Wednesday, January 9, 2013

Using Fiddler with an iPhone/iPad

If you have ever used Fiddler to debug a web application, you know what an invaluable tool it can be. If you have also tried to debug that application from an iPhone or iPad, you also know how difficult it can be to figure out what's going wrong from the web server logs. Below I will explain how to configure Fiddler to proxy the iPhone/iPad.


HTTP Traffic


First, you need to enable connections from remote devices. Start Fiddler, and choose Fiddler Options from the Tools menu. Make note of the "Fiddler listens on port" value. You will need this in the next step. Now, select the "Allow remote computers to connect" option and click OK. You will be asked to restart Fiddler.


When you restart Fiddler, Windows Firewall will ask permission to allow incoming connections to Fiddler. If you are using another firewall, you may need to configure this manually. Also, if you're doing this at work, and your company has a centrally managed firewall, they may not allow you to make changes at all. BTW: when you're done debugging, you should disable this option, so that other machines on the network can no longer route traffic through your Fiddler instance.



Now that Fiddler is listening, you need to configure the iPhone/iPad to use the proxy server. Go into Settings and click Wi-Fi. Then click on the little circle with the arrow next to the active connection. Scroll down to the bottom and change the HTTP Proxy to manual. Now enter the IP address of your Windows box and the port that Fiddler is listening on. See the image below. BTW: if you're using a VPN connection, you need to configure the proxy settings on the VPN configuration page.


Now open the browser on your device and you should see the traffic in Fiddler on your Windows box.
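To find the address to type into the device and to confirm what "Allow remote computers to connect" changed, you can inspect the listener from PowerShell. This is an added example, not part of the original post; it assumes Windows 8/Server 2012 or later (for the `Get-Net*` cmdlets) and uses 8888 as a stand-in for the port you noted in Fiddler Options.

```powershell
# Added example (not from the original post).
# Assumption: 8888 stands in for the value of "Fiddler listens on port".
param([int]$Port = 8888)

# Addresses you can enter as the proxy "Server" on the iPhone/iPad.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object InterfaceAlias, IPAddress |
    Format-Table -AutoSize

# Who is listening on the proxy port, and on which local address?
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP port $Port. Is Fiddler running?"
    return
}

$listeners | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process         = $proc.ProcessName
        LocalAddress    = $_.LocalAddress
        Port            = $_.LocalPort
        # A loopback-only binding means other devices cannot connect.
        # A non-loopback binding can still be blocked by the firewall.
        BoundBeyondLoopback = $_.LocalAddress -notin @('127.0.0.1', '::1')
    }
} | Format-Table -AutoSize
```

Run it again after you turn the option off and restart Fiddler: `BoundBeyondLoopback` should then read `False` for every row.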


HTTPS Traffic


At this point you can examine HTTP traffic, but not HTTPS. Fiddler can be configured to do this, but the default Fiddler root certificate is not compatible with iPhone/iPad. To replace the default certificate with one that the iPhone/iPad will trust, download and run the certificate maker utility from the Fiddler web site: http://www.fiddler2.com/dl/FiddlerCertMaker.exe

In order to see HTTPS traffic, you need to configure Fiddler to decrypt HTTPS. You can do this by choosing Fiddler Options from the Tools menu. Choose the HTTPS tab and ensure that "Decrypt HTTPS traffic" is enabled. If it is already enabled, I suggest that you disable it, click the "Remove Interception Certificates" button, and then enable it again. This will clean out the existing certificates and make it easier to find the new certificate in the steps below. Before you close the options dialogue, click the "Export Root Certificate to Desktop" button.


Now you should be able to examine HTTPS URLs, but you will get a warning message similar to the one below each time you access a new URL. If you're debugging a web application and don't mind clicking continue now and then, feel free to stop reading here.



Eliminating the "Cannot Verify Server" warning


If you're debugging an app that makes web service calls, you may not have the option to accept the warning above. To eliminate the error, you need to import the Fiddler root certificate onto the device, and for that you need the iPhone Configuration Utility. You can download it from here: http://support.apple.com/kb/DL1466


Once you download and install it, launch the iPhone Configuration Utility. Choose Configuration Profiles and click New. Configure the general options as shown below.



Now, go to the Credentials tab and click Configure. Find the certificate issued to DO_NOT_TRUST_FiddlerRoot. If you have updated Fiddler a few times, there may be more than one. If so, open each certificate and compare the certificate's serial number to the one you exported above.

Now connect your device and find it in the iPhone Configuration Utility under DEVICES. Choose the Configuration Profiles tab, and push the Install button next to the new profile you just created. A message will appear on the device; click Install (you may need to enter your PIN).
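The serial-number comparison in the Credentials step can be done in one pass instead of opening each certificate by hand. This is an added example, not part of the original post; it assumes the export button wrote a file named FiddlerRoot.cer to your Desktop and that the candidate certificates live in the current user's certificate stores, so adjust `$ExportPath` and `$stores` if your setup differs.

```powershell
# Added example (not from the original post).
# Assumption: the exported root is FiddlerRoot.cer on the current user's Desktop.
param(
    [string]$ExportPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'FiddlerRoot.cer')
)

if (-not (Test-Path $ExportPath)) {
    throw "Exported certificate not found at $ExportPath"
}

# Load the certificate that Fiddler exported.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExportPath
"Exported root: serial $($exported.SerialNumber), thumbprint $($exported.Thumbprint)"

# Assumption: per-user stores to search for Fiddler roots left by earlier installs.
$stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root'

Get-ChildItem -Path $stores |
    Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' } |
    Sort-Object NotBefore |
    Select-Object `
        @{ Name = 'Store';         Expression = { $_.PSParentPath -replace '^.*::', '' } },
        SerialNumber,
        NotBefore,
        NotAfter,
        # The serial is what the post compares; the thumbprint is a hash of the whole certificate.
        @{ Name = 'SerialMatch';   Expression = { $_.SerialNumber -eq $exported.SerialNumber } },
        @{ Name = 'ExactSameCert'; Expression = { $_.Thumbprint -eq $exported.Thumbprint } } |
    Format-Table -AutoSize
```

Pick the row where both `SerialMatch` and `ExactSameCert` are `True`; rows where both are `False` are roots left over from earlier Fiddler versions.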


Now you should be able to debug web applications that make AJAX calls as well as native apps. Good luck and feel free to post questions below.

11 comments:

  1. Clear and concise instructions. Now I will be more confident fiddling with fiddler in the iphone5.

  2. I'm getting my first ever Apple product, the iPhone 4S and I guess I would be needing something like this or probably an Apple handbook for Dummies so I can navigate it well. Just kidding. I'm just really excited.

  3. Hey, I'm using Fiddler. It is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and thousands more. You can also debug traffic from popular devices like Windows Phone, iPod/iPad, and others. To debug applications you've written in Java, .NET, or using WinHTTP. thanks~ Sarah

  4. Thanks this article was super helpful for me. I've always been able to view web traffic from phones but never been able to get the iOS app traffic to work through fiddler until now! If you have any knowledge on getting Android app traffic to work through fiddler please let me know as it's my last hurdle to fully use fiddler with iOS/Android development.

  5. Hi, I have a question. Can all apps on iOS only communicate through HTTP/HTTPS? Or can they specify any port they want on their server?

    Thanks

  6. I did use Fiddler for hiding iOS HTTPS calls on my iPhone; actually I was using Fiddler as a proxy. It worked well, but there were a lot of issues which were quite hard to tackle. It took me a long way to solve this.

  7. How can I download fiddler in iPad note that is the first time I'm trying to use it I wanted for a game please help

  8. A special thanks for this informative post. I can't remember the last time I purchased a mobile phone to actually be used as a phone . Great stuff ...

  9. Excellent post on iOS mobile apps development!!! The future of mobile application development is on positive note. You can make most it by having in-depth knowledge on mobile application development platform and other stunning features.

  10. Hyperfox is a security tool for proxying and recording HTTP and HTTPS communications on a LAN. Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPS traffic can be successfully intercepted and recorded.
  11. Is this compulsory for using Fiddler to hide iOS HTTPS on my iPhone? Is the iOS 9 VPN setting different than the others? And according to the vpnranks, which is the best VPN?
