Infopulse - Expert Software Engineering, Infrastructure Management Services

Interception of HTTPS Traffic between Android Device and External Server

Sometimes it’s interesting to see what different Android applications exchange over HTTP and HTTPS. And when developing one’s own software, it’s convenient to watch all of the traffic in real time. Many good applications have been developed for these tasks, e.g. Charles or Fiddler2. There are more of them, but only the two mentioned show HTTPS as well as HTTP.

Troubles appear in the interception of traffic between an Android device and an external server. With unencrypted (HTTP) traffic it is all rather straightforward (here’s a guide): remote connections are allowed in Fiddler2, the address of our machine with Fiddler2 is set as the proxy server in Android, and voila, all is up and running. But it took me a bit longer to set up HTTPS traffic interception.

Theory

So, what’s the trouble? The trouble is that with HTTPS the client verifies by default whether the server it connects to is the right one. Certificates are used for this purpose. The real server has, of course, a real certificate that matches the URL being opened, while our proxy does not have one. To deal with the problem on a desktop OS, Fiddler2 can generate a fake certificate and import it into the trusted ones, so that the client will always believe that a connection to Fiddler2 is quite safe. Unfortunately, this trick does not work so easily on mobile devices.

First, it is impossible to import certificates in Android versions older than 4.0. There are some doubtful options with rooted devices, but they don’t suit us. Secondly, it is impossible to import a Fiddler2 certificate even in Android 4.0 as is: the certificate generated by default fails to meet some of Android’s security criteria and can’t be installed. It has to be generated in a special way. Finally, we can’t take it for granted that all applications will trust a fake certificate. There are some subtleties.

Usage

  1. Take an Android 4.0 or higher device. No, a 2.3 device won’t suit. Yes, a 4.0 emulator will suit.
  2. Install the latest version of Fiddler2 on your PC.
  3. Install special libraries to generate Android-compatible safety certificates (here).
  4. Export the security certificate from Fiddler2 («Tools > Fiddler Options > HTTPS > Export root certificate to Desktop»). Save it on your flash drive, into the root directory (or in your emulator, if you’re using one).
  5. Add the security certificate to the trusted ones in Android («Settings > Security > Install from SD card»).
  6. Start Fiddler2, allow remote connections in Options.
  7. Enter the address of the PC with Fiddler2 as the proxy in network settings of Android.
  8. Open browser on Android, enter google.com, and observe the request and response in the Fiddler2 window.

So, it worked with the browser, but, unfortunately, not all applications are as trustful as the browser. E.g. my software, where I use Apache HTTP Client, didn’t buy it: the Apache client couldn’t care less about the OS trusted certificates. In this case I had to disable this verification manually as follows:

Protocol.registerProtocol("https", new Protocol("https", new EasySSLProtocolSocketFactory(), 443));

where EasySSLProtocolSocketFactory allows trusting any certificates.

Not safe! For debugging only!

After that the traffic of my application became successfully seen in Fiddler2.
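
A narrower alternative to trusting any certificate, shown as an added example that is not part of the original article: build an SSL socket factory that trusts only the root certificate exported from Fiddler2 in step 4, so chain validation stays on and only the debugging proxy is accepted. It uses standard JSSE classes only; the class name `DebugProxyTrust`, the key store alias and the certificate path argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (name is an assumption): trust one proxy root CA, nothing else. */
public final class DebugProxyTrust {

    /** Loads the exported root certificate (DER or PEM) into an otherwise empty key store. */
    static TrustManager[] trustOnly(String certPath) throws Exception {
        X509Certificate root;
        InputStream in = new FileInputStream(certPath);
        try {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
        root.checkValidity();                       // reject an expired or not-yet-valid root
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // start empty: no system CAs, no trust-all
        ks.setCertificateEntry("debug-proxy-root", root);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** Socket factory whose chain validation accepts only certificates issued by that root. */
    public static SSLSocketFactory socketFactory(String certPath) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustOnly(certPath), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the exported root certificate file (assumed to be supplied by the caller)
        for (TrustManager tm : trustOnly(args[0])) {
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println("trusted: " + ca.getSubjectX500Principal().getName());
            }
        }
        socketFactory(args[0]);                     // throws if the context cannot be built
    }
}
```

The factory can be handed to `HttpsURLConnection.setSSLSocketFactory` in a debug build; because the key store contains only the proxy root, connections that do not pass through the proxy fail validation, which also makes it obvious if this code ever ships in a release build.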
