Intercept a Secured Endpoint (HTTPS) and a Mobile Device
Interception — A terminology widely used in computer security. As testers, if it rings a bells it could be mostly Security Testing or Penetration Testing.
The attempt is to use interception as a loophole to trace down all the bits and bytes between mobile back-end and server to simulate functionalities from an automation script later on.
Interception is not a challenge with the use of Fiddler, Burp or Charles as long as the endpoints are NOT secured with HTTPS, even if its from your web browser or from an mobile device (iOS device/Android device).
But when its secured (HTTPS), that is where an special approach is needed to intercept the secured communication.
With the use of Fiddler and a ‘Simple Trick’, each request and response can be record and save against business-flows/scenarios or functionalities from the mobile device.
As a best practice the recorded steps are always better to check manually from Postman or by Fiddler as a Reissue Request to ensure the communication between the secured endpoint.
To intercept the calls made for an secured endpoint from the mobile device (regardless of iOS or Android) and retrieve the payload get the Fiddler installed and FiddlerCertMaker add-on installed successfully in the local machine.
Since the calls made from a mobile device to an endpoint(regardless of secured or not) is needed to be intercept make sure the device and the local machine is connected to the same wireless network.
Recipe to create and apply the ‘Simple Trick’ as follows;
Configure the local IP address as the proxy by pass access point in your mobile device and define the port in your mobile define for proxy by passing as 8888.[8888 can be customized, but it is the default port defined for Fiddler itself]
Local IP can be traced from Fiddler or from Command-Prompt.
Access to the Fiddler Echo Service page from the mobile browser with service URL (http://<local-ip>/8888) and get the Fiddler Certificate (FiddlerRoot.cer) downloaded to the mobile device and installed.
Given below is the example of iOS, and it is same the for the Android.
To intercept the secured endpoint, install the secured endpoint certificates for the Windows Certification Manager aka cert-mgr. (On a windows machine, enter ‘certmgr.msc’ on Run to get the cert-mgr)
On cert-mgr, import the Secured Endpoint certificate from the stored location from the file tree.
Enable the Capture HTTPS Connects and Decrypt HTTPS Traffic by applying a tick on the check-boxes in-front of each of Fiddler Settings.
Afterwards the requests and the responses made between the mobile device (iOS or Android) and the secured endpoint (HTTPS) can be intercepts using the Fiddler.
Feel free to leave your feedback and comments, which can lead us for a friendly discussion below.