Do you fancy investigating the traffic going in and out of your Windows Phone 7 device? Aside from the more involved methods of running a packet sniffer on your phone or capturing the data over a wireless connection and decrypting it, a member of the Microsoft Developer Network (MSDN) has published some extremely straightforward steps for setting up a man-in-the-middle proxy to capture and store all HTTP and HTTPS traffic. How it works is very simple: Fiddler, a web debugging proxy, runs on a Windows PC and acts as an intermediary gateway to the outside world. Once you configure your device to pass its traffic through it, Fiddler will capture, display and allow you to modify the passing traffic.
What legitimate use case could this have? Well, it’s useful for developers who are writing apps, but it’s especially useful for enterprising hackers, do-it-yourselfers and anybody else who is concerned about the information that apps are uploading. Microsoft does have very stringent rules for allowing applications into the Marketplace, but as we’ve seen before with the Apple App Store and the Android Market, sometimes things either slip through the cracks or are obfuscated well enough to fool the QA team, which allows malicious code to go live. With Fiddler, you can see full HTTP streams, and if you choose to install its SSL certificate on the device, all HTTPS encrypted traffic can be re-signed using that certificate and then decrypted at will.
While most developers will be using the emulator for the majority of their development work, those moving to real deployment, and users who want to get started monitoring their device traffic, should visit the post on the MSDN Blog by Eric Lawrence and follow the provided instructions.