 

Fiddler - Decrypt Android HttpsUrlConnection SSL traffic


I've spent countless hours trying to decrypt Android SSL traffic via Fiddler for HttpsUrlConnection with very little success. How do I reliably configure Fiddler to decrypt SSL traffic from an Android app using HttpsUrlConnection?

Here are my steps:

  1. Run Fiddler on the PC (with the proper settings: capture HTTPS CONNECTs, decrypt HTTPS traffic, allow remote computers to connect)
  2. Configure the wireless connection on the Android device to proxy through the PC running Fiddler
  3. From the Android device open the browser to http://[ip of pc running fiddler]:8888 and download the "FiddlerRoot certificate". Name and install it.
  4. Open https://www.google.com in the Android browser and view the decrypted traffic in Fiddler on the PC.

The above works. The problem is that non-browser Android traffic shows up in Fiddler as CONNECT tunnels. My initial research suggested the issue was due to how certs were trusted via HttpsUrlConnection, so I made sure to trust all certs based on this article: https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf

Unfortunately trusting all certs didn't work for me with HttpsUrlConnection, so I stopped investigating. A few days later I decided to try again and was surprised to find that Fiddler traffic was being decrypted for HttpsUrlConnection! Unfortunately I didn't make any further changes to fix this, so I'm not entirely sure why it started working. The device it works with is an LG Optimus L9, Android version 4.0.4, and is rooted.

Now I'm trying to configure this for a Nexus 7, Android version 4.2.2 (not rooted), but alas all I see in Fiddler are the CONNECT tunnels. Since the cert on both devices has the same serial and the app I'm testing is identical, I'm stumped as to why I can't configure Fiddler with another Android device.

To summarize:

  • Fiddler can decrypt SSL traffic from the LG Optimus but only shows CONNECT tunnels from the Nexus 7
  • Both devices are running the same app, which uses HttpsUrlConnection for network requests
  • Both devices have the same Fiddler cert installed (serials match) and no other user cert installed.
  • Don't think these matter, but...
    • Rooted device (LG Optimus, Android 4.0.4) uses ProxyDroid to point to the PC running Fiddler
    • Non-rooted device (Nexus 7, Android 4.2.2) uses the built-in "modify network" to point to the PC running Fiddler
Steven asked May 31 '13 17:05




2 Answers

My research showed that there is a bug in the HttpsUrlConnection pipelining implementation.

To solve the problem you need to perform the following steps in Fiddler:

  1. In Fiddler click "Rules->Customize Rules";

  2. In the opened script, find the function OnBeforeResponse;

  3. In the function body add the following code:

    // Android's HttpsUrlConnection sends a "Dalvik" User-Agent; keep its
    // CONNECT tunnel open so the requests inside it are decrypted.
    if (oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) {
       oSession.oResponse.headers["Connection"] = "Keep-Alive";
    }

  4. Save the file and restart Fiddler.

AlexM answered Sep 23 '22 07:09


Here is a workaround.

Assuming the hostname I'm sending my https requests to is myHostName.com, add the following to Fiddler's CustomRules.js:

// Goes in OnBeforeRequest: plain-HTTP requests for the host are forwarded as HTTPS
if (!oSession.isHTTPS && !oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("myHostName.com"))
{
  oSession.oRequest.headers.UriScheme = "https";
}

Then in Android code update the URL to use http instead of https.

Now the client will communicate to Fiddler without SSL and all the request/response traffic will be visible.

The obvious downside to this approach is that the URLs must be modified in the client to use http. I haven't used this approach long enough to discover any additional drawbacks.

Steven answered Sep 25 '22 07:09
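The two CustomRules.js rules from the answers above (the Keep-Alive rule for Dalvik CONNECT tunnels, and the http-to-https rewrite for myHostName.com), as an added Node.js model that is not part of either answer and is not FiddlerScript. It mimics only the Session members the rules use (isHTTPS, HTTPMethodIs, HostnameIs, oRequest, oResponse), so a reader can check offline which sessions each rule touches and which it leaves alone before pasting the rules into Fiddler. The sample sessions are constructed, not captured traffic.

```javascript
// Added example, not code from the original answers: a small Node.js model of
// the two CustomRules.js snippets so their conditions can be exercised offline.
// The session shape is an assumption that mimics only the Fiddler members the
// answers use (isHTTPS, HTTPMethodIs, HostnameIs, oRequest, oResponse); it is
// not Fiddler's real Session class, and these functions are not FiddlerScript.

const TARGET_HOST = "myHostName.com"; // hostname used in the workaround answer

// Build a minimal session. `hostname` is the target host without a port
// (Fiddler's HostnameIs also ignores the port); `userAgent` is stored the way
// a real User-Agent request header would be.
function makeSession({ method, hostname, isHTTPS, userAgent = "" }) {
  return {
    isHTTPS,
    HTTPMethodIs(m) { return method.toUpperCase() === m.toUpperCase(); },
    HostnameIs(h) { return hostname.toLowerCase() === h.toLowerCase(); },
    oRequest: { headers: { UriScheme: isHTTPS ? "https" : "http", "User-Agent": userAgent } },
    oResponse: { headers: {} },
  };
}

// Rule from the first answer (belongs in OnBeforeResponse): keep the CONNECT
// tunnel open for Dalvik clients, i.e. Android HttpsUrlConnection.
// Returns true when the rule fired.
function onBeforeResponse(oSession) {
  const ua = oSession.oRequest.headers["User-Agent"] || "";
  if (ua.indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) {
    oSession.oResponse.headers["Connection"] = "Keep-Alive";
    return true;
  }
  return false;
}

// Rule from the workaround answer (belongs in OnBeforeRequest): a plain-HTTP
// request for the target host is sent onward as HTTPS. CONNECT sessions,
// other hosts and requests that are already HTTPS are left alone.
// Returns true when the rule fired.
function onBeforeRequest(oSession) {
  if (!oSession.isHTTPS && !oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs(TARGET_HOST)) {
    oSession.oRequest.headers.UriScheme = "https";
    return true;
  }
  return false;
}

// Run both rules over a list of sessions and report what each rule did.
function applyRules(sessions) {
  return sessions.map((s) => {
    const requestRewritten = onBeforeRequest(s);
    const keepAliveForced = onBeforeResponse(s);
    return {
      requestRewritten,
      keepAliveForced,
      scheme: s.oRequest.headers.UriScheme,
      connection: s.oResponse.headers["Connection"] || null,
    };
  });
}

// Constructed sample sessions (not captured traffic). The Dalvik string has
// the general shape of the User-Agent Android's HttpsUrlConnection sends.
const DALVIK_UA = "Dalvik/1.6.0 (Linux; U; Android 4.2.2; Nexus 7 Build/SAMPLE)";
function buildSamples() {
  return [
    // 0: app CONNECT tunnel -> Keep-Alive forced, scheme untouched
    makeSession({ method: "CONNECT", hostname: TARGET_HOST, isHTTPS: false, userAgent: DALVIK_UA }),
    // 1: browser CONNECT tunnel -> neither rule fires
    makeSession({ method: "CONNECT", hostname: TARGET_HOST, isHTTPS: false, userAgent: "Mozilla/5.0 (Linux; Android 4.2.2)" }),
    // 2: app plain-HTTP GET to the target host -> rewritten to https
    makeSession({ method: "GET", hostname: TARGET_HOST, isHTTPS: false, userAgent: DALVIK_UA }),
    // 3: app plain-HTTP GET to another host -> left as http
    makeSession({ method: "GET", hostname: "other.example", isHTTPS: false, userAgent: DALVIK_UA }),
    // 4: app request that is already HTTPS -> left alone
    makeSession({ method: "GET", hostname: TARGET_HOST, isHTTPS: true, userAgent: DALVIK_UA }),
  ];
}

// Fresh sessions on every call, so results do not depend on earlier runs.
function runSamples() {
  return applyRules(buildSamples());
}

console.table(runSamples());
```

Running the file prints one row per sample session; only the Dalvik CONNECT session gets Connection: Keep-Alive, and only the plain-HTTP request to myHostName.com has its scheme changed to https, which is the behaviour the two answers describe.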