iOS app not allowing me to connect when 'Decrypt HTTPS Traffic' is enabled

1 Answer 798 Views
Mobile
Mark
Top achievements
Rank 1
Mark asked on 16 Dec 2015, 10:15 PM

I have a certain iOS app that's not publicly available so you won't be able to fully troubleshoot, however I can explain the behavior I'm experiencing. 

When I attempt to use the app when  'Decrypt HTTPS Traffic' is disabled, the app works, but the data is encrypted and Fiddler prompts me to configure the settings.

When I enable 'Decrypt HTTPS Traffic' the app does not let me do anything and simply says 'network unavailable.' 

I did install the iOS certificate. I tested on several other apps and don't appear to be experiencing the same problem. Any ideas on how I can further troubleshoot this?

 

Thank you.

 

 

 

Eric Lawrence
Telerik team
commented on 16 Dec 2015, 10:21 PM

> I tested on several other apps and don't appear to be experiencing the same problem. 

To be clear, do you see HTTPS traffic in plaintext in Fiddler from those other applications? How about if you visit e.g. https://bayden.com/ in Safari?

When this app fails to connect, is there any text of interest in Fiddler's Log tab?

> "not publicly available"

Can you tell me anything about this app? Did you write it? If not, is it an app for which Certificate Pinning may be in use

Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Mark
Top achievements
Rank 1
commented on 16 Dec 2015, 11:58 PM

Thanks for the response once again.

1 - I am able to view HTTPS traffic from other apps in plaintext. I tested with an app I've used in the past and it works as it always has.

2 - bayden.com - I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.

3 - I did not write the app, I'm unsure if it's using 'certificate pinning.' How can I find out? 

 

Mark
Top achievements
Rank 1
commented on 17 Dec 2015, 12:44 AM

I will add something further.

This app is an 'enterprise app' which means it's distributed directly from the creator and was not obtained through the app store.

Furthermore, there is an entry on the iphone under settings>profile showing that this app is 'trusted on this iphone.' This is the same place on the phone where Fiddler installs an iOS cert if downloaded.

After a bit of reading, it does seem like this might be a network pinning issue. I don't know with certainty but it's clear that when 'decrypt' is enabled the app cannot preform any network functions. When 'decrypt' is disabled, it works just fine on the device - but the Fiddle traffic is decrypted.

 

1 Answer, 1 is accepted

Sort by
0
Accepted
Eric Lawrence
Telerik team
answered on 17 Dec 2015, 09:28 PM
Hi, Mark--

This:

- I receive a certificate error on the device but it works if I proceed and the traffic appears to be properly captured by Fiddler.

...indicates that the client device doesn't trust Fiddler's certificate. One possibility is that you're using a legacy "makecert" generated certificate which cannot be used with iOS devices. 

Inside Tools > Fiddler Options > HTTPS, what does the "Certificates Generated by" link at the right say? If it says "MakeCert", please do the following:

1> Change it to CertEnroll.
2> Follow the steps here: http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
3> Remove the root certificate from the iOS device.
4> Put the new certificate on the device
5> Verify that traffic from https://bayden.com/ is captured without any warnings.


Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Mark
Top achievements
Rank 1
commented on 18 Dec 2015, 04:54 AM

Hi Eric,

Thanks for that. You were spot on! I followed the steps in that link to reset all my certificates on Fiddler and then installed it on the device.

bayden.com then worked without any problems......and much to my amazement the app started working as well! Fiddler properly displayed the decrypted data in plaintext. It was set to CertEnroll but I guess it was the 'cleaning out' of the old certificates that solved it! So, it was not a 'certificate pinning' problem after all.

It's a real credit to Fiddler that you're personally involved in these forums as there is no way I would have solved this without you.

Thanks again.

Mitch
Top achievements
Rank 1
commented on 10 Oct 2017, 05:16 AM

Reviving this thread... I'm having the same issue now. When I first connected to the proxy, everything appeared to be working, except that content wouldn't load in one particular app. I disabled and re-enabled the proxy on my iPhone, and now it refuses to load any HTTPS pages even though I have installed the Fiddler root. I tried Eric Lawrence's steps, but in my case they didn't help. Any advice is appreciated.
Alexander
Telerik team
commented on 13 Oct 2017, 11:08 AM

Hello,

Please, try following the steps in this tutorial.

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Mitch
Top achievements
Rank 1
commented on 16 Oct 2017, 05:09 AM

Hi Alexander,

That is the tutorial I followed the first time. I went through again and made sure I followed all the steps, including installing the Certificate Maker plugin. However, iOS still refuses to connect to HTTPS sites when using Fiddler as a proxy.

Alexander
Telerik team
commented on 16 Oct 2017, 04:42 PM

Hello Mitch,

Which version of iOS are you using? Also, can you see HTTP traffic in Fiddler?

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
A
Top achievements
Rank 1
commented on 23 Oct 2017, 09:48 AM

ios version: 11.0.3

I see traffic in Fiddler. But all traffic is encrypted. Looks like "Tunnel to http://81.19.104.63:443" I have tried Cert Enroll and addon certmaker.dll certificate engines. 
Alexander
Telerik team
commented on 26 Oct 2017, 09:58 AM

Hello,

Since iOS 10.3 one have to enable full trust manually after importing certificate. You can find more information here.

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
A
Top achievements
Rank 1
commented on 26 Oct 2017, 02:39 PM

Thanks. Problem solved.
Jamie
Top achievements
Rank 1
commented on 09 Feb 2020, 02:25 PM

FOLLOW THE STEPS-

Configure Fiddler
Click Tools > Fiddler Options > Connections.
Click the checkbox by Allow remote computers to connect.

Restart Fiddler.
Ensure your firewall allows incoming connections to the Fiddler process, and that it's not blocking all incoming connections, including those in the list of allowed apps.
Hover over the Online indicator at the far right of the Fiddler toolbar to display the IP addresses assigned to Fiddler's machine.

Verify client iOS device can reach Fiddler by navigating in the browser to http://FiddlerMachineIP:8888. This address should return the Fiddler Echo Service page.
For iPhone: Disable the 3g/4g connection.

Tags
Mobile
Asked by
Mark
Top achievements
Rank 1
Answers by
Eric Lawrence
Telerik team
Share this question
or