How to use Fiddler Everywhere to inspect Android network traffic to troubleshoot SAML authentication issues

Telerik recently released Fiddler Everywhere, a free web debugging proxy, for macOS. Previously, Fiddler was native to Windows, and macOS users had to resort to Charles or to running Fiddler under Wine. While Charles is great, it wasn't free. With Fiddler Everywhere being a free offering, it has quickly cemented itself as a must-have tool for developers.

Thanks Telerik, my Hawaii vacation / retirement fund just grew by $50.

Today, we're going to cover how to use Fiddler Everywhere to capture network traffic from an Android device. This is useful if you need to review SAML responses when troubleshooting authentication. But before we proceed to the fun stuff....

Wailea, Ulua Beach, Maui
Requirements:
  1. Telerik Fiddler Everywhere
    https://www.telerik.com/fiddler-everywhere
  2. Computer connected to network
  3. Android device connected to the same network as the computer
    • Android device must have no Workspace ONE profiles installed that manage:
      • Restrictions (limiting device network connectivity modifications)
      • Google Chrome application configuration (forcing device traffic to a proxy specified in the application configuration)

Steps to capture traffic:
  1. Open 'System Preferences' on macOS. If using a Windows operating system, navigate to 'Control Panel'
  2. Open 'Network' on macOS. If using a Windows operating system, navigate to 'Network and Sharing Center'

  3. Locate the RFC1918 IP address of your computer; mine is 192.168.0.111. If using a Windows operating system, click on the connection, and in the new window that appears, click on 'Details'.
  4. Write this IP Address down, it will be used later
  5. Download and install Fiddler Everywhere, or Fiddler if using a Windows operating system. 
  6. Open Fiddler Everywhere

  7. Ensure that Fiddler is capturing traffic

  8. Click the gear icon in the upper right corner to open 'Settings'
  9. In the 'HTTPS' tab, ensure the 'Capture HTTPS traffic' checkbox is selected


  10. In the 'Connections' tab, specify an unused port to listen for traffic on. Ensure both 'Act as system proxy on startup' and 'Allow remote computers to connect' checkboxes are selected


  11. Click 'Save' and close 'Settings'
  12. Test that Fiddler Everywhere is running by navigating to your computer's IP address and the port that you specified in 'Connections'. For my test, this will be:
    http://192.168.0.111:8866/
  13. If Fiddler Everywhere is running, you will see the following web page. If it is not running, reset your Fiddler settings, ensure there are no firewalls prohibiting traffic, and reconfigure Fiddler Everywhere settings

  14. Grab your Android tablet.
  15. Open VMware Workspace ONE Hub


  16. Tap 'This Device', and then 'Profiles'. Remove 'Restrictions' profiles, in addition to profiles managing Google Chrome's Application Configuration


  17. Tap 'Settings', followed by 'Connections'


  18. Tap the Wi-Fi network you are connected to


  19. Tap the Wi-Fi Network you are connected to in the new window that appears

  20. Tap 'Advanced' in the next window that appears


  21. In the 'Proxy' drop-down, change it from 'None' to 'Manual'

  22. Enter the IP Address of your computer in the 'Proxy host name' form field
  23. Enter the port number Fiddler Everywhere is listening on in the 'Proxy port' form field


  24. Tap 'Save'
  25. Open Google Chrome on the Android device
  26. Type in the HTTP Address that Fiddler Everywhere is listening on. In my example, this is http://192.168.0.111:8866


  27. If the URL is not accessible, verify your Android device is not connected to a VPN
  28. Tap the link to download the 'FiddlerRoot certificate'
  29. Click 'Continue'


  30. Enter your device PIN (or other form of authentication previously set up)
  31. In the new window that appears, name the certificate. In this example I will name it 'Fiddler-Test'


  32. Tap 'Ok'
  33. Prior to this, Fiddler would have been capturing HTTP traffic already


  34. Now that the Fiddler root certificate is installed on the device, HTTPS traffic is also being captured
  35. To verify HTTPS traffic is captured, we can test this by navigating to a web site. I will navigate to https://news.ycombinator.com/


  36. Open Fiddler Everywhere, and you will now be able to see all the HTTP Requests and HTTP Responses, including HTTPS traffic



  37. Click on an entry and review the HTTP Headers, Text, Cookies, JSON, and XML

  38. Now you can proceed to test your service requiring authentication
  39. Review the HTTPS Request/Responses when authenticating
  40. Look for the SAMLRequest. To decode the SAML Request, OneLogin has a free tool to decrypt it. This tool is available at https://www.samltool.com/decrypt.php

     

OptimalIDM does a great job summarizing a SAML flow:
  • The user requests access to a relying party
  • The user is redirected to the Identity Provider (IdP) with a SAML 2.0 authentication request
  • The user then authenticates at the IdP
  • A SAML 2.0 authentication response is then posted to the relying party
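
The SAMLRequest from step 40 and the posted SAMLResponse from the flow above can also be decoded locally, so the captured message never has to be pasted into a third-party site. This is an added example, not part of the original post; the function names, hostnames and sample messages are constructed for illustration, and it assumes unencrypted messages using the standard HTTP-Redirect (DEFLATE + base64) or HTTP-POST (base64 only) encodings.

```python
import base64
import zlib
from urllib.parse import urlsplit, parse_qs, quote

def decode_saml(value: str, binding: str) -> str:
    """Decode an already URL-decoded SAMLRequest/SAMLResponse value."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        # HTTP-Redirect binding: raw DEFLATE stream (no zlib header) under the base64.
        raw = zlib.decompress(raw, -15)
    elif binding != "post":
        raise ValueError("binding must be 'redirect' or 'post'")
    return raw.decode("utf-8")

def from_capture(text: str) -> dict:
    """Accept a request URL or a form-encoded POST body copied from the proxy."""
    text = text.strip()
    if text.startswith(("http://", "https://")):
        params, binding = parse_qs(urlsplit(text).query), "redirect"
    else:
        params, binding = parse_qs(text), "post"
    found = {}
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in params:
            found[name] = decode_saml(params[name][0], binding)
    return found

# --- Constructed sample messages (not taken from a real capture) ---
NS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
SAMPLE_REQUEST = f'<samlp:AuthnRequest {NS} ID="_constructed1" Version="2.0"/>'
SAMPLE_RESPONSE = f'<samlp:Response {NS} ID="_constructed2" InResponseTo="_constructed1"/>'

def sample_redirect_url() -> str:
    """Build the URL a browser would be redirected to at the IdP."""
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(SAMPLE_REQUEST.encode()) + c.flush()
    b64 = base64.b64encode(deflated).decode()
    return "https://idp.example.com/sso?SAMLRequest=" + quote(b64, safe="") + "&RelayState=abc"

def sample_post_body() -> str:
    """Build the form body a browser would POST to the relying party."""
    b64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    return "SAMLResponse=" + quote(b64, safe="") + "&RelayState=abc"

if __name__ == "__main__":
    print(from_capture(sample_redirect_url())["SAMLRequest"])
    print(from_capture(sample_post_body())["SAMLResponse"])
```

Pass `from_capture` either the full request URL or the raw form body exactly as shown in the proxy's request inspector.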



For more helpful tools to troubleshoot SAML, decode SAML messages, and more; OneLogin has compiled a set of tools that are a huge help.


For more information on Fiddler Everywhere, you can also check out these resources;
How to Debug iOS & Android Mobile Apps with #Fiddler - YouTube, Progress Telerik, Rob Lauer


Progress Fiddler Everywhere Documentation - https://docs.telerik.com/fiddler-everywhere/introduction



Mahalo,
Ryan Pringnitz
