Sniffing Android app's HTTPS traffic from Fiddler fails with only 'Tunnel To' entries in Fiddler
I am trying to capture HTTPS traffic from my rooted Android device (4.4.4) to analyze an undocumented protocol of an app. I've set up my Fiddler as a proxy and enabled HTTPS sniffing. I've installed the Fiddler's generated root certificate on my device. I've set up my proxy for my Wifi on my Android device.
When I run my browser and navigate to any HTTP or HTTPS site, Fiddler can capture traffic successfully.
When I run some apps (e.g. my own app which uses Parse as its backend), I can see all the HTTPS traffic to the servers, decrypted. So far so good.
When I try to run that particular app, I can't get Fiddler to capture its traffic. Here's all I get on Fiddler:
URLs are some IP addresses:SSL (:443).
I've also tried using ProxyDroid. Interestingly, I was able to capture the traffic once, saw a decrypted HTTPS connection to that app's servers, but after that, it never captured again. I know that the app uses HTTPS, and not an unknown/other protocol.
How can I capture HTTPS traffic successfully, and why would Fiddler once work for that app, and suddenly stop working?
Answer
"Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default"
If you are targeting API >=24 or running on a >= 24 device, create an xml resource with the following:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<debug-overrides>
<trust-anchors>
<!-- Trust user added CAs while debuggable only -->
<certificates src="user"/>
</trust-anchors>
</debug-overrides>
</network-security-config>
Name it "network_secutrity_config.xml" or something like that and add id as a reference to your manifest with the android:networkSecurityConfig tag.
You can read a bit more here (it helped me):
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html