If you’ve ever wondered what specific HTTP requests a mobile app installed on your phone is making, then wonder no more. In this brief tutorial I’ll show you how to configure your cell phone and Fiddler so you can see the requests (some potentially insecure) being made by apps on your phone.
Open up Fiddler and head over to the Tools tab, then select Options in the drop-down menu, after which you should see the Options dialog box.
In the Options dialog box, select the Connections tab. There are two important configurations to take note of here. First is the port number that Fiddler will listen on. It is usually set to 8888 by default. Remember this number; we’ll need it when we’re configuring the proxy on the cell phone.
The next thing we need to do is check the box Allow remote computers to connect. By doing this we allow requests from a remote device, i.e. the cell phone, to be routed through Fiddler. You’ll need to restart Fiddler once this is done.
Lookup IP address on machine
The next thing we’ll do is look up your computer’s IP address. Open up a command prompt and type in ipconfig.
Make a note of the IPv4 Address, which is 192.168.32.53 in this case.
Configure Proxy on Phone
It’s now time to configure a proxy on your phone so that HTTP requests will be routed through Fiddler. For the purposes of this demonstration I’ll be using an iPhone, but any phone will work.
Go to Settings and select Wi-Fi on the page.
Click on the information icon to give you more options. At the bottom of the page you’ll see a section for HTTP Proxy. Set the proxy to manual and then enter the IP address (your IP address) and port number (8888) in the fields below.
Make sure that your phone and the computer are on the same wireless network.
NOTE: The port number should match what you set in Fiddler (8888), and the IP address should be your computer’s IP address from the ipconfig lookup.
Intercept Requests in Fiddler
It’s time for the fun to begin. Now that we have everything configured, let’s spin up a mobile app, say Chrome, and type in the URL https://www.samuelnmensah.com. In Fiddler we should be able to see requests coming through from the mobile app.
In the Fiddler window I’ve filtered the results to show only requests to the site www.samuelnmensah.com. The user agent string in the Inspectors window confirms that this request came from an iPhone.
With this information you can open up any mobile application on your phone and inspect the requests that the app is making.
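Once a capture grows beyond a few sessions, reviewing it by eye for the insecure requests mentioned at the start gets tedious. The script below is an added example, not part of the original tutorial: it assumes the sessions have been exported from Fiddler in HTTPArchive (HAR) format, keeps only requests whose user agent matches the phone, and flags cleartext HTTP, credentials sent over HTTP, and sensitive-looking parameter names in URLs. The sample data, the example.test hosts, the user agent string and the keyword list are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hypothetical keyword list; tune it to the app under review.
SENSITIVE = ("token", "password", "passwd", "apikey", "api_key", "session", "secret")
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"  # constructed

def _entry(method, url, ua, extra=()):
    headers = [{"name": "User-Agent", "value": ua}]
    headers += [{"name": n, "value": v} for n, v in extra]
    return {"request": {"method": method, "url": url, "headers": headers}}

# Constructed sample in HAR 1.2 shape; not real captured traffic.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("GET", "https://www.samuelnmensah.com/", IPHONE_UA),
    _entry("GET", "http://api.example.test/v1/profile?session=abc123", IPHONE_UA,
           [("Cookie", "sid=constructed")]),
    _entry("POST", "https://api.example.test/login?token=constructed", IPHONE_UA),
    _entry("GET", "http://updates.example.test/check", "Mozilla/5.0 (Windows NT 10.0)"),
    _entry("CONNECT", "api.example.test:443", IPHONE_UA),
]}})

def audit_har(har_text, ua_contains=""):
    """Return sorted (method, host+path, issue) findings for matching requests."""
    findings = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        hdrs = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        if ua_contains.lower() not in hdrs.get("user-agent", "").lower():
            continue  # request came from some other client using the proxy
        if req["method"].upper() == "CONNECT":
            continue  # tunnel setup only, carries no application data
        url = urlsplit(req["url"])
        where = (req["method"], (url.hostname or "") + url.path)
        if url.scheme == "http":
            findings.add(where + ("cleartext-http",))
            if "cookie" in hdrs or "authorization" in hdrs:
                findings.add(where + ("credentials-over-http",))
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            if any(s in name.lower() for s in SENSITIVE):
                # Report the parameter name only, never the value.
                findings.add(where + ("secret-in-url:" + name,))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR, ua_contains="iPhone"):
        print(*finding, sep="  ")
```

To run it against a real capture, pass the text of the exported file to audit_har in place of SAMPLE_HAR.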