I've spent countless hours trying to decrypt Android SSL traffic via Fiddler for HttpsUrlConnection with very little success. How do I reliably configure Fiddler to decrypt SSL traffic from an Android app using HttpsUrlConnection?
Here are my steps
The above works. The problem is that non-browser Android traffic shows up in Fiddler as connect tunnels. My initial research suggested the issue was due to how certs were trusted via HttpsUrlConnection, so I made sure to trust all certs based on this article: https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf
Unfortunately, trusting all certs didn't work for me with HttpsUrlConnection, so I stopped investigating. A few days later I decided to try again and was surprised to find that Fiddler traffic was being decrypted for HttpsUrlConnection! Unfortunately, I didn't make any further changes to fix this, so I'm not entirely sure why it started working. The device it works with is an LG-Optimus L9 Android version 4.0.4 and is rooted.
Now I'm trying to configure this for a Nexus 7 Android Version 4.2.2 (not rooted), but alas all I see in Fiddler are the connect tunnels. Since the cert on both devices has the same serial and the app I'm testing is identical, I'm stumped as to why I can't configure Fiddler with another Android device.
To summarize
Enable HTTPS traffic decryption: Click Tools > Options > HTTPS. Click the Decrypt HTTPS Traffic box.
Decryption is possible with a text-based log containing encryption key data captured when the pcap was originally recorded. With this key log file, we can decrypt HTTPS activity in a pcap and review its contents.
Fiddler is a free web debugging proxy that logs all HTTP/HTTPS traffic between your web application and the Internet.
My research has shown that there is a bug in the HttpsUrlConnection pipelining implementation.
To solve the problem, you need to perform the following steps in Fiddler:
1. In Fiddler click "Rules->Customize Rules";
2. In the opened script, find the function OnBeforeResponse
3. In the function body add the following code:
    // Keep CONNECT tunnels from Android (Dalvik user agent) clients alive
    if (oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) {
        oSession.oResponse.headers["Connection"] = "Keep-Alive";
    }
4. Save the file and restart Fiddler
Here is a workaround.
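Assuming the hostname I'm sending my https requests to is myHostName.com, add the following to Fiddler's CustomRules.js
    // HostnameIs is an exact, case-insensitive match, so use the full hostname
    if (!oSession.isHTTPS && !oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("myHostName.com"))
    {
        // Fiddler forwards the plain-HTTP request to the server over HTTPS
        oSession.oRequest.headers.UriScheme = "https";
    }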
Then in Android code update the URL to use http instead of https.
Now the client will communicate to Fiddler without SSL and all the request/response traffic will be visible.
The obvious downside to this approach is that the URLs must be modified in the client to use http. I haven't used this approach long enough to discover any additional drawbacks.
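The downside noted above can be contained by confining the scheme change to debug builds. The following is an added example, not part of the original answer: the class name `DebugEndpoint`, the `resolve` method and the sample URLs are hypothetical, and the `debugBuild` flag is assumed to come from the build system (for example `BuildConfig.DEBUG` on Android).

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class DebugEndpoint {
    // Assumption: the same host that the Fiddler rule above rewrites back to https.
    private static final String PROXIED_HOST = "myHostName.com";

    private DebugEndpoint() {}

    /** Returns the URL the client should open for the given build type. */
    public static URI resolve(String url, boolean debugBuild) throws URISyntaxException {
        URI uri = new URI(url);
        boolean isHttps = "https".equalsIgnoreCase(uri.getScheme());

        if (!debugBuild) {
            // Release builds never downgrade and reject any cleartext URL outright.
            if (!isHttps) {
                throw new IllegalArgumentException("cleartext URL in release build: " + url);
            }
            return uri;
        }

        if (isHttps && PROXIED_HOST.equalsIgnoreCase(uri.getHost())) {
            // Debug only: talk plain HTTP to the proxy for this one host;
            // the Fiddler rule restores https on the way to the server.
            return new URI("http", uri.getUserInfo(), uri.getHost(), uri.getPort(),
                    uri.getPath(), uri.getQuery(), uri.getFragment());
        }
        // Every other host keeps its original scheme, even in debug builds.
        return uri;
    }

    public static void main(String[] args) throws URISyntaxException {
        String api = "https://myHostName.com/api/items?id=1"; // constructed sample URL
        System.out.println(resolve(api, true));   // debug build, proxied host
        System.out.println(resolve(api, false));  // release build
        System.out.println(resolve("https://other.example/x", true)); // other host
    }
}
```

The client code keeps a single https URL in source, so a release build cannot ship with the http variant by accident.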