
Because of how HTTPS works, as the following picture explains, I would assume Fiddler acts like a middle-man: it intercepts the requests from the mobile, decrypts and re-encrypts them to the real servers, then decrypts and re-encrypts the responses to the mobile. Otherwise how can it capture all the HTTPS traffic?

[Image: how https works]

I face a problem that Fiddler can only capture the HTTPS traffic for an app I am developing from my iPhone but fails to capture it from my Android. My Android app always complains "The server returns invalid data" for the very first HTTPS request. I would assume the server here means Fiddler. I have not figured out why that happened. I tried many times on my Android; occasionally Fiddler can capture traffic, but when it worked I did not figure out what I did differently. So I have 2 questions here.

  1. Is my assumption about Fiddler acting as middle-man correct? Otherwise how can Fiddler (or any other app) capture HTTPS traffic?

  2. Has anyone experienced the Android error I hit? Any idea how to fix it?

[Image: android error]

I searched SO and found this one, "Some androids apps won't connect through fiddler", which may be related to my question. The answer there said:

The main problem is that if you install the Fiddler root CA certificate in Android it is marked as user certificate (not system certificate). And unless explicitly configured in an app those user certificates are not trusted.

I did remember that after I installed the Fiddler CA on my iPhone I needed to fully trust it to make it work. But on Android I can't find a place to trust the CA. But that also can't explain why it works occasionally.

Qiulang
  • Yes, I read your answer, as I added in my question. But I don't think I need a rooted Android. As I said, occasionally Fiddler can capture my HTTPS traffic. – Qiulang Apr 20 '22 at 09:43
  • Please re-read my answer: It depends on the app. If the app accepts user CA certificates (e.g. Chrome for Android) then it will work otherwise not. But if you want a device that fully works for intercepting there is only the possibility of a rooted device. The CA certificate itself is fine, it is just the way how you install it. – Robert Apr 20 '22 at 11:08
  • @Qiulang did you figure it out? The app I'm using works fine, but I don't see any requests on Charles Proxy for this app – Meir Dec 12 '22 at 21:53
  • @Meir it has been a while, but I remember I just couldn't make Android work. Please check this discussion I had on Fiddler support: https://community.getfiddler.com/support/discussions/topics/12000028218 – Qiulang Dec 14 '22 at 02:10
