This is a migrated thread and some comments may be shown as answers.

Decrypting SSL from apps on Android P DP2

Khangaroo
Top achievements
Rank 1
Khangaroo asked on 21 May 2018, 02:09 AM
    Apparently, Google made some changes in later versions of Android that prevent the usage of user certificates in apps. Is there any way to bypass this? I am rooted, by the way.

10 Answers, 1 is accepted

0
Simeon
Telerik team
answered on 22 May 2018, 08:26 AM
Hello,

Could you please elaborate on what your user scenario is? Are you using the FiddlerOrchestra client for Android? What is the Android version which you target?

Regards,
Simeon
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
0
Khangaroo
Top achievements
Rank 1
answered on 22 May 2018, 03:55 PM
The app I'm debugging is not mine, and I'm not sure what the FiddlerOrchestra client for Android is. I've just been using regular Fiddler 4 on Windows as a reverse proxy.
0
Khangaroo
Top achievements
Rank 1
answered on 22 May 2018, 09:00 PM
Actually, I upgraded to 5 and downloaded the APK for Fiddler Orchestra, but the app gets stuck on connecting now. I tried connecting through the Windows client and that worked fine.
0
Khangaroo
Top achievements
Rank 1
answered on 22 May 2018, 09:08 PM
(by app, I mean Fiddler. Too bad there's no edit function!)
0
Simeon
Telerik team
answered on 28 May 2018, 08:30 AM
Hello,

"The app gets stuck on connecting now" could mean that there is a network connectivity problem. For example, FiddlerOrchestra and the Android app could be in different IP networks without connectivity, or the port which is used by FiddlerOrchestra could be blocked by the router.

Regards,
Simeon
Progress Telerik
0
Denis
Top achievements
Rank 1
answered on 24 Jul 2018, 03:52 PM

Hi guys,

I have the same problem with Fiddler (v5.0) app and Android 8.0 (there is no problem with Android 5 and lower).

I tried to sniff web traffic from the smartphone but could not. Fiddler can sniff only 'Tunnel to' connections.

The phone and PC work in the same IP network.

So is there any solution to fix this?

Thanks

0
Alexander
Telerik team
answered on 30 Jul 2018, 05:17 AM
Hello,

Did you turn on the "Decrypt HTTPS traffic" option in Tools -> Options -> HTTPS?

Regards,
Alexander
Progress Telerik
0
Denis
Top achievements
Rank 1
answered on 02 Aug 2018, 09:31 AM

Hello Alexander,

Yes, sure, I did it.

I installed Fiddler app on my PC. I also have two mobile phones (one with Android v5, another with Android v8).

I installed the same certificate for both phones. And I set the same proxy settings to them.

I can see all requests for the phone with Android v5.

But I don't see requests for the phone with Android v8. There are only 'Tunnel to' connections.

 

It seems I found the answer for this problem:

"In Android 7 all apps that target API Level 24 and later will ignore all user-installed root certificates by default. I cannot find information if this changed in Android 8 so I assume it is still valid. Only app developers can override this behavior for their app only and from what I'm reading the app you are trying to debug is yours. You can find more information about how to do it here."

https://www.telerik.com/forums/unable-to-capture-only-https-traffic-of-android-mobile-application

 

Does it mean I cannot use Fiddler with Android 7 and higher?

Thanks

0
Alexander
Telerik team
answered on 02 Aug 2018, 11:16 AM
Hello Denis,

Rather unfortunately, it seems so. At least with the described apps (API 24 and up). I assume that it is somehow possible to work around this using rooting, but I haven't come across any solution yet.

Regards,
Alexander
Progress Telerik
0
Denis
Top achievements
Rank 1
answered on 02 Aug 2018, 12:43 PM

OK,

Thank you Alexander!
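
The per-app override mentioned in the quote in Denis's post is declared in the app's Network Security Configuration file. The following is an added example, not part of the original thread and not Telerik code: a small audit that reads the source form of `res/xml/network_security_config.xml` and reports whether user-installed CAs are trusted only under `<debug-overrides>` (debuggable builds) or also in release builds. Both sample configs and the host name `api.example.test` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples of res/xml/network_security_config.xml (source form;
# inside a built APK the file is compiled binary XML and must be decoded first).
DEBUG_ONLY = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

RELEASE_TRUSTS_USER = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
</network-security-config>"""

SECTIONS = ("base-config", "domain-config", "debug-overrides")


def user_ca_scopes(xml_text):
    """Return (section, domains) for every section that trusts user-installed CAs."""
    findings = []
    for section in ET.fromstring(xml_text).iter():
        if section.tag not in SECTIONS:
            continue
        # Inspect only this section's own <trust-anchors>, not nested configs.
        srcs = [c.get("src") for ta in section.findall("trust-anchors")
                for c in ta.findall("certificates")]
        if "user" in srcs:
            domains = [d.text.strip() for d in section.findall("domain") if d.text]
            findings.append((section.tag, domains))
    return findings


def trusts_user_cas_in_release(xml_text):
    """True if user CAs are trusted outside <debug-overrides>, so in release builds too."""
    return any(scope != "debug-overrides" for scope, _ in user_ca_scopes(xml_text))


if __name__ == "__main__":
    for name, cfg in (("debug-only", DEBUG_ONLY), ("release", RELEASE_TRUSTS_USER)):
        print(name, user_ca_scopes(cfg), trusts_user_cas_in_release(cfg))
```

A config with no `src="user"` entry at all yields an empty result, which matches the default described in the thread for apps targeting API level 24 and later.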
