
Charles Proxy now available on iOS - eddyg
https://www.charlesproxy.com/documentation/ios/
======
miles
This is awesome! The first thing I discovered was how much network noise
crashlytics.com was causing. Used AdBlock's[0] DNS proxy feature to black-hole
the offending domain (they even mention blocking crashlytics.com in their
FAQ[1]).

Note that both AdBlock and Charlex rely on iOS's VPN feature, and only one can
be enabled at a time.

[0]
[https://itunes.apple.com/us/app/adblock/id691121579?mt=8http...](https://itunes.apple.com/us/app/adblock/id691121579?mt=8https://itunes.apple.com/us/app/adblock/id691121579?mt=8)

[1] [https://www.adblockios.com/privacy/](https://www.adblockios.com/privacy/)

~~~
tzahola
Hm, I thought Apple cracked down [0] on VPN-based adblockers. Or is AdBlock
running a _real_ VPN? I.e. your traffic goes through their servers.

[0]
[https://www.google.hu/amp/s/www.macrumors.com/2017/07/14/app...](https://www.google.hu/amp/s/www.macrumors.com/2017/07/14/apple-
ad-blocking-app-crackdown/amp/)

~~~
hrrsn
Looks like this app is the one mentioned in that article. They appear to do
both Safari content blocking and use the VPN profiles to block DNS requests
(as in no traffic hits their servers).

------
yodon
Genuine question here: How is it not absolutely terrifying that an iOS App
Store app can man in the middle HTTPS communications made by other apps? Is
there some way in which this isn’t poking a hole in exactly the sort of
security sandbox that iOS tends to be good at? (And yes there probably is some
part of what’s going on that I don’t understand, that’s why I’m asking the
question)

~~~
simcop2387
Can't say much about the security, but I suspect it's working by pretending to
be a VPN provider and then proxying the traffic. It's then able to install a
CA root to generate any certs it needs to MITM traffic. Cert pinning will
prevent this from working, but that's the only thing that will.

~~~
yodon
Supposed sandboxing against malicious apps is precisely why I run iOS rather
than Android. I get that Charles isn’t malicious, but what’s keeping any
random free game app from doing the same thing? (Again, intended as a real
question not a rhetorical one)

~~~
tzahola
1\. You have to turn on VPN in the system settings.

2\. You have to trust the Charlesproxy root certificate; again, in the system
settings.

~~~
eddieroger
1a. This requires your passcode, and any time a system is asking for your
permission to do something is worth questioning. Even my least technosavvy
friends and family have learned that if something is asking for your password
and you don't know why, abort.

------
evan_
I use the desktop product daily so I picked this up. I frequently proxy my
phone through my desktop but I figured this would be fun to play with if
nothing else.

I turned it on for literally one second and the first thing it captured was
traffic from an app I used briefly several years ago and not since. Cool!

~~~
manmal
That sounds like a great tool for enhancing battery life, if you delete all
the „overzealous“ apps.

Charles could show a list of recommended apps to delete.

~~~
evilduck
This sounds pretty far outside the realm of what Charles does (it's a web dev
tool, not a system scrubber).

But something like "Little Snitch for iOS" would fit the bill.

------
olliepop
Charles can already be used as an http/https proxy on iPhone via
[https://www.charlesproxy.com/documentation/faqs/using-
charle...](https://www.charlesproxy.com/documentation/faqs/using-charles-from-
an-iphone/)

I generally would only be needing to inspect requests when developing at my
workstation, so how is this native app providing additional value beyond what
the Charles Mac software already provides?

Big fan of Charles over here, I just don't understand the use case for the
native app.

~~~
trevor-e
Straight from the announcement:

"Running Charles on your iOS device means you no longer need to fiddle with
WiFi network proxy settings. It also means that you can capture and measure
network traffic that goes over the Mobile / Cellular data network.

Measuring networking performance over Mobile data is especially important for
your mobile apps (as that is how a lot of users experience your app), and it
can reveal large or slow requests, as well as opportunities to increase
perceived performance by parallelising network calls."

AFAIK before this you could only inspect traffic over WiFi connections since
you had to set the proxy address via WiFi network settings.

------
nick873s
If you are a developer, consider the free alternative
[https://www.github.com/kasketis/netfox](https://www.github.com/kasketis/netfox)
;)

~~~
derwildemomo
Came here to say the same thing: If you're interested in seeing the traffic
caused by your own app (and also making that info accessible to other
stakeholders during dev time), netfox is the way to go. Super easy to
integrate and provides usually enough info. Also no tinkering with the system
settings or third party apps required.

------
cstuder
How widespread is certificate pinning nowadays in iOS apps? Does anybody have
any experiences?

~~~
illuminati1911
I'm working at a European bank in their iOS team. We use cert pinning for all
of our apps, but I have never heard or seen teams using it outside of this
project.

I guess it's mostly used if the application is doing something critical like
money transactions etc.

~~~
iampims
Cert pinning seems to be gaining momentum in the US several high profile apps
are using it now.

------
nstj
Sucks that more and more 3rd party apps are adding pinning to their code so
you can't sniff their traffic. This is a great tool for first party debugging
though :) Nice work Charles!

~~~
saagarjha
Of course, pinning is trivially defeated if you have debug-level access to the
app because you could just intercept any network call.

~~~
nstj
Could you go about describing how this would work for a 3rd party app like
Uber for example?

~~~
saagarjha
I've never done this personally, but I'm pretty sure there is no way to
protect against hooking and/or patching functions in Secure Transport (iOS's
low-level TLS stack), since all network traffic goes through these APIs. I'm
sure there's something similar in Android.

~~~
ce4
You're not forced to use system facilities for TLS on Android. Back when you
needed up to date TLS support for your app on older Android versions you would
use e.g. BouncyCastle instead of the system's TLS facilities. Probably the
same for iOS.

~~~
saagarjha
So just figure out which library they’re using and patch that.

~~~
ce4
That's right, there are many ways. I just wanted to point out that you could
roll your own tls.

------
tomduncalf
Awesome news. Charles has been such a helpful debugging tool over the years.
Less so for web stuff in these days of browser dev tools being so advanced,
but the ability to inspect traffic system wide is still really useful outside
webdev, and sometimes it can be useful to verify something dev tools tell you.

All developers should get this for iOS, it’s bound to be useful and if not it
will at least be interesting to see what you’d phone is getting up to online!

------
cstrat
I'm trying to get it to work but whenever I have the VPN enabled all network
traffic fails (HTTP and HTTPS).

Anyone else have this issue? The website isn't giving me much insight :(

edit: I'm on the latest iOS beta. Could that be why? funny that I'm
troubleshooting an app which is largely meant for troubleshooting apps...

~~~
theothertom
I found that it didn't work on WiFi networks that block client-to-client
connections, if that gives you any pointers.

~~~
cstrat
Damn I didn't even try disabling wifi.

Yeah it works once I disable it, kind of an important pointer the app could
alert users to...

I was originally thinking that maybe the MITM VPN IP clashes with my LAN
subnet.

------
Operyl
Wish I could get a more consistent way of intercepting websocket traffic from
iOS (specifically, wss traffic).

~~~
evilduck
Charles for the desktop can intercept secure websocket traffic.

~~~
Operyl
Yes, but the problem with Charles (well, iOS related at least) is that iOS
websockets don't go through the HTTP Proxy configured. They're just considered
a raw socket. Thus, even on desktop Charles, it's a nogo.

~~~
evilduck
I don't know about intercepting iOS apps, but I definitely do this exact thing
for web app development targeting iPads using Charles for the desktop.

Be sure that your default proxy port doesn't conflict with the default WSS
port.

Edit: for reference I'm on Charles 4.2.1

~~~
Operyl
It works in Safari and Webviews, but definitely not in any native apps. That's
what I'm referring to.

------
cbrevik
I like this a lot, but most of the time I use Charles for more than recording
traffic. For example, checking how my apps behaves if I throttle certain
endpoints, or rewrite responses. Hoping those features makes it into a future
version!

~~~
rimliu
Maybe it is worth mentioning that iOS has the ability to throttle the network
itself—it's under "Settings"->"Developer"->"Network Link Conditioner". There
is also a pref pane in Addition tools download for Xcode which allows to do
the same on the Mac.

------
joshenders
mitmproxy has worked on iOS and Android for years now and is OSS and easy to
use

~~~
ReverseCold
This runs on the device itself.

~~~
rimliu
And the desktop version allows to intercept the traffic of the machine it runs
on. Mitmproxy cannot do that afaik.

~~~
majewsky
What do you mean? This has been working since way before 1.0.

~~~
rimliu
Ok, I need to clarify, I had macOS in mind and this note in the mitmproxy
documentation:

    
    
      > Note that the rdr rules in the pf.conf given above
      > only apply to inbound traffic. This means that
      > they will NOT redirect traffic coming from the box
      > running pf itself. We can’t distinguish between an
      > outbound connection from a non-mitmproxy app, and
      > an outbound connection from mitmproxy itself - if
      > you want to intercept your OSX traffic, you should
      > use an external host to run mitmproxy. Nonetheless,
      > pf is flexible to cater for a range of creative
      > possibilities, like intercepting traffic emanating
      > from VMs. See the pf.conf man page for more.
    

That's for transparent mode only though, maybe that had me confused.

------
stef25
Awesome tool, picked this up immediately. Amazing what things you can discover
with it.

------
verelo
This is much easier than the proxy option we used to need to go through!

------
husted
It's neat that it works on the device itself, that will come in handy when
during field testing.

However I'll continue to use wireshark for debugging my network code when at
the office.

------
feelin_googley
Imagine if the user could compile their own kernels for iOS^W^W [edit] that
can control an iPhone. She enables IP forwarding in the kernel configuration.
Maybe she can also disable some crucial bits for interacting with the
baseband. She only wants wifi to work.

Then she uses this phone with the custom kernel (phone #1) as a gateway for
another phone (phone #2). She can easily block ads and other undesired traffic
destined for phone #2, using a variety of methods of her choosing (firewalls,
dns, proxies, etc.).

She does not use phone #1 for anything other than being a gateway for phone
#2. There does not have to be any data of any value to an advertiser
generated, sent from, or stored on phone #1 (e.g, logs). It is just a gateway.

Cant do this, but imagine if she could.

~~~
saagarjha
You're free to compile XNU yourself; it's just the part where you load it onto
your iPhone that doesn't work.

~~~
yjftsjthsd-h
...then how does it help that you can compile xnu?

~~~
saagarjha
Uh, you can put it on another phone maybe?

