This is a migrated thread and some comments may be shown as answers.

Fiddler Everywhere failing to show HTTPS traffic for a mobile Application

1 Answer 503 Views
MacOS
This is a migrated thread and some comments may be shown as answers.
Bhagyasree
Top achievements
Rank 1
Bhagyasree asked on 04 Feb 2021, 10:58 PM

Fiddler Everywhere is failing with below error if HTTPS traffic is enabled.

 

Did the below:

1) Trusted Fiddler root certificate on my PC and mobile

2) Configured manual proxy over my Wi Fi to route network traffic from my mobile application to fiddler on desktop

3) Enabled capture HTTPS traffic 

4) The app I am trying to debug network traffic is blink for home.

 

But all the requests are failing with the below error in the image. please help.

 

1 Answer, 1 is accepted

Sort by
0
Nick Iliev
Telerik team
answered on 08 Feb 2021, 07:36 AM

Hello Bhagyasree,

 

For Fiddler (or Fiddler Everywhere) to capture traffic from a mobile application, the root certificate needs to be installed and enabled in the iOS as described in this documentation article. However, that doesn't mean that you will capture all secure traffic as some servers are using the so-called certificate pinning. Basically, this is a security technique where the server will allow a secured connection only if he recognizes the root certificate that the browser or application (that is making the request) is using. When Fiddler is a MITM proxy, it is installing a different certificate, and all connections will be actively refused with an error similar to the one you are receiving.


That said, I am not entirely sure what security techniques are used by the mobile app Blink for Home but based on this article, it looks like that the security is tight. If you are the developer behind the Blink for Home mobile application, the only solution would be to temporarily disable the certificate pinning and allow the app to use 3rd-party certificates (specifically the Fiddler certificate) so that you could use Fiddler for debugging. If you don't own the app and don't have access to the codebase, then there is no out-of-the-box solution, and you won't be able to capture the secure traffic from that application.


 

 

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Tags
MacOS
Asked by
Bhagyasree
Top achievements
Rank 1
Answers by
Nick Iliev
Telerik team
Share this question
or