Blog | G5 Cyber Security

Charles Proxy Mobile Traffic Interception

TL;DR

Yes, Charles Proxy can intercept and read all traffic between a mobile app and its server if the root certificate is correctly installed on the device. However, modern apps often employ techniques like certificate pinning or mutual TLS, which can prevent interception even with a trusted root certificate. This guide explains how to set up Charles, install the certificate, and troubleshoot common issues.
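Why pinning still blocks interception once the root is trusted, as an added example that is not part of the original guide: the client accepts a connection only if the chain validates and the leaf's SHA-256 fingerprint matches a value shipped with the app. The names `cert_fingerprint` and `decide`, the `chain_trusted` flag and the PEM stand-ins are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 of the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def decide(presented_pem: str, chain_trusted: bool, pins=None):
    """Return (allowed, reason) for one TLS handshake.

    chain_trusted stands in for the platform's normal chain validation
    (assumption: True once the proxy root is installed and trusted).
    pins is a set of allowed leaf fingerprints, or None for an app without pinning.
    """
    if not chain_trusted:
        return False, "chain does not end at a trusted root"
    if pins is None:
        return True, "no pinning: any trusted chain is accepted"
    observed = cert_fingerprint(presented_pem)
    if any(hmac.compare_digest(observed, pin) for pin in pins):
        return True, "leaf matches a pinned fingerprint"
    return False, "trusted chain, but leaf is not pinned"


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real X.509 certificates.
# For a real server, ssl.get_server_certificate((host, 443)) returns the leaf as PEM.
ORIGIN_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf from the server's own CA")
PROXY_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf re-issued by the proxy root")
PINS = {cert_fingerprint(ORIGIN_LEAF)}  # what the app ships with

if __name__ == "__main__":
    cases = [
        ("direct, pinned app", ORIGIN_LEAF, PINS),
        ("via proxy, app without pinning", PROXY_LEAF, None),
        ("via proxy, pinned app", PROXY_LEAF, PINS),
    ]
    for label, leaf, pins in cases:
        print(label, "->", decide(leaf, True, pins))
```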

Setting Up Charles Proxy

  1. Download and Install: Download Charles Proxy from the official website and install it on your computer (Windows, macOS, or Linux).
  2. Proxy Settings: Ensure Charles is running. By default, it listens on port 8888. Note this port number; you’ll need it later.
  3. SSL Proxying: Go to Proxy > SSL Proxying Settings… and enable “Enable SSL proxying”. You can choose to add specific hosts or domains to the inclusion list if you don’t want to intercept all traffic. For initial testing, adding `*` will intercept everything, but this is less secure because all TLS traffic passing through Charles is decrypted, not only the traffic of the app under test.

Installing the Root Certificate on Android

  1. Find Your IP Address: Determine your computer’s IP address. On Windows, open Command Prompt and type `ipconfig`; on macOS/Linux, use `ifconfig` or `ip addr`.
  2. Access Charles SSL Certificate: In Charles Proxy, go to Help > SSL Proxying… Click “Install Charles Root Certificate on a Mobile Device or Remote Browser”. This will display instructions and your IP address.
  3. Connect Android to Wi-Fi: On your Android device, connect to the same Wi-Fi network as your computer.
  4. Download & Install Certificate: Open a web browser on your Android device and navigate to `http://your_computer_ip_address:8888`. Download the `charlesproxy.pem` certificate file.
  5. Install Certificate (Android): Go to Settings > Security > Encryption & credentials > Install a certificate > CA certificate. You may need to navigate slightly different menus depending on your Android version. Select the downloaded `charlesproxy.pem` file and follow the prompts. You’ll likely be asked to set a screen lock PIN/password if you haven’t already.
  6. Trust Certificate: After installation, ensure the certificate is trusted. Go back to Settings > Security > Encryption & credentials > Trusted credentials > User certificates and verify that Charles Proxy Root CA is listed and enabled.

Installing the Root Certificate on iOS

  1. Find Your IP Address: As with Android, determine your computer’s IP address.
  2. Access Charles SSL Certificate: In Charles Proxy, go to Help > SSL Proxying… Click “Install Charles Root Certificate on a Mobile Device or Remote Browser”. This will display instructions and your IP address.
  3. Connect iOS to Wi-Fi: On your iPhone/iPad, connect to the same Wi-Fi network as your computer.
  4. Download & Install Certificate: Open Safari on your iOS device and navigate to `http://your_computer_ip_address:8888`. Download the Charles Root Certificate profile.
  5. Install Profile (iOS): Go to Settings > General > VPN & Device Management. You should see a downloaded profile named “Charles Proxy SSL Certificate”. Tap it and follow the prompts to install. You’ll be asked to confirm trust of the certificate.
  6. Trust Certificate: After installation, go to Settings > General > About > Certificate Trust Settings and enable Charles Proxy Root CA under “Full Certificates Trust”.

Troubleshooting
