0

I am going to capture an app's HTTPS request to get its Login API.

I am using Fiddler. When inputting the username and password and pressing sign in, the app is working. But in Fiddler, I can not find the HTTPS request for login.

I tried with Charles Proxy too, the same problem

Also, I did with some more apps, but getting the same problem in some apps.

How to solve it?

Andrew T.
  • 15,988
  • 10
  • 74
  • 123
goofy
  • 1
  • Most likely it is not HTTP but HTTPS traffic. Intercepting HTTPS traffic using a proxy like Fiddler or Charles does no longer work on Android since Android 7 unless you modify the app or have a rooted device. – Robert Apr 05 '21 at 11:51
  • @Robert i have rotted device , what to do ? any resource ? – goofy Apr 05 '21 at 11:54
  • 1
    Then you can manually install the Fiddler/Charles root CA certificate as shown here: https://android.stackexchange.com/a/232051/2241 (se second part of the answer). When using Fiddler before installing te root CA cert make sure that you have installed the addon "CertMaker for iOS and Android" (BCertMaker shown on HTTPS options page). – Robert Apr 05 '21 at 12:16
  • @Robert done. i can get access to https://valid-isrgrootx1.letsencrypt.org/ , without error . also . app working without error . i can do login in app . but not showing htpp/s request in fiddler . If the problem was a certificate. So the program should not have worked for me. But this is not the case – goofy Apr 05 '21 at 12:39
  • 1
    Then the app is using certificate pinning. If it is a "standard SSL/TLS pinning mechanism" you may be able to defeat it by using Frida+Objection or (ed)Xposed+TrustMeAlready plugin. – Robert Apr 05 '21 at 16:21
  • i did bro . certificate bypassed , someone told me app using native lib , that is why i cant capture , right ? – goofy Apr 05 '21 at 17:11

0 Answers0