Need help reading https traffic from android app

3 posts, 0 answers
  1. dies
    dies avatar
    2 posts
    Member since:
    Dec 2014

    Posted 12 Dec 2014 Link to this post

    Hello Eric, i've been racking my brains for the last few days figuring out why i cant sniff my twitter android app traffic anymore!

    Basically what worked before was that i had simply installed fiddler proxy on my PC, exported the root certificate (and added it to my android devices CA storage), then i installed cydia's mobile substrate and Android-SSL-TrustKiller because apparently the twitter apk uses certificate pinning that needs to be bypassed in order to properly MitM the app. I set my android wifi proxy settings to the same ip:port as the machine that fiddler is listening on.

    Unfortunately this does not work anymore and im left unable to properly read twitters app traffic, whereas googleplay, facebook, instagram, etc etc all work fine. It had worked fine until a few days ago. I hadn't updated my twitter app either so im just not sure how it could have broke itself.

    I tried proxydroid (which uses iptables i believe), and fiddler showed attempts at connecting to one of twitters ip, but it never goes through (i believe this is an issue with the IP not resolving to the host-name correctly, which causes certificate name mismatch errors)

    With standard wifi proxy tuned to fiddler, i dont see ANY requests.  With proxydroid, i see this
    (tones of CONNECTS and cert mismatches, despite having imported fiddlerroot into CA storage.

    I'm incredibly vexed...i need someone who can help me properly diagnose and fix this issue.

    If it helps, im on a SGS3 android version 4.1.2 (I even tried genymotionemulator, yielding the same results).
  2. Eric Lawrence
    Eric Lawrence avatar
    832 posts

    Posted 15 Dec 2014 Link to this post

    Installing Fiddler's root certificate will not help with certificate name mismatch errors. When you use iptables to reroute Android traffic, you need to set the SetCNFromSNI preference: so that Fiddler knows what server it's talking to (rather than just its IP address).

    In the other scenario, where you don't even see a CONNECT request, this is a sign that there's a bug somewhere in the client application or your jailbreaking/trustbreaking software, since Fiddler obviously can't screw anything up if you're not even sending it traffic. :-)

    Eric Lawrence

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

  3. dies
    dies avatar
    2 posts
    Member since:
    Dec 2014

    Posted 07 Feb 2015 in reply to Eric Lawrence Link to this post

    Thanks for the response, Eric. 

    I have tried both methods (setting SNI preference to true, which did not affect this particular twitter APP but DID affect "fix" instagram app), and manually correcting the mismatches on the once-off basis (I repeated this for all of the ~20 ip's that twitter uses)

    Still no cigar.
Back to Top