Capture and monitor http(s) traffic from Android device through Fiddler using Wi-Fi and ProxyDroid

Developing your own application or making a security assessment of 3rd party application – it is very important to know, what traffic flows from an Android application? There are several ways to do it. We may use different proxies, we may utilize a real device or an emulator, and we might intercept air traffic or direct it through USB cable.

It is often that we need to intercept and analyze traffic from a real device and want to use Wi-Fi for that.
Here is how we may do that using Fiddler.


For this method to work you need a rooted Android device and an infrastructure which allows you to perform socket connections from your phone to your PC – Wi-Fi connection and an ordinary laptop with Wi-Fi module with would do just fine.

2. FIDDLER

Download the free version of Fiddler from Telerik. When running it the first time, make sure you allow Fiddler to accept network connections from the intra- or internet, depending on your infrastructure setup.

Configure Fiddler for incoming connections by going to Tools - Fiddler options... - Connections.. Set the following properties:

• Fiddler listens on port: 8888 or any other port not in use at your computer
• Allow remote computers to connect: on

Hit OK and restart Fiddler. 

2. PROXY DROID

Download Proxy Droid to your Android phone. Run it and configure it to point at your Fiddler instance by entering the IP of your computer and its port (8888 by default). Note that you must use the local IP address (often starting with 192.168.* or 10.*).

To test if your PC is reachable from your phone, you may simply ping it using ADB, given that it is connected with USB and have developer mode enabled. Example:
adb shell ping 192.168.1.6
(You need to have enabled reply to ICMP pings in your firewall for this to work. Fiddler may still work even if you get no ping replies)

You can also ping your phone from your PC. Acquire its IP address through this command:
adb shell netcfg

Usually the device eth0 will have the IP address you need.

3. TESTING

Simply start your favorite Android browser and navigate to a random web page. You should get the page presented normally in the browser, and see the HTTP requests line up in Fiddler. All apps will use this proxy now – not only the web browser. 

Fiddler with HTTP traffic log from the device

Whether you’re using this for policing other apps, or for debugging your own applications or 3rd party APIs, this is a technique that should be in every Android developer’s toolbox.


4. TROUBLESHOOTING

And what if the traffic from the targeted Android Applicaion is SSL encrypted?
It might be a very serious problem, if it uses its own SSL infrastructure (i.e. SSL pinning).

However, it might also be an issue with Android HttpsUrlConnection pipeline implementation - and Fiddler, happily, may fix it!
See a recipe in my previous post: How to decrypt SSL traffic from an Android app

How to decrypt SSL traffic from an Android app using Fiddler

There are plenty of tutorials on how you can intercept HTTP(s) traffic from Android using Fiddler.
Try this one: http://docs.telerik.com/fiddler/configure-fiddler/tasks/configureforandroid 

 However, it will fail when you try to intercept and decrypt Android SSL traffic coming from an application, and not from a browser.

 It might be that the application uses a certificate pinning – and you are probably cannot decipher this connection. Lost cause!
But more probably, the reason is a bug in the HttpsUrlConnection pipeline implementation.

 To solve the issue, please proceed with the following steps:

1 In Fiddler click "Rules->Customize Rules";
2 Find function OnBeforeResponse in the script
3 Add following code to the function body:

if (oSession.oRequest["User-Agent"].indexOf("Dalvik") > -1 && oSession.HTTPMethodIs("CONNECT")) { oSession.oResponse.headers["Connection"] = "Keep-Alive"; }

4 Save the file and restart Fiddler.