Almost every time I’m working on network stuff in iOS or Android, I immediately open up Fiddler. I know that there’s also Charles Proxy for OS X which does just as well as Fiddler, but the majority of the time, my Windows VM is running anyway, so I just haven’t been able to justify the $50 for Charles Proxy when Fiddler is free.
When I’m working on networking stuff in iOS or Android, I don’t like treating networks as a black box. I do my web request and even if everything is giving me 200’s and looks like it’s working, it’s still a good idea to check the connection to be absolutely positive that you’re sending and receiving what you expect. If all goes well, you spend a few extra minutes looking at network transactions and pat yourself on the back for a job well done. But if things aren’t going perfectly, it makes things a whole lot easier to debug.
So here’s the steps I use to get things set up to be able to look at http/https traffic from my mobile devices. You can also easily extrapolate the steps to allow any device to go through your Fiddler install.
Even if you have Fiddler installed, you should still read this section because there’s more too it than you may expect.
Head over to Fiddler’s download page to get the latest version. Download the .Net 4 version. I have never had to download the .Net 2 version of Fiddler, and unless you are working in the stone age, you shouldn’t need it either. -Note: I’m sorry if I offended you if you are living in the stone age. But seriously, Windows XP is dead. What kind of person is trying to debug iOS/Android web traffic and is still running Windows XP?
Once you download and install Fiddler, there’s 1 more step. Fiddler’s default certificate maker doesn’t work out too well with iOS or Android devices. If you don’t care about decrypting https traffic, then there’s really no need to worry, but you might as well set things up completely to begin with. If you never have to decrypt https traffic then lucky you, but now days as a developer you’ll probably have to do it at least some time.
Fiddler has a wide array of Add-ons. Some of them are pretty nice, so I recommend taking a moment to glance at the page, but the only one that you need is CertMaker for iOS and Android. Here’s the direct download, but you should probably still head over to their site to make sure you get the latest version. Simply download it and run the executable to install the CertMaker.
Now that we’ve got Fiddler and the CertMaker installed, we need to do a little bit of setup.
Open up Tools->Fiddler Options…
On the HTTPS tab, make sure the box for “Capture HTTPS CONNECTs” and “Decrypt HTTPS traffic” are both checked. The first time you do this, Fiddler will prompt you to make sure you want to trust the Fiddler Root certificate. Then Windows will prompt you, then Fiddler will prompt you again, then the certificate will finally be installed. You will need to say Yes on every one of those prompts. If you say No, then Fiddler won’t be able to decrypt your https traffic.
The reason for so many prompts is because allowing https traffic to be decrypted is a slight security hole. I’ve never had any issues with it in the years that I’ve been decrypting my own https traffic. If you are a particularly paranoid individual, you can uncheck “Decrypt HTTPS traffic” and then click the button labeled “Remove Interception Certificates” and that will remove the Fiddler Root certificate. Doing this, you could install the certificate only while you need it installed, and then remove it when you’re done decrypting your traffic. I don’t personally do this, but you are welcome to.
NOTE: on newer versions of Fiddler, there is an “Actions” button on the right side of this dialog, if you click on it has options to get Fiddler to install/uninstall the Fiddler root certificate. If you’re not interested in snooping your own traffic, you don’t really have to install the certificate, but its easier to just install it so you never have to go back and set it up later.
Next, go to the Connections tab. And check the box that says “Allow remote computers to connect”
Now you’ll need to restart Fiddler.
On your iOS device, open up Safari (you must use Safari) and navigate to
This will bump you into settings with a window to install the Fiddler certificate.
Ignore that the name of the certificate is “DO_NOT_TRUST_FiddlerRoot” you really can trust it. Press install, then install again, then type in your pin for your device.
Now you need to go to your wifi settings and go to the properties for your network
And finally, set the proxy settings for the network
Now all of the https traffic on your iOS device will proxy though Fiddler.
Unfortunately for Android, the setup can vary from device to device. And on some devices, the OEM has made modifications to the OS to disallow user defined root certificates. The Sony Xperia is one we had particular trouble with at work. The basic steps (regardless of the platform) are:
- Install the Fiddler Root certificate onto your device to allow Fiddler to decrypt https traffic
- Set the proxy settings for your network
Some Android devices require you to jump through hoops to install the Fiddler Certificate, and all Android devices I’ve found require you to set a PIN or Pattern or what not in order to install the Fiddler Certificate.
Open up a browser, on Android it shouldn’t have to be a specific one, and navigate to:
If you’re lucky, you won’t have to jump through any hoops to install the certificate. You’ll be presented with a prompt to name/install the certificate
Name the certificate something useful, make sure its set to VPN and apps for the credential usage and then tap OK. Once you tap OK, you may get some additional prompts from Android about a PIN or something, every Android device is different.
If visiting the URL to get the certificate downloads the certificate, but doesn’t start trying to install the certificate, don’t worry. It downloaded the certificate, it just didn’t try to install it.
- Open Settings
- Go to Security
- Scroll way down and tap on ‘Install from SD card’ or ‘Install from External Storage’ or whatever it says
This should open the same prompt as above. If it doesn’t you will need to consult with Google (good luck).
Once you’ve got the certificate installed
- Go to your wireless settings
- Long press on your network
- Select ‘Modify network’ from the modal dialog that opens
- Check ‘Show Advanced options’
- Fill out the proxy settings
In the image below, Save is disabled because I did not enter a proper hostname
Now all of the https traffic on your Android device will proxy though Fiddler.