

Tags
Fiddler Classic Mobile
Asked by
s
Top achievements
Rank 1
Answers by
Nick Iliev
Telerik team
Share this question
or