I cannot decode https traffic from a specific ios application

0 Answers 85 Views
Fiddler Classic Fiddler Everywhere iOS
John
Top achievements
Rank 2
Iron
Iron
Veteran
John asked on 24 Oct 2022, 06:02 PM

There's a 3rd party ios app that i want to capture traffic from, and i'm not having any luck in doing so.  It is specifically the Twinkly app.  My web requests from the browser seem to be getting decoded and i did not expect the apple apps to be decoded, due to certificate pinning, but I really would like to get this working for a 3rd party app.  I installed a bouncy castle certificate and tried that, and I also set up a trial of Fiddler Everywhere and started over, with no luck.  Any ideas?  I am willing to jump through any kind of hoop necessary to get this to work, including jailbreaking the phone.

 

Nick Iliev
Telerik team
commented on 25 Oct 2022, 06:43 AM

We are unaware of how the specific application is making its request and if it is using additional security techniques. Suppose traffic is not captured (including non-secure HTTP tunnels) when the application is making its request. In that case, that can indicate that the app is not using HTTP/HTTPS or is not respecting the proxy configuration. If the app is only capturing the HTTP Connect tunnels but returning errors when making HTTPS requests, that most likely indicates that the application is not trusting the Fiddler certificate (which can be caused by a cert pinning or other security limitations).
John
Top achievements
Rank 2
Iron
Iron
Veteran
commented on 26 Oct 2022, 02:41 PM | edited

As far as i can determine based on your clues, it's most likely certificate pinning.    I was unaware of this existing with 3rd party apps when i asked this question, but it makes sense as the android version of their app uses okhttp which also refuses to trust the telerik certificate.  I had to patch the app to capture traffic in that case.

No answers yet. Maybe you can help?

Tags
Fiddler Classic Fiddler Everywhere iOS
Asked by
John
Top achievements
Rank 2
Iron
Iron
Veteran
Share this question
or