Sniffing Android app's HTTPS traffic from Fiddler fails with only 'Tunnel To' entries in Fiddler

Can Poyrazoğlu picture Can Poyrazoğlu · Sep 17, 2015 · Viewed 7.9k times · Source

I am trying to capture HTTPS traffic from my rooted Android device (4.4.4) to analyze an undocumented protocol of an app. I've set up my Fiddler as a proxy and enabled HTTPS sniffing. I've installed the Fiddler's generated root certificate on my device. I've set up my proxy for my Wifi on my Android device.

  • When I run my browser and navigate to any HTTP or HTTPS site, Fiddler can capture traffic successfully.

  • When I run some apps (e.g. my own app which uses Parse as its backend), I can see all the HTTPS traffic to the servers, decrypted. So far so good.

  • When I try to run that particular app, I can't get Fiddler to capture its traffic. Here's all I get on Fiddler:

enter image description here

URLs are some IP addresses:SSL (:443).

I've also tried using ProxyDroid. Interestingly, I was able to capture the traffic once, saw a decrypted HTTPS connection to that app's servers, but after that, it never captured again. I know that the app uses HTTPS, and not an unknown/other protocol.

How can I capture HTTPS traffic successfully, and why would Fiddler once work for that app, and suddenly stop working?

Answer

TalMihr picture TalMihr · Oct 22, 2018

"Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default"

If you are targeting API >=24 or running on a >= 24 device, create an xml resource with the following:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Name it "network_secutrity_config.xml" or something like that and add id as a reference to your manifest with the android:networkSecurityConfig tag.

You can read a bit more here (it helped me):

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html