I tried to capture the HTTPS traffic with Fiddler as the proxy for a mobile app, but the HTTPS traffic can't be decoded. I copied the HTTPS response content below. Do you know how to track down what the problem could be? Thanks a lot!
fiddler.network.https> HTTPS handshake to xxx.xxx.com (for #101) failed. System.Security.Authentication.AuthenticationException Authentication failed, see inner exception. < SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
It is highly possible that the app that fails with the SSL error is using some additional security layer like certificate pinning (expecting a specific certificate and refusing to trust other certificates like the one Fiddler is providing).
Hi Nick, I can install a user certificate as a system certificate on my rooted device now. I made an Android app without the secure network config, and I can debug the HTTPS traffic for it. But for some apps on the market, there is still a handshake error. It seems the error is not caused by the app not trusting the Fiddler CA, but there is some problem with the communication between Fiddler and the app's server side. I copied the error message from Fiddler below.
fiddler.network.https> HTTPS handshake to xx.xx.com (for #279) failed. System.Security.Authentication.AuthenticationException Authentication failed, see inner exception. < SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
The xx.xx.com is the server name. Do you have any suggestion? Thanks so much!
You need to install the Fiddler trust certificate as a system certificate (which is not possible if the device is not rooted). Check this SO thread where potential solutions are suggested via 3rd-party tools.
Hi Nick, I have a rooted device. Could you give me some suggestions on how to proceed? Or do you have any docs for that? Really many thanks!
That's correct - Android applications for API 24 and above use the system security certificates unless there is an explicit security configuration that says otherwise. Without having the custom certificate added in the code base, your only other option is to have a rooted device.
See more in the official Android documentation https://developer.android.com/training/articles/security-config
Hi Nick, thanks so much for your reply. Can we say that even though we installed the Fiddler CA on the device, the app doesn't use it? So the handshake between Fiddler and the app failed. Maybe the app specified a particular CA file for its server. Is that right?
You could only capture secure traffic from a mobile application that is under development and for which you could apply the steps described in this documentation section.
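For readers following the two answers above (API 24+ apps trusting only the system store unless a network security config says otherwise, and the documentation section on configuring an app under development), here is what such a configuration looks like. This is an added illustration, not code from the thread, from Fiddler, or from the Android documentation; the file name and resource path are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- debug-overrides are honoured only when the build is
         android:debuggable="true". They add the user-installed CA store
         (where a Fiddler root installed from Settings ends up) to the
         trust anchors, so a debug build will accept Fiddler's certificate
         without rooting the device. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>

    <!-- Default for release builds: system CAs only. This is the API 24+
         behaviour even when no config file exists, which is why a store app
         ignores a Fiddler CA installed as a user certificate and why the
         system store on a rooted device is the remaining option. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

Two practical checks follow from this. First, if the app is yours, confirm the build is actually debuggable; a release variant silently drops the debug-overrides block and behaves like the base-config. Second, a `<domain-config>` carrying a `<pin-set>` (or pinning done in code) still rejects Fiddler's certificate even after the CA has been placed in the system store, which matches the certificate-pinning explanation given earlier in this thread for apps that keep failing on a rooted device.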