December 1, 2020

Some time ago, I changed my Google password. That change logged me out of my Google account on my iPad, so Photos, Chrome, and other apps were asking again for my password to log me back in. The only problem was that all I could see was a blank page instead of the Google login form, or just a -- (NSURLErrorDomain: -999) error.

I've restarted the iPad, I've uninstalled all Google apps and reinstalled them, I've even installed an iOS (now iPadOS) update. I've changed networks, DNS, I've even enabled a VPN. As a last resort, I tried waiting 2 weeks for the problem to fix itself. It didn't.

Nothing helped, still a blank page or that -- (NSURLErrorDomain: -999) error. The Google account was fine elsewhere, I could log in on my desktop and other devices, so I knew it was the iPad. I've found that the -999 error means NSURLErrorCancelled, which was great to know but it didn't really help.

Sign in Error NSURLErrorDomain: –999

I didn't want to do a factory reset because these are time-consuming, so instead I did something that probably took me even longer. But I've also learned something.

I was curious what the iPad was requesting: what URL (because the error said “URLError”) and what the response was, if any. To put it simply, I wanted to sniff my own traffic. When it comes to debugging HTTP(S) traffic, one of my go-to tools is Fiddler (the others are the browser itself and Wireshark). It was originally built by Eric Lawrence, acquired by Telerik in 2012, and has been owned by Progress Software since 2014.

Fiddler is a web debugging proxy on steroids. It shows you requests, responses, you can replay requests, have it automatically respond with your locally saved file, it is scriptable and supports extensions. You can add or remove headers from responses, simulate slower networks, and do just about anything you'd ever need regarding HTTP requests and responses. Want to see security headers in the session list? No problem.

Fiddler (Classic) runs primarily on Windows; Fiddler Everywhere, released earlier this year, supports macOS and Linux too but doesn't have all the features of Fiddler Classic. If you want to know more Fiddler tips, follow its original author (come for the tips, stay for Chrome and Edge internals), or check Eric's answers on StackOverflow.

Fiddler doesn't run on iOS but luckily, it can be used as a remote proxy. So Fiddler Classic running on my Windows computer can inspect my iOS/iPadOS HTTP(S) traffic, which is great.

+--------+        +---------+        +--------+
|        +-------->         +-------->        |
| iPadOS | Cert 2 | Fiddler | Cert 1 | Server |
|        <--------+ (Proxy) <--------+        |
+--------+        +---------+        +--------+
   iPad             Windows            Google

Fiddler can also decrypt and inspect HTTPS traffic and then re-encrypt it. If you trust its root certificate, the target app or device will only see a different yet trusted certificate and will have no idea that the traffic is being inspected, unless it allows only a predefined set of certificates (“certificate pinning”). I was pretty sure the Google login form would not load when using an invalid certificate issued by an unknown and untrusted certification authority, so this kind of inspection was exactly what I needed to do.
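The three outcomes described above, modelled as an added example that is not from the original article. Certificates are simplified records with constructed placeholder names and key bytes, and signature and hostname checks are left out of the model.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (constructed)

def pin(cert):
    """base64(SHA-256(SPKI)), the usual form of a public-key pin."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_trusted(chain, trust_store):
    """Leaf first. Every cert must be issued by the next one, and the last
    must be a self-issued root whose key is in the trust store."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject == root.issuer and pin(root) in trust_store

def client_accepts(chain, trust_store, pins=None):
    if not chain_trusted(chain, trust_store):
        return False
    # A pinning client also requires a key it already knows in the chain.
    return pins is None or any(pin(c) in pins for c in chain)

# Constructed sample data: all names and key bytes are placeholders.
public_root = Cert("Example Public Root", "Example Public Root", b"public-root-key")
server_leaf = Cert("accounts.example", "Example Public Root", b"server-key")
proxy_root = Cert("Proxy Root", "Proxy Root", b"proxy-root-key")
proxy_leaf = Cert("accounts.example", "Proxy Root", b"proxy-generated-key")
DIRECT = [server_leaf, public_root]     # "Cert 1" in the diagram
INTERCEPTED = [proxy_leaf, proxy_root]  # "Cert 2" in the diagram

def outcomes():
    stock = {pin(public_root)}                # device as shipped
    with_proxy = stock | {pin(proxy_root)}    # after trusting the proxy root
    pinned = {pin(server_leaf)}               # app that pins the server key
    return {
        "stock device, intercepted": client_accepts(INTERCEPTED, stock),
        "proxy root trusted, intercepted": client_accepts(INTERCEPTED, with_proxy),
        "pinning app, intercepted": client_accepts(INTERCEPTED, with_proxy, pinned),
        "pinning app, direct": client_accepts(DIRECT, with_proxy, pinned),
    }

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```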

Telerik has published a how-to for configuring Fiddler to capture iOS traffic but there are (or rather, were) a few gotchas that can get in the way:

  1. You need to use Safari to download the Fiddler root certificate from http://ipv4.fiddler:8888/
  2. You need to enable the Fiddler process in your Windows 10 firewall (Settings > Update & Security > Windows Security > Firewall & network protection > Allow an app through firewall)
  3. Make sure the firewall is not blocking all incoming connections (see above for how to get to Firewall & network protection again, then click the Domain/Private/Public network and uncheck “Blocks all incoming connections including those in the list of allowed apps”; don't forget to enable it again once you're done sniffing)

Windows Defender Firewall is On and blocking all incoming connections

Your firewall should block all incoming connections, especially if you frequent coworking or other public spaces

When I started writing this article, I intended it to be about inspecting iOS traffic on Windows using Fiddler, but instead of writing (and maintaining!) a similar article to what Telerik has already published, I've just submitted improvements to the original Fiddler docs so that everyone can benefit from it. So if you'd like to debug HTTP or HTTPS traffic on iOS, just follow that guide. Click the Improve this article link if there's something that deserves an update.

And what about the Google iPad login? In Fiddler I could see that the iPad sends a request, gets back some HTML to display but it didn't like it for some reason. So the debugging session didn't help much.

Then I found out that instead of doing a full factory reset, you can reset just the network settings. So I did that, entered my Wi-Fi password again and tried to sign in to Chrome. And – voilà – the Google login form came up.

I don't know what the problem was but if it ever comes back, I know how to fix it.

Michal Špaček


I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.
