I'm using Fiddler to analyze an Android app. It communicates with the server through HTTPS, Fiddler has no problems to decrypt the traffc when using its root certificate.But the authentification of the app works using OAuth on a Cloudflare server and it seems to detect Fiddler's root certificate (the MITM).
I need to deactivate Capture HTTPS CONNECTs to make it work - it's not enough to deactivate Decrypt HTTPS traffic.
I wrote a small FiddlerScript, but it also doesn't work, since it deactives the decrypting only, not the capturing. Is there a hack for this?
1.
if
(oSession.uriContains(
"/oauth/"
) || oSession.uriContains(
"/bd/"
)) {
2.
oSession[
"x-no-decrypt"
] =
"do not care."
;
3.
oSession[
"ui-color"
] =
"red"
;
4.
}
This only occures on some Android apps. Sometime seem to have a weaker setting in Cloudflare and let the Fiddler root certificate pass through.