-5

I am new in pentesting so I don't know what to expect. I am intercepting HTTPS requests of Android apps in my phone through Fiddler for pentesting purposes. I have installed the Fiddler certificate on my Android phone so that I can intercept HTTPS requests.

I can see the HTTPS requests from and to my phone in clear text in Fiddler. Is it a bug of the Android app or is it normal to see HTTPS requests in clear text?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Akshansh Shrivastava
  • 439
  • 1
  • 4
  • 10
  • 6
    Isn't this the expected behavior? You just said you installed the Fiddler certificate. – Azteca Aug 16 '17 at 22:18
  • @Azteca I am not sure what behaviour I should expect. i.e I asked the question in the first place – Akshansh Shrivastava Aug 16 '17 at 22:31
  • 1
    This is the expected behavior for any app that does not have specific certs pinned. – Xander Aug 17 '17 at 01:40
  • 9
    I'm voting to close this question because the OP seems to be using a setup explicitly designed to intercept HTTPS traffic without having any idea what this actually means, i.e. getting access to the plain text. And then the OP wonders why he got access to the plain text, i.e. exactly the thing the setup was designed for. – Steffen Ullrich Aug 17 '17 at 05:14

1 Answers1

4

If you are using fiddler to intercept the HTTPS connection with a self installed certificate then you are conducting an active, self induced, 'man in the middle' on your connection. This means fiddler is intercepting and decrypting and reencrypting the traffic between the phone and the web server, allowing you to 'see' into the packet.

ISMSDEV
  • 3,272
  • 12
  • 22