Fiddler - Decrypt Android HttpsUrlConnection SSL traffic

20
votes

I've spent countless hours trying to decrypt Android SSL traffic via Fiddler for HttpsUrlConnection with very little success. How do I reliably configure Fiddler to decrypt SSL traffic from an Android app using HttpsUrlConnection?

Here are my steps

  1. Run Fiddler on PC (With proper settings: capture HTTPS Connect, decrypt HTTPS traffic, allow remote computers to connect)
  2. Configure wireless connection on Android device to proxy through pc running fiddler
  3. From android device open browser to http://[ip of pc running fiddler]:8888 and download "FiddlerRoot certificate". Name and install it.
  4. Open https://www.google.com in android browser and view decrypted traffic in Fiddler on PC.

The above works. The problem is that non-browser android traffic shows up in Fiddler as connect tunnels. My initial research suggested the issue was due to how certs were trusted via HttpsUrlConnection so I made sure to trust all certs based on this article https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf

Unfortunately trusting all certs didn't work for me with HttpsUrlConnection so I stopped investigating. A few days later I decided to try again and was surprised to find that fiddler traffic was being decrypted for HttpsUrlConnection! Unfortunately I didn't make any further changes to fix this so I'm not entirely sure why it started working. The device it works with is an LG-Optimus L9 Android version 4.0.4 and is rooted.

Now I'm trying to configure this for a Nexus 7 Android Version 4.2.2 (not rooted) but alas all I see in fiddler are the connect tunnels. Since the cert on both devices has the same serial and the app I'm testing is identical I'm stumped as to why I can't configure Fiddler with another Android device.

To summarize

  • Fiddler can decrypt SSL traffic from the LG Optimus but only shows connect tunnels from Nexus 7
  • Both devices are running the same app which uses HttpsUrlConnection for network requests
  • Both devices have the same fiddler cert installed (serials match) and no other user cert installed.
  • Don't think these matter but...
    • Rooted device (LG Optimus Android 4.0.4) uses Proxy Droid to point to PC running fiddler
    • Non rooted device (Nexus 7 Android 4.2.2) using built in "modify network" to point to PC running fiddler
3
androidfiddlerhttpsurlconnection
On the Nexus, does Chrome traffic get decrypted? Do the network requests that are not shown failing or simply working without their traffic being shown? Are you using the default Certificate Maker or the Certificate Maker Plugin?EricLaw
Chrome traffic is decrypted fine along with any other webview based traffic on both devices. Network requests on Nexus via HttpsUrlConnection fail and all I see in Fiddler are the connect tunnels. Regarding cert maker question HTTPS option in Fiddler says "Certificates generated using CertMaker.BCCertMaker from C:\Program Files(x86)\Fiddler2\CertMaker.dll". I'm not sure if that's the default cert or a plugin.Steven

3 Answers

25
votes

My research shown that there is a bug in HttpsUrlConnection pipeling implementation.

To solve a problem you need to perform following steps in Fiddler:

  1. In Fiddler click "Rules->Customize Rules";

  2. In opened script and find function OnBeforeResponse

  3. In the function body add following code: 

    if (oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) {  
   oSession.oResponse.headers["Connection"] = "Keep-Alive";     
}

4.Save file and restart Fiddler

1
votes

Here is a workaround.

Assuming the hostname I'm sending my https requests to is myHostName.com add the following to Fiddler's CustomRules.js

if (!oSession.isHTTPS && !oSession.HTTPMethodIs("CONNECT") && (oSession.HostnameIs("myHostName"))
{
  oSession.oRequest.headers.UriScheme = "https";
}

Then in Android code update the URL to use http instead of https.

Now the client will communicate to Fiddler without SSL and all the request/response traffic will be visible.

The obvious downside to this approach is that the URLs must be modified in the client to use http. I haven't used this approach long enough to discover any additional drawbacks.

0
votes

Having the device rooted is the key. At least in my scenario.

I unrooted the LG Optimus Android 4.0.4 and it upgraded to 4.1.2. I tried fiddler will all of the same steps but only the connect tunnels showed.

I rooted the LG Optimus again and immediately I can see all the requests/responses via fiddler.

I assume rooting the N7 will allow it to work as well.