Android Security

Debugging Android HTTPS traffic with Fiddler and Connectify

[OUTDATED – It has been a while since I looked at this, so it’s probably very outdated.]

If you’re trying to debug an app (or website) on Android that is using HTTPS, then this short guide might be for you. I’ll show you how to set up Fiddler and Connectify Me so that you can view your device’s encrypted communications.

Requirements

  • Computer with internet access and WiFi
  • Android device that supports WiFi proxies (Honeycomb or later – older devices might require a proxy app, though I can’t guarantee it will work)

 

Instructions

  1. Install Connectify Hotspot (the free version works fine) and start your hotspot. Side note: Don’t pick a stupid password for your hotspot; you probably don’t want world+dog hopping on your connection.
  2. Connect your Android device to your hotspot (via WiFi settings) and ensure you can access the internet using the connection.
  3. Install Fiddler (but don’t open it yet).
  4. Install this certificate maker plugin (seems to have moved to here). It replaces the default certificate plugin in Fiddler so that the certificates will be compatible with Android.
  5. Open Fiddler and follow these configuration steps:
    a. Go to Tools | Fiddler Options… | General tab. Uncheck “Show a message when HTTP protocol violations are encountered”.
    b. Switch to the HTTPS tab. Check “Capture HTTPS CONNECTS” and then “Decrypt HTTPS traffic”. Click Yes on the two dialogs that pop up.
    c. Click the “Export Root Certificate to Desktop” button.
    d. Switch to the Connections tab and check “Allow remote computers to connect”. Click OK on the dialog.
    e. Take note of the port listed next to “Fiddler listens on port:”. We’ll need it soon.
    f. Close the options dialog.
  6. Exit Fiddler and then reopen it.
  7. On this website, upload the certificate that was exported to your desktop. Then, on your Android device, navigate to the URL the page produces to install the certificate.
  8. Determine the IP address of your computer (using ipconfig at the command line) on the ad-hoc WiFi connection that Connectify Hotspot has created.
  9. Using the instructions on this page (halfway down), configure the WiFi connection on your phone to use the following proxy information:
    a. IP address: What you found in step 9.
    b. Port: From step 5.e.

 

Test it out

Let’s see if everything works. Make sure Fiddler is open on your screen. On your Android device, browse to a random page. You should see the connections on the left-hand side of the Fiddler screen. If all of our HTTPS configurations worked, you should also see HTTPS communications decoded and dumped as well.

It’s possible that not all HTTPS communications will be shown, since some apps might reject the Fiddler root certificate. There’s nothing that can be done about that, unfortunately.

Note that Fiddler will also have changed the proxy settings for your entire computer. Connections from your desktop browser, email clients, etc. will be shown side-by-side with those from your Android device.
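
An added example, not part of the original post: a small Python check, run from the computer or any other client on the hotspot, that sends the CONNECT request a device would send through the proxy and then validates the returned certificate against the system trust store, which is what an app that rejects the Fiddler root does. The function names, the `example.com` target, and the placeholder address and port are assumptions for illustration.

```python
import socket
import ssl

def parse_connect_reply(raw: bytes) -> int:
    """Return the status code from the proxy's reply to a CONNECT request."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def issuer_cn(cert: dict) -> str:
    """Extract the issuer common name from ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def check_proxy(proxy_host, proxy_port, target="example.com", timeout=5.0):
    """Open a tunnel through the proxy, then validate TLS the way a strict app would."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(f"CONNECT {target}:443 HTTP/1.1\r\nHost: {target}:443\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:          # read the whole reply header
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        status = parse_connect_reply(reply)
        if status != 200:                        # e.g. 407: proxy demands authentication
            return {"tunnel": status, "trusted": None, "issuer": None}
        ctx = ssl.create_default_context()       # system trust store, hostname checks on
        try:
            with ctx.wrap_socket(sock, server_hostname=target) as tls:
                # Trusted chain: with decryption on, the issuer is the proxy's root CA.
                return {"tunnel": 200, "trusted": True, "issuer": issuer_cn(tls.getpeercert())}
        except ssl.SSLCertVerificationError as err:
            # Same outcome as an app that rejects the proxy's certificate.
            return {"tunnel": 200, "trusted": False, "issuer": None, "error": err.verify_message}

if __name__ == "__main__":
    # 192.0.2.10 and 8888 are placeholders for the step 8 address and step 5.e port.
    print(check_proxy("192.0.2.10", 8888))
```

A result with `trusted: True` and a public CA as issuer means the proxy is tunnelling without decrypting; `trusted: False` means the client running the check does not trust the certificate the proxy presented.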

Cleanup

When you’re done, you’ll want to do a few things to revert your Android device and computer back to how they were.

  1. Undo the proxy configurations on your Android device.
  2. Uncheck the “Allow remote computers to connect” option in the Fiddler settings.
  3. Uninstall Fiddler’s root certificates from both your computer (Google for instructions) and Android device (under Settings | Security).

9 thoughts on “Debugging Android HTTPS traffic with Fiddler and Connectify”

  1. Thanks a lot, worked great for me! I’ve been searching all over for this solution. Do you know if this would work on iOS?

    1. Hi Marcel,

      Glad it worked for you! For iOS: It depends on if the operating system/specific app would reject the invalid SSL certificate that Fiddler generates (as it should, in a perfect world). If it does validate the certificate, then it won’t work. I don’t have experience working with iOS, so that’s my best guess.

      Thanks for writing!

  2. from Android,
    http://hostname:2978/ worked
    http://IP:2987/ didn’t work (tried both IPs)

    I am able to browse any website from any android app 🙂

    But after I set IP:8888 in Wireless configuration, I get “Authentication via proxy server was unsuccessful.” in native browser. Please help.

    I am sure I followed all steps correctly (Used Windows 7 64 bit, Installed cracked Connectify 3.7 Pro version, and Android ICS 4.0.x)

    1. Hi Rekham,

      Sorry, but I’m not sure what is wrong with your setup, especially if you followed my steps. I have not encountered that error before, though I suspect it is a certificate error. It is possible that whatever phone/flavor of Android you are using doesn’t work with the certificate you generated. Just guessing; really not sure.

      On a side note, if you are going to use Connectify Pro, please purchase a license for it instead of using a cracked version. Looks like they have a 50% off sale running now. No, I’m not affiliated with them.
