WingNews logo WingNews GitHub [2]
top | item 16694670

Charles Proxy now available on iOS

252 points| eddyg | 8 years ago |charlesproxy.com | reply

108 comments

order
[+] miles|8 years ago|reply
This is awesome! The first thing I discovered was how much network noise crashlytics.com was causing. Used AdBlock's[0] DNS proxy feature to black-hole the offending domain (they even mention blocking crashlytics.com in their FAQ[1]).

Note that both AdBlock and Charlex rely on iOS's VPN feature, and only one can be enabled at a time.

[0] https://itunes.apple.com/us/app/adblock/id691121579?mt=8http...

[1] https://www.adblockios.com/privacy/

[+] rem1313|8 years ago|reply
Could be that Charles itself uses the crashlytics? How to tell which app is it?
[+] yodon|8 years ago|reply
Genuine question here: How is it not absolutely terrifying that an iOS App Store app can man in the middle HTTPS communications made by other apps? Is there some way in which this isn’t poking a hole in exactly the sort of security sandbox that iOS tends to be good at? (And yes there probably is some part of what’s going on that I don’t understand, that’s why I’m asking the question)
[+] jawngee|8 years ago|reply
Except on iOS you get:

- Prompt to allow app to act like VPN

- Having to enter your passcode after said prompt

It's impossible for apps to MITM silently.

[+] simcop2387|8 years ago|reply
Can't say much about the security, but I suspect it's working by pretending to be a VPN provider and then proxying the traffic. It's then able to install a CA root to generate any certs it needs to MITM traffic. Cert pinning will prevent this from working, but that's the only thing that will.
[+] zeveb|8 years ago|reply
It's your phone. Of course software you installed should be allowed to do anything you want.

The fact that Android has recently made it impossible to MITM apps is really making me consider switching. I don't think I will, because in many other ways Android is still more open, but the analysis is no longer as lopsidedly in Android's favour.

[+] evan_|8 years ago|reply
I use the desktop product daily so I picked this up. I frequently proxy my phone through my desktop but I figured this would be fun to play with if nothing else.

I turned it on for literally one second and the first thing it captured was traffic from an app I used briefly several years ago and not since. Cool!

[+] manmal|8 years ago|reply
That sounds like a great tool for enhancing battery life, if you delete all the „overzealous“ apps.

Charles could show a list of recommended apps to delete.

[+] robterrell|8 years ago|reply
Literally the same thing happened to me. I am deleting apps aggressively now.
[+] olliepop|8 years ago|reply
Charles can already be used as an http/https proxy on iPhone via https://www.charlesproxy.com/documentation/faqs/using-charle...

I generally would only be needing to inspect requests when developing at my workstation, so how is this native app providing additional value beyond what the Charles Mac software already provides?

Big fan of Charles over here, I just don't understand the use case for the native app.

[+] trevor-e|8 years ago|reply
Straight from the announcement:

"Running Charles on your iOS device means you no longer need to fiddle with WiFi network proxy settings. It also means that you can capture and measure network traffic that goes over the Mobile / Cellular data network.

Measuring networking performance over Mobile data is especially important for your mobile apps (as that is how a lot of users experience your app), and it can reveal large or slow requests, as well as opportunities to increase perceived performance by parallelising network calls."

AFAIK before this you could only inspect traffic over WiFi connections since you had to set the proxy address via WiFi network settings.

[+] dc3k|8 years ago|reply
>I just don't understand the use case for the native app.

I can't use Charles to inspect traffic from my device at work because of network restrictions. Now I can.

[+] eridius|8 years ago|reply
You can't use the Mac app to inspect any requests that go over the cellular connection.

Using the Mac app also requires being able to connect to your Mac from your iPhone (in order to use it as a proxy), which is not doable on many setups. For example, at work we use a different wifi network for mobile devices than we do for laptops.

[+] dsl|8 years ago|reply
I've had to do audits of apps that required you to be connected to a specific Wifi AP (usually with a dev server instance attached) to function.
[+] nick873s|8 years ago|reply
If you are a developer, consider the free alternative https://www.github.com/kasketis/netfox ;)
[+] derwildemomo|8 years ago|reply
Came here to say the same thing: If you're interested in seeing the traffic caused by your own app (and also making that info accessible to other stakeholders during dev time), netfox is the way to go. Super easy to integrate and provides usually enough info. Also no tinkering with the system settings or third party apps required.
[+] cstuder|8 years ago|reply
How widespread is certificate pinning nowadays in iOS apps? Does anybody have any experiences?
[+] illuminati1911|8 years ago|reply
I'm working at a European bank in their iOS team. We use cert pinning for all of our apps, but I have never heard or seen teams using it outside of this project.

I guess it's mostly used if the application is doing something critical like money transactions etc.

[+] nstj|8 years ago|reply
Sucks that more and more 3rd party apps are adding pinning to their code so you can't sniff their traffic. This is a great tool for first party debugging though :) Nice work Charles!
[+] saagarjha|8 years ago|reply
Of course, pinning is trivially defeated if you have debug-level access to the app because you could just intercept any network call.
[+] reagan83|8 years ago|reply
Can you describe what this means?
[+] tomduncalf|8 years ago|reply
Awesome news. Charles has been such a helpful debugging tool over the years. Less so for web stuff in these days of browser dev tools being so advanced, but the ability to inspect traffic system wide is still really useful outside webdev, and sometimes it can be useful to verify something dev tools tell you.

All developers should get this for iOS, it’s bound to be useful and if not it will at least be interesting to see what you’d phone is getting up to online!

[+] cstrat|8 years ago|reply
I'm trying to get it to work but whenever I have the VPN enabled all network traffic fails (HTTP and HTTPS).

Anyone else have this issue? The website isn't giving me much insight :(

edit: I'm on the latest iOS beta. Could that be why? funny that I'm troubleshooting an app which is largely meant for troubleshooting apps...

[+] theothertom|8 years ago|reply
I found that it didn't work on WiFi networks that block client-to-client connections, if that gives you any pointers.
[+] Operyl|8 years ago|reply
Wish I could get a more consistent way of intercepting websocket traffic from iOS (specifically, wss traffic).
[+] evilduck|8 years ago|reply
Charles for the desktop can intercept secure websocket traffic.
[+] cbrevik|8 years ago|reply
I like this a lot, but most of the time I use Charles for more than recording traffic. For example, checking how my apps behaves if I throttle certain endpoints, or rewrite responses. Hoping those features makes it into a future version!
[+] rimliu|8 years ago|reply
Maybe it is worth mentioning that iOS has the ability to throttle the network itself—it's under "Settings"->"Developer"->"Network Link Conditioner". There is also a pref pane in Addition tools download for Xcode which allows to do the same on the Mac.
[+] joshenders|8 years ago|reply
mitmproxy has worked on iOS and Android for years now and is OSS and easy to use
[+] ReverseCold|8 years ago|reply
This runs on the device itself.
[+] chrisweekly|8 years ago|reply
... besides which, mitmproxy (and its partner mitmdump) are scriptable and extensible in ways Charles simply isn't.
[+] stef25|8 years ago|reply
Awesome tool, picked this up immediately. Amazing what things you can discover with it.
[+] verelo|8 years ago|reply
This is much easier than the proxy option we used to need to go through!
[+] husted|8 years ago|reply
It's neat that it works on the device itself, that will come in handy when during field testing.

However I'll continue to use wireshark for debugging my network code when at the office.

[+] feelin_googley|8 years ago|reply
Imagine if the user could compile their own kernels for iOS^W^W [edit] that can control an iPhone. She enables IP forwarding in the kernel configuration. Maybe she can also disable some crucial bits for interacting with the baseband. She only wants wifi to work.

Then she uses this phone with the custom kernel (phone #1) as a gateway for another phone (phone #2). She can easily block ads and other undesired traffic destined for phone #2, using a variety of methods of her choosing (firewalls, dns, proxies, etc.).

She does not use phone #1 for anything other than being a gateway for phone #2. There does not have to be any data of any value to an advertiser generated, sent from, or stored on phone #1 (e.g, logs). It is just a gateway.

Cant do this, but imagine if she could.

[+] Mononokay|8 years ago|reply
At that point of paranoia, wouldn't it be better to just compile the XNU kernel for a different brand of phone?
[+] saagarjha|8 years ago|reply
You're free to compile XNU yourself; it's just the part where you load it onto your iPhone that doesn't work.
[+] matthewmacleod|8 years ago|reply
Sending all traffic over a VPN to a server of your choosing essentially accomplishes the same thing. It's true that there could be some kind of code in there that overrides this choice, but the implications would be pretty severe.
[+] ktta|8 years ago|reply
Looks like she wants Android, specifically, something like LineageOS, or even CopperheadOS for better security.