
Fail to decode https traffic from a mobile app

Hello,


I tried to get the HTTPS traffic with Fiddler as the proxy for a mobile app, but the HTTPS traffic can't be decoded. I copied the HTTPS response content below. Do you know how to track what the problem could be? Thanks a lot!


fiddler.network.https> HTTPS handshake to xxx.xxx.com (for #101) failed. System.Security.Authentication.AuthenticationException Authentication failed, see inner exception. < SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.




Hello Wykevin,



You could only capture secure traffic from a mobile application that is under development and for which you could apply the steps described in this documentation section.


Hi Nick, thanks so much for your reply. Can we say that even though we installed the Fiddler CA on the device, the app doesn't use it, so the handshake between Fiddler and the app failed? Maybe the app specified a particular CA file for its server. Is that right?

That's correct - Android applications for API24 and above are using the system security certificate unless there is an explicit security configuration that says otherwise. Without having the custom certificate added in the code base, your only other option is to have a rooted device.


See more in the official Android documentation https://developer.android.com/training/articles/security-config
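
The trust rule from this reply, as an added example that is not part of the original thread or of Fiddler's documentation: it reads a network security configuration and reports which certificate stores an app would trust for a host, so you can confirm that user-installed CAs are accepted only in debuggable builds. The sample XML, the host names and the function names are constructed for illustration; only top-level `domain-config` entries are handled, and at most one is assumed to match a host.

```python
import xml.etree.ElementTree as ET

# Constructed sample res/xml/network_security_config.xml: release builds keep
# the API 24+ default, debuggable builds additionally trust user-installed CAs.
SAMPLE_CONFIG = """<network-security-config>
    <debug-overrides>
        <trust-anchors><certificates src="user" /></trust-anchors>
    </debug-overrides>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors><certificates src="system" /></trust-anchors>
    </domain-config>
</network-security-config>"""


def _anchors(node):
    """Return the set of <certificates src> values, or None if not declared."""
    ta = node.find("trust-anchors") if node is not None else None
    if ta is None:
        return None
    return {c.get("src") for c in ta.findall("certificates")}


def _matches(domain_el, host):
    name = (domain_el.text or "").strip().lower()
    sub = domain_el.get("includeSubdomains") == "true"
    return host == name or (sub and host.endswith("." + name))


def trust_sources(config_xml, host, target_sdk, debuggable):
    """Certificate stores trusted for `host` (simplified model, see lead-in)."""
    root = ET.fromstring(config_xml) if config_xml else ET.Element("network-security-config")
    # Platform default: user CAs are trusted only when targetSdkVersion <= 23.
    sources = {"system"} if target_sdk >= 24 else {"system", "user"}
    base = _anchors(root.find("base-config"))
    if base is not None:
        sources = base
    for dc in root.findall("domain-config"):  # top-level entries only
        if any(_matches(d, host.lower()) for d in dc.findall("domain")):
            declared = _anchors(dc)  # undeclared values inherit from base
            sources = declared if declared is not None else sources
    if debuggable:  # debug-overrides anchors are added to every other config
        sources = sources | (_anchors(root.find("debug-overrides")) or set())
    return sources
```

A release build that returns `user` for any host accepts certificates from any CA the device owner has installed, which is worth flagging in review.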

Hi Nick, I have a rooted device. Could you give me some suggestions for how to proceed? Or do you have any docs for that? Many thanks!

You need to install the Fiddler trust certificate as a system certificate (which is not possible if the device is not rooted). Check this SO thread where potential solutions are suggested via 3rd-party tools. 
