NickName:Steven Ask DateTime:2013-06-01T01:39:41

Fiddler - Decrypt Android HttpsUrlConnection SSL traffic

I've spent countless hours trying to decrypt Android SSL traffic via Fiddler for HttpsUrlConnection with very little success. How do I reliably configure Fiddler to decrypt SSL traffic from an Android app using HttpsUrlConnection?

Here are my steps

Run Fiddler on PC (With proper settings: capture HTTPS Connect, decrypt HTTPS traffic, allow remote computers to connect)
Configure wireless connection on Android device to proxy through pc running fiddler
From android device open browser to http://[ip of pc running fiddler]:8888 and download "FiddlerRoot certificate". Name and install it.
Open https://www.google.com in android browser and view decrypted traffic in Fiddler on PC.

The above works. The problem is that non-browser android traffic shows up in Fiddler as connect tunnels. My initial research suggested the issue was due to how certs were trusted via HttpsUrlConnection so I made sure to trust all certs based on this article https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf

Unfortunately trusting all certs didn't work for me with HttpsUrlConnection so I stopped investigating. A few days later I decided to try again and was surprised to find that fiddler traffic was being decrypted for HttpsUrlConnection! Unfortunately I didn't make any further changes to fix this so I'm not entirely sure why it started working. The device it works with is an LG-Optimus L9 Android version 4.0.4 and is rooted.

Now I'm trying to configure this for a Nexus 7 Android Version 4.2.2 (not rooted) but alas all I see in fiddler are the connect tunnels. Since the cert on both devices has the same serial and the app I'm testing is identical I'm stumped as to why I can't configure Fiddler with another Android device.

To summarize

Fiddler can decrypt SSL traffic from the LG Optimus but only shows connect tunnels from Nexus 7
Both devices are running the same app which uses HttpsUrlConnection for network requests
Both devices have the same fiddler cert installed (serials match) and no other user cert installed.
Don't think these matter but...
- Rooted device (LG Optimus Android 4.0.4) uses Proxy Droid to point to PC running fiddler
- Non rooted device (Nexus 7 Android 4.2.2) using built in "modify network" to point to PC running fiddler

Copyright Notice：Content Author:「Steven」，Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article：https://stackoverflow.com/questions/16862916/fiddler-decrypt-android-httpsurlconnection-ssl-traffic

Answers

AlexM 2014-01-16T02:10:57

My research shown that there is a bug in HttpsUrlConnection pipeling implementation.\n\nTo solve a problem you need to perform following steps in Fiddler: \n\n\nIn Fiddler click \"Rules->Customize Rules\"; \nIn opened script and find function OnBeforeResponse \nIn the function body add following code: \n\nif (oSession.oRequest[\"User-Agent\"].indexOf(\"Dalvik\") > -1 && oSession.HTTPMethodIs(\"CONNECT\")) { \n oSession.oResponse.headers[\"Connection\"] = \"Keep-Alive\"; \n} \n\n\n\n4.Save file and restart Fiddler",

Steven 2013-08-28T03:36:29

Here is a workaround.\n\nAssuming the hostname I'm sending my https requests to is myHostName.com add the following to Fiddler's CustomRules.js\n\nif (!oSession.isHTTPS && !oSession.HTTPMethodIs(\"CONNECT\") && (oSession.HostnameIs(\"myHostName\"))\n{\n oSession.oRequest.headers.UriScheme = \"https\";\n}\n\n\nThen in Android code update the URL to use http instead of https.\n\nNow the client will communicate to Fiddler without SSL and all the request/response traffic will be visible.\n\nThe obvious downside to this approach is that the URLs must be modified in the client to use http. I haven't used this approach long enough to discover any additional drawbacks.",