Fiddler - Decrypt Android HttpsUrlConnection SSL traffic
F

3

20

I've spent countless hours trying to decrypt Android SSL traffic via Fiddler for HttpsUrlConnection with very little success. How do I reliably configure Fiddler to decrypt SSL traffic from an Android app using HttpsUrlConnection?

Here are my steps

  1. Run Fiddler on PC (with proper settings: capture HTTPS Connect, decrypt HTTPS traffic, allow remote computers to connect)
  2. Configure the wireless connection on the Android device to proxy through the PC running Fiddler
  3. From the Android device, open the browser to http://[ip of pc running fiddler]:8888 and download the "FiddlerRoot certificate". Name and install it.
  4. Open https://www.google.com in the Android browser and view the decrypted traffic in Fiddler on the PC.

The above works. The problem is that non-browser android traffic shows up in Fiddler as connect tunnels. My initial research suggested the issue was due to how certs were trusted via HttpsUrlConnection so I made sure to trust all certs based on this article https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf

Unfortunately trusting all certs didn't work for me with HttpsUrlConnection so I stopped investigating. A few days later I decided to try again and was surprised to find that fiddler traffic was being decrypted for HttpsUrlConnection! Unfortunately I didn't make any further changes to fix this so I'm not entirely sure why it started working. The device it works with is an LG-Optimus L9 Android version 4.0.4 and is rooted.

Now I'm trying to configure this for a Nexus 7 Android Version 4.2.2 (not rooted) but alas all I see in fiddler are the connect tunnels. Since the cert on both devices has the same serial and the app I'm testing is identical I'm stumped as to why I can't configure Fiddler with another Android device.

To summarize

  • Fiddler can decrypt SSL traffic from the LG Optimus but only shows connect tunnels from Nexus 7
  • Both devices are running the same app which uses HttpsUrlConnection for network requests
  • Both devices have the same fiddler cert installed (serials match) and no other user cert installed.
  • Don't think these matter but...
    • Rooted device (LG Optimus Android 4.0.4) uses Proxy Droid to point to PC running fiddler
    • Non rooted device (Nexus 7 Android 4.2.2) using built in "modify network" to point to PC running fiddler
Fascine answered 31/5, 2013 at 17:39 Comment(2)
On the Nexus, does Chrome traffic get decrypted? Are the network requests that are not shown failing or simply working without their traffic being shown? Are you using the default Certificate Maker or the Certificate Maker Plugin? – Wormhole
Chrome traffic is decrypted fine along with any other webview based traffic on both devices. Network requests on Nexus via HttpsUrlConnection fail and all I see in Fiddler are the connect tunnels. Regarding the cert maker question, the HTTPS option in Fiddler says "Certificates generated using CertMaker.BCCertMaker from C:\Program Files(x86)\Fiddler2\CertMaker.dll". I'm not sure if that's the default cert or a plugin. – Fascine
S
25

My research has shown that there is a bug in the HttpsUrlConnection pipelining implementation.

To solve the problem you need to perform the following steps in Fiddler:

  1. In Fiddler click "Rules->Customize Rules";

  2. In the opened script, find the function OnBeforeResponse

  3. In the function body add the following code:

    // For CONNECT tunnels opened by a Dalvik (Android) client,
    // force "Connection: Keep-Alive" on the response
    if (oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) {
       oSession.oResponse.headers["Connection"] = "Keep-Alive";
    }

  4. Save the file and restart Fiddler

Swedish answered 16/1, 2014 at 2:10 Comment(10)
Thanks, but when I try that and send a request, Fiddler throws an error saying: There was a problem with your FiddlerScript. Object reference not set to an instance of an object. at Fiddler.HTTPHeaders.set_Item(String HeaderName, String value) at Fiddler.ScriptNamespace.Handlers.OnBeforeRequest(Session oSession) at Fiddler.FiddlerScript.DoBeforeRequest(Session oSession) – Fascine
It looks like you added code into OnBeforeRequest not OnBeforeResponse – Swedish
You're exactly right, my mistake. Thanks, this code snippet works like a charm! I really appreciate it, spent way too long trying to get this working. FYI you may want to update your code snippet for anyone referencing this, I had to change the second Session to oSession – Fascine
Great solution - thank you. As an addition, when making GoogleAuthUtil calls from Android, the user agent is "GoogleAuth/1.4", so if you want this same solution to be able to decrypt these calls as well, add the additional user agent string: if ((oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 || oSession.oRequest["User-Agent"].indexOf("GoogleAuth") > -1) && oSession.HTTPMethodIs("CONNECT")) { oSession.oResponse.headers["Connection"] = "Keep-Alive"; } – Hebraism
I get this error after I try to do that: FiddlerScript Compiler error --------------------------- Type 'string' does not contain a definition for 'indexOf' and no extension method 'indexOf' of type 'string' could be found. Are you missing an assembly reference? Line: 284 – Brochure
I replaced the code with if (oSession.HTTPMethodIs("CONNECT")) { oSession.oResponse.headers["Connection"] = "Keep-Alive"; } - no error on startup, but the traffic is still tunneled – Brochure
The advice helped me a lot. However, when you switch to Android 5 (actually, I tested it on Android 5.1) - there is no need for this patch anymore. Fiddler works just fine out-of-the-box now! – Mythify
Originally I had the same symptoms as the original poster and this answer solved my problems. A few weeks later I was having similar symptoms (or so it seemed), though I believe it may actually have been somewhat unrelated. Ultimately resetting the Fiddler certificate did the trick (Tools > Fiddler Options... > HTTPS > Actions > Reset All Certificates). Probably doesn't hurt to try this if you feel stuck. – Flavia
IndexOf must be used. But it doesn't solve the issue for me anyway (( – Gardening
Tested on Android 4.2.2 and Android 5.0 Genymotion emulator - Fiddler doesn't work on Linux, tunnels https traffic. Switched to Charles proxy, installed its root certs and everything works out of the box. It's not free though... – Gardening
F
1

Here is a workaround.

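Assuming the hostname I'm sending my https requests to is myHostName.com, add the following to Fiddler's CustomRules.js:

    // In OnBeforeRequest: re-issue plain-HTTP requests for this host over HTTPS
    // on the Fiddler-to-server leg (HostnameIs compares the full hostname)
    if (!oSession.isHTTPS && !oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("myHostName.com"))
    {
      oSession.oRequest.headers.UriScheme = "https";
    }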

Then in Android code update the URL to use http instead of https.

Now the client will communicate to Fiddler without SSL and all the request/response traffic will be visible.

The obvious downside to this approach is that the URLs must be modified in the client to use http. I haven't used this approach long enough to discover any additional drawbacks.

Fascine answered 28/8, 2013 at 3:36 Comment(0)
F
0

Having the device rooted is the key. At least in my scenario.

I unrooted the LG Optimus Android 4.0.4 and it upgraded to 4.1.2. I tried Fiddler with all of the same steps but only the connect tunnels showed.

I rooted the LG Optimus again and immediately I can see all the requests/responses via fiddler.

I assume rooting the N7 will allow it to work as well.

Fascine answered 30/8, 2013 at 16:30 Comment(0)
