0
votes

I'd like to view the https traffic from my app.

I installed fiddler on my pc and downloaded the certificate to the device and can view https traffic from the browser.

But when I try my app - I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I believe the fiddler setup is correct as I can view https traffic from my phone browser.

Any help?

or other ways of doing the same.

I know from running java apps on the desktop - you can specify the proxy ip+port to the java vm - maybe something similar needs to be done on the device.

I was able to set up the emulator for http traffic - but https doesn't work - I installed the fiddler cert on the emulator also. Using Android 29.

1
I believe that javax.sslhandshakeexception states that your SSL certificate is not valid. Try setting it up again. - n3dx
I can view https traffic from my phone's browser - so I assume the fiddler cert is installed properly no? - dashman

1 Answer

0
votes

Installing the certificate into the system trust store on the device that is running Android 6 or newer requires root permissions to work properly in all apps.

Without root permissions you can only install the certificate into the "user" trust store, which is ignored by apps that have a targetSdkVersion set to 23 and higher.

Fortunately in your case we are talking about your own app which opens up a door to intercept traffic with Fiddler without root permissions:

In your app you have to provide a Network Security Configuration file.

In that file you have two options:

Explicitly trust the user trust store:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Include your Fiddler root CA certificate

You can include the Fiddler root CA certificate into your app and define that it should be trusted in debug builds (add the Fiddler root CA certificate file as raw resource debug_fiddler_root):

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_fiddler_root"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
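
A check that could run in CI over an app's Network Security Configuration, added here as an example and not part of the answer above: it reports which trust anchors other than the system store would be honoured by release builds and which only take effect inside debug-overrides. The function names and the two embedded sample documents (copied from the options shown above) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two configurations from the answer above.
TRUST_USER_STORE = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

DEBUG_ONLY_CA = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_fiddler_root"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

SCOPES = ("base-config", "domain-config", "debug-overrides")

def audit_trust_anchors(xml_text):
    """Return (scope, src, reach) for every trust anchor other than src="system"."""
    findings = []

    def walk(node, scope):
        for child in node:
            if child.tag in SCOPES:
                # domain-config may nest; debug-overrides only applies
                # when the app is built with android:debuggable="true".
                walk(child, child.tag)
            elif child.tag == "trust-anchors":
                for cert in child.findall("certificates"):
                    src = cert.get("src", "")
                    if src != "system":
                        reach = "debug-only" if scope == "debug-overrides" else "release"
                        findings.append((scope, src, reach))

    walk(ET.fromstring(xml_text.encode("utf-8")), "root")
    return findings

def release_safe(xml_text):
    """True when no extra trust anchor is honoured by release builds."""
    return all(reach == "debug-only" for _, _, reach in audit_trust_anchors(xml_text))
```

With the first configuration a release build also accepts any CA the device owner has installed, so failing the build when release_safe returns False keeps that setting from shipping.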