TL;DR
Yes, a sniffer like Fiddler 2 *can* eavesdrop on your application’s traffic and potentially help with reverse engineering. However, you can significantly reduce this risk by using HTTPS (SSL/TLS) correctly and implementing code obfuscation techniques.
Understanding the Threat
Fiddler 2 is a free web debugging proxy that sits between your application and the internet. If your app communicates over plain HTTP (unencrypted), Fiddler can read and modify everything sent and received. Even with HTTPS, weaknesses in how the connection is configured or validated (for example, trusting any certificate installed on the device) can still allow the traffic to be decrypted.
Steps to Protect Your Application
- Always Use HTTPS: This is the most important step. Encrypt all communication between your app and your server using SSL/TLS.
- Ensure you have a valid SSL certificate from a trusted Certificate Authority (CA).
- Force redirects from HTTP to HTTPS on your server.
- Certificate Pinning: Prevent man-in-the-middle attacks by pinning your server’s certificate or public key within your application.
- This makes the app accept only the expected server certificate or key, rather than any certificate signed by a CA the device happens to trust.
- Implementation varies depending on your platform (Android, iOS, etc.). For example, in Android:
// Example of certificate pinning in Android using OkHttp
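The pinning code that the comment above refers to is not on the page. The following is an added example, not code from the original answer or from the OkHttp project. It assumes OkHttp 3.x/4.x on Android; the host name api.example.com, the two pin values and the class name PinnedApiClient are placeholders.

```java
// Added example: certificate (public key) pinning with OkHttp on Android.
// API_HOST, PRIMARY_PIN, BACKUP_PIN and the class name are placeholders.
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedApiClient {
    // Host name of the API server (placeholder).
    private static final String API_HOST = "api.example.com";

    // SHA-256 hashes of the server's Subject Public Key Info, base64-encoded, in OkHttp's
    // "sha256/..." form. Both values are PLACEHOLDERS: generate the real ones from your own
    // certificate. Pin at least two keys (current and backup) so that a key rotation cannot
    // lock every installed client out of the API.
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    public PinnedApiClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Performs a GET against the pinned host. If the presented certificate chain does not
     * contain one of the pinned keys (for example because a debugging proxy's root CA has
     * been installed on the device and the proxy is re-signing the connection), OkHttp
     * aborts the handshake with SSLPeerUnverifiedException before any request data is sent.
     */
    public String fetch(String path) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + path)
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected HTTP status " + response.code());
            }
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: never fall back to an unpinned connection. Surface the failure.
            throw new IOException("Certificate pin mismatch for " + API_HOST, e);
        }
    }
}
```

Take the real pin values from your own certificate; a convenient way to read them off a test build is to connect with a deliberately wrong pin, since OkHttp lists the observed pins in the SSLPeerUnverifiedException message. Pinning defeats a proxy whose root CA has been installed on the device, because the proxy's re-signed chain never contains the pinned key; it does not help once the app itself has been patched to remove the pin, which is why the root/jailbreak and tamper checks later in this list still matter. On Android 7 and later the same pins can alternatively be declared in the app's Network Security Config.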
- Mutual TLS Authentication: Require the client (your app) to present a valid certificate to the server, so that an interposed proxy without the client's key cannot complete the handshake with the server as your app.
- Implement Code Obfuscation: Make it harder for attackers to reverse engineer your application’s code.
- Obfuscation renames classes, methods, and variables to meaningless names.
- Tools like ProGuard (Android) or similar tools on other platforms can help with this.
- Example using ProGuard in Android (note that a -keep rule exempts the matched classes and members from renaming, for instance because they are accessed by reflection, so keep such rules as narrow as possible):
#proguard-rules.pro
-keep class com.example.myapp.** { public *; }
- Root/Jailbreak Detection: Detect if the app is running on a rooted (Android) or jailbroken (iOS) device.
- On such devices a user or malware can install a proxy root CA, hook the app at runtime, or patch it, so the protections above are easier to bypass.
- Consider limiting functionality or displaying a warning message if detected.
- Tamper Detection: Implement checks within your application to detect if the code has been modified.
- This can involve checksums, hashing algorithms, or other integrity checks.
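One way to implement the integrity check just described on Android, as an added example that is not part of the original answer: compare the SHA-256 of the APK's signing certificate with the value expected for the release key. It assumes Android API level 28 or higher (for PackageInfo.signingInfo); EXPECTED_SIGNER_SHA256 is a placeholder to be replaced with the hash of your own release certificate, and the class name SignatureCheck is hypothetical.

```java
// Added example: verify that the running APK was signed with the expected release key.
// EXPECTED_SIGNER_SHA256 is a PLACEHOLDER; the class name is hypothetical.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class SignatureCheck {
    // Lower-case hex SHA-256 of the DER-encoded release signing certificate (placeholder).
    private static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SignatureCheck() {}

    /**
     * Returns true only if one of the APK's signing certificates hashes to the expected value.
     * A repackaged build (for example one with pinning or root checks removed) is necessarily
     * signed with a different key and therefore fails this check.
     */
    public static boolean isSignedByExpectedKey(Context context) {
        try {
            PackageManager pm = context.getPackageManager();
            // GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo require API level 28+.
            PackageInfo info = pm.getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            for (Signature signer : signers) {
                String actual = sha256Hex(signer.toByteArray());
                if (EXPECTED_SIGNER_SHA256.equalsIgnoreCase(actual)) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Treat any failure to read the signature as a failed check (fail closed).
            return false;
        }
    }

    // Hex-encoded SHA-256 digest of the given bytes.
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format(Locale.ROOT, "%02x", b));
        }
        return sb.toString();
    }
}
```

Call isSignedByExpectedKey(context) early during startup and treat false as a repackaged build. Because a repackaged app can also have this check removed, the hash comparison is only a local speed bump; for a stronger guarantee, have your server verify the app through a platform attestation service (for example the Play Integrity API on Android) rather than trusting a verdict computed on the client.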
- Secure Data Storage: Protect sensitive data stored on the device (e.g., API keys, user credentials).
- Use encryption and secure storage mechanisms provided by your platform.
- Regular Security Audits: Conduct regular security audits of your application’s code and infrastructure.
- Identify potential vulnerabilities before attackers do.
Fiddler 2 Specific Considerations
While Fiddler can be used maliciously, it’s also a valuable debugging tool. Users may legitimately use it to inspect traffic.
- HTTPS Decryption: Fiddler requires configuration to decrypt HTTPS traffic. This usually involves installing its certificate as a trusted root CA on the system.
- Educate users about the risks of trusting unknown certificates.
- Monitor for unauthorized certificate installations.
- Fiddler Everywhere: Fiddler offers a paid version (Fiddler Everywhere) with more advanced features and cross-platform support.