Unable to capture only HTTPS traffic of android mobile application

2 Answers 844 Views
Mobile
lenin
Top achievements
Rank 1
lenin asked on 04 Mar 2015, 09:10 AM
Hi Eric,

I am trying to capture the traffic of a mobile banking application installed in an Android device using Fiddler

Exactly followed the instructions on http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid , 
but I do not to see any HTTPS  calls after capturing the traffic ; I can only see the HTTP calls captured.


1) Even after installing "Fiddler Root Certificate" on device Trusted Credentials, why HTTPS calls did get captured ?

2) Do I need to speak with Dev. for a work around ? If so , can you please guide me what exactly has to done by Dev. at server/application level ?


Got stuck with these issues for long time.Appreciate your help please.

Regards
Lenin
Eric Lawrence
Telerik team
commented on 05 Mar 2015, 05:30 PM

Which HTTP calls do you see specifically? Do you see HTTP calls from the application, or only other apps?

If you do see HTTP calls from the app, do any of those requests show "Tunnel to" in the HOST column in Fiddler's Session list?

Which HTTPS calls *don't* you see, specifically? Do you see HTTPS traffic from other apps?

Regards,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
cool
Top achievements
Rank 1
commented on 18 May 2015, 04:12 PM

Hello,

 

I am having the same as the OP.

 

Basically, one of the apps on the Nexus 7 android device is not being properly monitored by Fiddler.

 

Other apps on the tablet with HTTPS traffic are working fine.

 

Fiddler is showing "Tunneling to" and no further communication from that app, while the app on the tablet fails to continue working.

 

Please advise.

Eric Lawrence
Telerik team
commented on 19 May 2015, 11:06 AM

Hello, "cool"--

You haven't provided enough information to go on; for instance, telling us what application you're talking about might allow us to help you.

Without further information, my guess is that the application is something like DropBox which uses Certificate Pinning, and cannot be intercepted without first jailbreaking the device.

Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
cool
Top achievements
Rank 1
commented on 19 May 2015, 11:13 PM

Hello Eric,

 Thanks for the reply. I suspect certificate pinning but I have not looked at it yet.

 

Meanwhile, to answer you, the application is "Basis Peak" mobile app.

You should be able to check / repro the problem without the hardware. Just try to login (even w/o valid credentials) and the app won't be able to contact the server and authenticate.

 

Thanks!

VSCT
Top achievements
Rank 1
commented on 10 Aug 2017, 02:49 PM

Hi, everyone 

 

I have the same problem.

I use a NEXUS 6P and even if my certificat is install I can't see the HTTPS traffic of my application. I can see HTTP traffic and Tunnel, I can contact the server and use the app normally but can't see HTTPS. I can see HTTPS of others applications on the device but not this one.

With an other device I don't have the problem. But I need to check HTTPS traffic in this specific device.

 

I'm an amateur in Fiddler and certificate so I prefer to ask.

(sorry my english is not ... good ^^")

Thanks

Alexander
Telerik team
commented on 15 Aug 2017, 03:16 PM

Hi,

What version of Android is the Nexus 6P using? Also how did you install the root certificate?

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
VSCT
Top achievements
Rank 1
commented on 16 Aug 2017, 10:27 AM

Hi Alexander and thanks for your answer

 

So the version of Android is 8.0.0. And to install the root certificate is process like this :

1- start fiddler

2- open chrome on the device

3- download the certificate with the url : myipadress:8888/fiddlerroot.cer

4- install directly from the cetificate by click on it 

 

2 Answers, 1 is accepted

Sort by
0
Alexander
Telerik team
answered on 23 Aug 2017, 12:44 PM
Hello,

In Android 7 all apps that target API Level 24 and later will ignore all user-installed root certificates by default. I cannot find information if this changed in Android 8 so I assume it is still valid. Only app developers can override this behavior for their app only and from what I'm reading the app you are trying to debug is yours. You can find more information about how to do it here.

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
VSCT
Top achievements
Rank 1
commented on 24 Aug 2017, 01:13 PM

Hello,

 

For sure this is the reason ! 

Well thank you so much ! I will explain this to my developpers so !

Daniel
Top achievements
Rank 1
commented on 09 Nov 2017, 10:30 PM

Hi all,

I experience the same issue when trying to decrypt app HTTPS traffic on Android 8 (Oreo).

 

Just for my understanding of the latest posts: There is currently no other way to get Fiddler running (for https traffic) than implementing the changes which are described here https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html?

 

Thanks and best regards,

Daniel

Srinath
Top achievements
Rank 1
commented on 01 May 2019, 03:58 AM

Yes I see, tunnel to in my session list how to over come this
0
Quoc
Top achievements
Rank 1
answered on 11 Jul 2019, 05:15 PM

Still apply on Android 9. I added my cert to /system/etc/security/cacerts and reboot but still not work

Tutorial here https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

Tags
Mobile
Asked by
lenin
Top achievements
Rank 1
Answers by
Alexander
Telerik team
Quoc
Top achievements
Rank 1
Share this question
or