Decrypting SSL from apps on Android P DP2

11 posts, 0 answers
  1. Khangaroo
    Khangaroo avatar
    6 posts
    Member since:
    May 2018

    Posted 20 May 2018 Link to this post

        Apparently, Google made some changes in later versions of Android that prevent the usage of user certificates in apps. Is there any way to bypass this? I am rooted, by the way.
  2.
  3. Simeon
    Admin
    Simeon avatar
    195 posts

    Posted 22 May 2018 Link to this post

    Hello,

    Could you, please, elaborate on what your user scenario is. Are you using the FiddlerOrchestra client for Android? What is the Android version which you target?

    Regards,
    Simeon
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  5. Khangaroo
    Khangaroo avatar
    6 posts
    Member since:
    May 2018

    Posted 22 May 2018 in reply to Simeon Link to this post

    The app I'm debugging is not mine, and I'm not sure what the FiddlerOrchestra client for Android is. I've just been using regular Fiddler 4 on Windows as a reverse proxy.
  7. Khangaroo
    Khangaroo avatar
    6 posts
    Member since:
    May 2018

    Posted 22 May 2018 Link to this post

    Actually, I upgraded to 5 and downloaded the APK for Fiddler Orchestra, but the app gets stuck on connecting now. I tried connecting through the Windows client and that worked fine.
  8.
  9. Khangaroo
    Khangaroo avatar
    6 posts
    Member since:
    May 2018

    Posted 22 May 2018 in reply to Khangaroo Link to this post

    (by app, I mean Fiddler. Too bad there's no edit function!)
  11. Simeon
    Admin
    Simeon avatar
    195 posts

    Posted 28 May 2018 Link to this post

    Hello,

    the app gets stuck on connecting now could mean that there is a network connectivity problem. For example, the FiddlerOrchestra and the Android app could be in different IP networks without connectivity or the port which you are using by FiddlerOrchestra could be blocked by the router.

    Regards,
    Simeon
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  13. Denis
    Denis avatar
    3 posts
    Member since:
    Jul 2018

    Posted 24 Jul 2018 Link to this post

    Hi guys,

    I have the same problem with Fiddler (v5.0) app and Android 8.0 (there is no problem with Android 5 and lower).

    I tried to sniffer web traffic from smartphone but could not. Fiddler can sniffer only 'Tunnel to' connections.

    The phone and PC works in the same IP network.

    So is there any solution to fix this?

    Thanks

  14.
  15. Alexander
    Admin
    Alexander avatar
    383 posts

    Posted 30 Jul 2018 Link to this post

    Hello,

    Did you turn on the "Decrypt HTTPS traffic" option in Tools -> Options -> HTTPS?

    Regards,
    Alexander
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  17. Denis
    Denis avatar
    3 posts
    Member since:
    Jul 2018

    Posted 02 Aug 2018 in reply to Alexander Link to this post

    Hello Alexander,

    yes sure I did it.

    I installed Fiddler app on my PC. I also have two mobile phones (one with Android v5, another with Android v8).

    I installed the same certificate for both phones. And I set the same proxy settings to them.

    I can see all requests for the phone with Android v5.

    But I don't see requests for the phone with Android v8. There are only 'Tunnel to' connections.

     

    It seems I found the answer for this problem:

    "In Android 7 all apps that target API Level 24 and later will ignore all user-installed root certificates by default. I cannot find information if this changed in Android 8 so I assume it is still valid. Only app developers can override this behavior for their app only and from what I'm reading the app you are trying to debug is yours. You can find more information about how to do it here."

    https://www.telerik.com/forums/unable-to-capture-only-https-traffic-of-android-mobile-application

     

    Does it mean I cannot use Fiddler with Android 7 and higher?

    Thanks

  19. Alexander
    Admin
    Alexander avatar
    383 posts

    Posted 02 Aug 2018 Link to this post

    Hello Denis,

    Rather unfortunately, it seems so. At least with the described apps (API 24 and up). I assume that it is somehow possibe to workaround this using rooting, but I haven't came across to any solution yet.

    Regards,
    Alexander
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  21. Denis
    Denis avatar
    3 posts
    Member since:
    Jul 2018

    Posted 02 Aug 2018 in reply to Alexander Link to this post

    OK,

    Thank you Alexander!

Back to Top