How Facebook, SnapChat, or Gmail iOS apps prevent Fiddler decrypting their https traffic?

Question

I tried to use Fiddler to capture some iOS apps traffic, ex: Facebook, SnapChat, Gmail, and Instagram.

Instagram is not using https so I can get all the traffic and see

Answer 1

The way in which Fiddler can decrypt HTTPS traffic is by using their own certificate. However, when Facebook/Snapchat/Gmail detects that the certificate is not trusted by the system (and in cases will be more strict and limit the certificates within the trusted, so a third party trusted cert might be rejected), it will refuse to connect with the cert.

Fiddler can generate certs for the iOS to accept and install onto the system, but you first need to follow these instructions:

1. Install CertMaker
2. Generate the certificate from fiddler, it should then be on your desktop
3. Visit the certificate from your Safari browser (Safari only, others will not work)
4. Install the certificate

From this, you should then be able to sniff traffic from these applications.

So to answer the question again, it's not that they're preventing, it's common for SSL applications to deny responses from the server if the server provides an untrusted certificate. What Fiddler does, is spoof the part of the certificate with its so that when you are communicating over SSL, Fiddler can then use its cert to decrypt your traffic.

To answer the second part of your question, please check out this question for details. Essentially, you can force the user to use a specific certification and thus prevent the user from using installed certs.

However, they can still get around this -- just in a bit more sneaky way, but guided, this is on the client side, anything goes.