Testing HTTPS In Native APPs

Over on Twitter, Paul asks how to verify that a native application is using TLS.

For a PC, it’s pretty simple, just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that traffic is insecure and could be intercepted.

Macs and Mobile Devices

For Mac, iOS, Android, Windows Phone, Windows RT or other devices, the first step is to install Fiddler on a Windows or Linux PC (or Virtual Machine) and configure its proxy to point at the Fiddler instance (e.g. that machine’s IP address, port 8888). For now, don’t add the Fiddler root certificate to the device. Launch the application in question and see whether you see insecure HTTP requests. If not, then look to see whether you see any HTTPS requests. If you see only Tunnel to requests but no HTTPS requests, then the app is using HTTPS securely and isn’t willing to accept just any old certificate (like some insecure apps), only a trusted certificate will be accepted. (If you don’t see any traffic at all, try the default browser to make sure you’ve set up the proxy settings properly).

Using Fiddler’s TextView inspector at the top-right of the debugger, you can examine the CONNECT request (“Tunnel to”) Fiddler captured to see which TLS version the client offered, as well as the list of ciphers and extensions the client supports.

If you’d like to see the plaintext of the HTTPS requests, then install the Fiddler root certificate on the device. If you can now see the decrypted requests, the device has a reasonable HTTPS configuration where HTTPS traffic must be signed by a trusted root certificate.

Certificate Pinning

However, if after trusting the root certificate, you can see HTTPS traffic from the device’s primary browser but not the application in question (you still only see only Tunnel to requests) that implies that the app is using Certificate Pinning, whereby only specific certificates (or certificates that have a specific ancestor certificate in their chain) are accepted. To debug the HTTPS traffic from such an application, you’ll need to jailbreak the device and use a tool like the iOS SSL Kill Switch to thunk the HTTPS APIs to allow any certificate. Certificate Pinning is a good security technique, but it can make your application unusable in certain environments.

The one exception to this heuristic for detecting certificate pinning logic is Chrome on iOS; that app ignores the iOS trusted root store due to limitations in the platform APIs. Update: In Chrome 48, Chrome for iOS stopped using its own network stack and began using the WkWebView component, which means it uses the iOS native network stack and HTML renderer.

Configuration Quality

Beyond the scenarios described above, you should test your browsers’ and servers’ TLS support using the great tools at SSLLabs.com.

You can more exhaustively test a client (by installing a local agent) using this Linux application, and you can read about why validation of HTTPS certificates in non-browser software is considered “the most dangerous code in the world.”


Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ MSFT '01-'12, and '18-, working on Office, IE, Edge, and Web Protection. My words are my own, I do not speak for any other entity.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: