

How do I bypass certificate pinning for Apple services in Fiddler


To bypass certificate pinning for Apple services while using Fiddler, follow these steps:

Bypass Fiddler for Specific Endpoints

1. Open Fiddler Everywhere: Launch Fiddler on your machine.

2. Access Settings: Go to `Settings > Connections`.

3. Bypass List: In the `Bypass Fiddler for URLs that start with:` field, add the following endpoints to prevent Fiddler from intercepting their traffic:

   `*.apple.com, *.itunes.com, *.mzstatic.com`

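With this configuration, traffic to Apple services bypasses Fiddler and uses the default connection directly. The pinned clients never see a Fiddler-generated certificate, which avoids the SSL errors caused by certificate pinning. Traffic to the bypassed hosts does not pass through Fiddler, so it is not captured.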

4. Save Changes: Click `Save` to apply the changes.
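Why the bypass list removes the SSL errors, as an added Python model that is not part of the original article or of Fiddler: a pinned client hashes the public key it is presented and rejects anything other than the key it was built with, so it fails behind a decrypting proxy unless the host is exempted. The SPKI byte strings and host names are constructed samples, the function names are illustrative, and shell-style wildcard matching is an assumption rather than Fiddler's documented matching.

```python
import base64
import hashlib
from fnmatch import fnmatch

# Bypass list entries from step 3 above.
BYPASS = ["*.apple.com", "*.itunes.com", "*.mzstatic.com"]

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SERVER_SPKI = b"constructed-spki-of-the-real-server-key"
PROXY_SPKI = b"constructed-spki-of-the-proxy-generated-key"


def spki_pin(spki: bytes) -> str:
    """Base64 of SHA-256 over the SPKI bytes, a common pin format."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


# The pin set the client ships with, computed from the real server key.
PINNED = {spki_pin(SERVER_SPKI)}


def is_bypassed(host: str, patterns=BYPASS) -> bool:
    """Assumed matching: case-insensitive shell-style wildcard on the host name."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, p.lower()) for p in patterns)


def presented_spki(host: str, decrypting_proxy: bool) -> bytes:
    """Key the client sees: the proxy's own key only when traffic is intercepted."""
    if decrypting_proxy and not is_bypassed(host):
        return PROXY_SPKI
    return SERVER_SPKI


def handshake(host: str, decrypting_proxy: bool) -> str:
    """Outcome of the client's pin check for one connection."""
    pin = spki_pin(presented_spki(host, decrypting_proxy))
    return "ok" if pin in PINNED else "pin mismatch"


if __name__ == "__main__":
    # Constructed host names: one covered by the bypass list, one not.
    for h in ("store.itunes.com", "pinned.example.test"):
        print(h, handshake(h, decrypting_proxy=True))
```
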

Skipping Decryption for Specific Sessions

If you want to capture traffic but skip decryption for certain endpoints:

1. Use Rules: In Fiddler, go to the `Rules` tab and select the action called `Do Not Decrypt`. Fiddler then lets the matching traffic flow through without attempting to decrypt it, which is useful for certificate-pinned applications.

2. Add to Bypass List on the Fly: While capturing traffic, you can right-click on a session that you want to bypass and select `Bypass > Add <*.domain.xxx> to Bypass List`.

Additional Considerations

- Jailbreaking: For more advanced users, jailbreaking the iOS device can allow for the removal of certificate pinning checks, but this approach carries security risks and is not recommended for general use.

- Using the Real Certificate: If you have access to the server's actual private keys, you can configure Fiddler to use the real server certificate, which would avoid certificate pinning issues altogether.

By following these steps, you can effectively bypass certificate pinning for Apple services while using Fiddler, allowing for the capture of relevant traffic without SSL errors [1][4][5].

Citations:
[1] https://docs.telerik.com/fiddler-everywhere/knowledge-base/how-to-bypass-the-proxy
[2] https://security.stackexchange.com/questions/100272/does-certificate-pinning-protect-against-fiddler
[3] https://www.telerik.com/forums/fiddler-certificate-error-bypass-question
[4] https://fiddler.wikidot.com/certpinning
[5] https://docs.telerik.com/fiddler/configure-fiddler/tasks/configureforios