Home > Uncategorized > Intercept HTTPS requests made by a live #iOS app using @Telerik #Fiddler

Intercept HTTPS requests made by a live #iOS app using @Telerik #Fiddler

fiddler

If you want to debug an iOS app that’s installed on a iPhone, to determine what network calls it is making, then if you have a Windows PC, then you can use Telerik’s Fiddler to intercept requests between any iOS app and whatever back-end API it is using, even over HTTPS.

Make sure your PC and iPhone are on the same WIFI network before starting.

First, Install the Telerik Fiddler Application, and make sure your firewall allows connections on port 8888. Now, go Settings > Wifi > (i) > Configure proxy > Manual

Get the IP address of your PC using ipConfig, Mine was 192.168.0.22, yours may be different.

IMG_6739.PNG

Enter the port as 8888 and press Save. Now, Fiddler should be able to capture HTTP (insecure) requests.

To Capture Secure Requests (HTTPS), you will need to install a certificate on your iPhone. To Do so, you can download it from your iPhone from here http://www.javatiger.com/fiddler/FiddlerRoot.cer

Or use the Camera app on your iPhone to scan this QR code:

qr-code

IMG_6741

When asked to chose a device, select iPhone

IMG_6742

This downloads the cert, but you need to install it and activate it.

Open your settings app, and click “Profile Downloaded” then “Install”

IMG_6743

then enable the cert

By pressing settings – general – about – certificate trust settings

Make sure that In Fiddler, you have selected Tools > Options > HTTPS > Decrypt HTTPS traffic, and then restart Fiddler.

fiddler

I also added extra TLS protocols amd selected the Ignore server cert errors.

Hopefully now, if you operate your iPhone, you should see both HTTP and HTTPS requests appearing in Fiddler.

Certain apps, like the App store (for example) will not work, since they are smart enough to notice that there is a “Man-In-The-Middle” attack going on – and this does highlight the importance of Certificate pinning, which you should do, if you are handling financial data in apps.

 

 

 

Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: