Inspecting mobile application APIs using Fiddler

If you’ve ever wondered what specific HTTP requests a mobile app installed on your phone is making, then wonder no more. In this brief tutorial I’ll show you how to configure your cell phone and Fiddler so you can see the requests (some potentially insecure) being made by apps on your phone.

Install Fiddler

You’ll need to head over to www.telerik.com, where you can download Fiddler.

Configure Fiddler

Open up Fiddler and head over to the Tools tab, then select Options in the drop-down menu, after which you should see this dialog box.

In the Options dialog box, select the Connections tab. There are two important settings to take note of here. The first is the port number that Fiddler will listen on. It is set to 8888 by default. Remember this number; we’ll need it when we’re configuring the proxy on the cell phone.

The next thing we need to do is check the box Allow remote computers to connect. By doing this we allow Fiddler to accept requests from a remote device, i.e. the cell phone, rather than only from the local machine. You’ll need to restart Fiddler once this is done.

Lookup IP address on machine

The next thing we’ll do is look up your computer’s IP address. Open up a command prompt and type in ipconfig.

Make a note of the IPv4 Address, which is 192.168.32.53 in this case.

Configure Proxy on Phone

It’s now time to configure a proxy on your phone so that HTTP requests will be routed through Fiddler. For the purposes of this demonstration I’ll be using an iPhone, but any phone will work.

Go to Settings and select Wi-Fi on the page.

Tap the information icon to see more options. At the bottom of the page you’ll see a section for HTTP Proxy. Set the proxy to Manual and then enter the IP address (your IP address) and port number (8888) in the fields below.

Make sure that your phone and the computer are on the same wireless network.

NOTE: The port number should match what you set in Fiddler (8888), and the IP address should be the one you got from the ipconfig lookup.

Intercept Requests in Fiddler

It’s time for the fun to begin. Now that we have everything configured, let’s spin up a mobile app, say Chrome, and type in the URL https://www.samuelnmensah.com. In Fiddler we should be able to see requests coming through from the mobile app.

In the Fiddler window I’ve filtered the results to show only requests to the site www.samuelnmensah.com. The User-Agent string in the Inspectors window confirms that this request came from an iPhone.

With this set up you can open any mobile application on your phone and inspect the requests that the app is making.
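As an added example (not part of the original post, and not Fiddler’s own code), here is a small Python triage script that does over a captured session list what the tutorial does by hand: filter to one host, confirm the User-Agent belongs to a phone, and flag the plaintext HTTP requests, especially ones carrying credentials, that make this kind of inspection worthwhile. The tab-separated capture format, the sample hosts and the header names are assumptions constructed for the example.

```python
"""Triage requests captured from a phone: filter to one host, confirm a mobile
User-Agent and flag plaintext HTTP traffic (added example, not Fiddler's code)."""
import re
from urllib.parse import urlparse

# Constructed capture, one session per line, tab-separated:
# method, URL, User-Agent, comma-separated request header names.
SAMPLE_CAPTURE = """\
GET\thttps://www.samuelnmensah.com/\tMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) Mobile/15E148 Safari/604.1\tHost,Accept
GET\thttp://www.samuelnmensah.com/assets/app.js\tMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) Mobile/15E148\tHost,Accept
POST\thttp://api.example.test/v1/login\tExampleApp/2.3 (iPhone; iOS 12.1)\tHost,Content-Type,Authorization
GET\thttps://cdn.example.test/logo.png\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0\tHost
"""

MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)
# Headers that should never travel over plaintext HTTP (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def parse_capture(text):
    """Turn the tab-separated capture into a list of session dicts."""
    sessions = []
    for line in filter(None, text.splitlines()):
        method, url, ua, headers = line.split("\t")
        u = urlparse(url)
        sessions.append({"method": method, "scheme": u.scheme, "host": u.hostname,
                         "path": u.path, "user_agent": ua,
                         "headers": {h.strip().lower() for h in headers.split(",")}})
    return sessions


def is_mobile(session):
    """Mirror the manual check in the tutorial: does the UA look like a phone?"""
    return bool(MOBILE_UA.search(session["user_agent"]))


def audit(sessions, host_filter=None):
    """Return (severity, method, host, path, leaked_headers) for every mobile
    session sent over plaintext HTTP; 'high' when a credential header rides along."""
    findings = []
    for s in sessions:
        if host_filter and s["host"] != host_filter:
            continue
        if is_mobile(s) and s["scheme"] == "http":
            leaked = sorted(s["headers"] & SENSITIVE_HEADERS)
            findings.append(("high" if leaked else "medium",
                             s["method"], s["host"], s["path"], leaked))
    return findings
```

Running `audit(parse_capture(SAMPLE_CAPTURE))` reports the script fetched over plain HTTP as medium and the login POST that sends an Authorization header in the clear as high; the desktop Chrome session is ignored because its User-Agent is not a phone.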