Capture and Inspect Android Traffic with Fiddler Everywhere

Environment

Product: Fiddler Everywhere
Product Version: 1.0.2 and above

Description

Fiddler Everywhere can be used to capture and inspect traffic that comes from Android devices.

Prerequisites

  • Fiddler Everywhere client installed on your machine.
  • The computer running Fiddler Everywhere and the Android device should be discoverable on the same network.

Configure Fiddler Everywhere

  1. Enable remote connections in the Fiddler Everywhere client via Settings > Connections > Allow remote computers to connect.
  2. Remember the IP address of the machine on which Fiddler Everywhere is running. You can use built-in OS tools to obtain the IP address (like ipconfig on Windows or ifconfig on Linux) or the Fiddler Everywhere popup status on the bottom right part of the client. For demonstration purposes, let's assume that the local IP used by the machine (which runs Fiddler Everywhere) is 192.168.0.101

Configure Android Device

  1. Check the Android device's IP address.
    • Open the connected Wi-Fi network and tap Settings.
    • Expand Advanced Settings.
    • Get the IP address of the device. For demonstration purposes, let's assume the device IP is 192.168.0.222
  2. Modify the Android device's proxy settings.
    • Open the connected Wi-Fi network and tap Settings.
    • Press Edit and expand Advanced Settings. On older Android versions, you might have to long-press the connected network name, then tap Modify and expand Advanced Settings.
    • On Proxy select Manual proxy.
    • As IP address put the address of the computer (on which Fiddler Everywhere client is running), for example, 192.168.0.101
    • As port use the port set in Fiddler Everywhere client. The default port is 8866 (it could be changed from the Fiddler Everywhere connections settings).
    • Tap Save.
  3. Install the trust certificate on the Android device.
    • Open a browser on the device and type the Fiddler echo service address: http://ipv4.fiddler
    • Tap the option to download the certificate.
    • In the prompt window, enter a certificate name and press Save.

Inspect Browser Traffic

With all of the above done, you can immediately monitor HTTP/HTTPS traffic from mobile browsers. For example, open a Chrome browser on your Android device, type an address of your choice and observe the traffic being captured in the Live Traffic section of Fiddler Everywhere.

Inspect Android Application Traffic

You can monitor traffic from apps that are in active development (applications for which you have access to the codebase). For Android API 24 and above, apps do not trust user-added CA certificates by default, so additional configuration needs to be added to the app as follows:

  • Put the following in Android/src/main/res/xml/network_security_config.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <base-config>
            <trust-anchors>
                <!-- Trust preinstalled CAs -->
                <certificates src="system" />
                <!-- HERE: Additionally trust user-added CAs -->
                <certificates src="user" />
            </trust-anchors>
        </base-config>
    </network-security-config>

  • Then, in the AndroidManifest.xml file, reference the above file through an attribute on the application tag:

    android:networkSecurityConfig="@xml/network_security_config"

For example:

    <application
        android:name="com.tns.NativeScriptApplication"
        android:allowBackup="true"
        android:icon="@drawable/icon"
        android:networkSecurityConfig="@xml/network_security_config">
  • Rebuild the app, and you can start monitoring its HTTP/HTTPS traffic.
