I'm testing an Andoird & IOS app which includes a feature that allows to watch videos.
The problem is - when I use Charles, with a proxy server and a hotspot with my laptop, the videos won't play.
Of course that the videos are playing when I'm not using Charles.
My suggestion is that Charles has some kind of a port limitation, and that's why I can't get the content of the video.
Does anyone have an idea how to solve this problem?
Thanks!
Since it is SSL traffic, you should not be allowed to sniff the traffic. The is the POINT of SSL.
To get around this, you need to break SSL on your phone. To do this you have to tell your phone to implicitly trust EVERYTHING that your PC is sending you. To do this you have to install your Charles SSL certificate as a root CA certificate.
THIS IS HIGHLY DANGEROUS AND ONCE YOU HAVE DONE THIS YOU SHOULD NOT TRUST YOUR BROWSER TO PROTECT YOU FROM HACKERS STEALING YOUR ONLINE BANKING DETAILS UNTIL YOU REMOVE YOUR THE CERTIFICATE.
Here is a tutorial on how to do this on an android phone :)
http://www.lornajane.net/posts/2014/install-charlesproxy-ca-certificate-on-android
Related
I'm trying to use Charles with my phone but it just doesn't work. I tried with 2 differents phone, an iOS and an android and none of them are working..
Here is the step I followed for iOS : (I found them here)
1 - Help > SSL Proxying > Install Charles Root Certificate on a mobile device
2 - On the iPhone, Settings > Wi-Fi > my network > Configure Proxy > Manual And I wrote the IP address and Port that I just got with Charles
3 - I accept the message on Charles that said "a new device is attempting to connect"
4 - Then, on the iPhone, Settings > General > Profiles, I install the Charles Proxy CA
5 - Then, still on the iPhone, Settings > General > About > Certificates, I enable the root certificate
6 - It's supposed to be ready, so I make a test on google and all the contents are still encrypted..
If anyone know how to solve it, I'm listening :)
There are various reasons why you could not intercept the HTTPS Content:
Your app is using SSL-Pinning, which prevents MiTM apps like Charles Proxy or Proxyman intercepts the HTTPS Traffic. => If it's, there is no way to achive it, unless you have the pinned certificate
It seems that you tried to see the HTTPS content from google.com, but it doesn't work => Look like one of the steps is missing. Please double-check again.
If you're testing on Android devices, please make sure you add some config to network_security_config.xml file. Read more at https://docs.proxyman.io/debug-devices/android-device#android-setup-guide
Solution:
Follow the troubleshooting page to find out where the problem is:
You might try Proxyman - which has a built-in comprehensive guide to help you intercept HTTPS traffic from iOS or Android Device
If it's too complicated, you can try the automatic script for Android Emulators (Auto set HTTP Proxy, Install and Trust the certificate)
Disclaimer: I write Proxyman, and hope it helps you.
I am trying to debug one third party mobile application, specifically network calls, When I am using fiddler and charles proxy on the first network call itself. the app shows error that client certificate on the device is not trusted and ask me to switch to mobile network instead of wifi. also when I accept the risk using the same network. The app shows that there is no internet connection.
I think the app is able to detect that the ceritificate is not the orignal client cert. and thus throwing the warning. Can I download the website or app HTTPS certificate and put it in PC as well as iPhone just like I did for fiddler root certificate.
Same issue is happening with charles proxy also.
I see that you are using an iPhone, have you looked at About/Certificate Trust Settings and enabled the full trust switch after installing the (Charles) certificate?
In my work computer, Firefox always gives me the "sec_error_unknown_issuer" error. This happens only on all HTTPS sites.
I have browsed Mozilla's support forums and understood that this is most probably caused by a software that performs an HTTPS scanning. The software presents its "fake" certificates to Firefox and hence, Firefox says that it does not know the issuer of these certificates.
However, I don't know which software is performing the HTTPS scanning and presenting its "fake" certificates to Firefox.
Is there a way to determine which software is performing the HTTPS scanning so that I will be able to add its certificates to Firefox and hence, be able to use the Firefox properly?
In my work computer,...which software is performing the HTTPS scanning
This is probably legal SSL interception done by a firewall in your company. If you want to know the exact software used for scanning ask your local network administrator.
... so that I will be able to add its certificates to Firefox and hence, be able to use the Firefox properly?
If you look at what certificates your server sends you have a look at the certificate details in the browser, especially at the chain certificates. But to make sure that what you get is really the companies certificate used for SSL interception and not some malicious man-in-the-middle attack you should verify your finding with your network administrator. And I'm pretty sure that if they do legal SSL interception they also help you do add the certificate to your browser - at least as long you are allowed to install alternative browsers to your computer and/or your own computer to connect to the companies network.
I've been playing with the twitter API for an iPhone test application, and I've missed the ability to proxy the requests I did to the twitter API with a software like Charles (http://www.charlesproxy.com/). Even though it has a SSL Proxying feature, twitter seems to not like the fact that there's a different certificate in the middle signing the requests.
Is there any way to do this? I'd be very useful to be able to see the requests and the way Charles formats the JSON responses, etc...
Twitter can't know that there is a man in the middle. I've not used Charles, but I've used Fiddler2. Try that one.
http://www.charlesproxy.com/documentation/proxying/ssl-proxying/
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Decrypting HTTPS works by the proxy making its own certificate, and giving it to the browser. The browser will notice it connects with a bad certificate and give a warning, but the server (Twitter) will just see the proxy as another browser. The proxy-server connection uses Twitter's certificate, so it's still secure.
Perhaps this is your problem:
Q: Can Fiddler intercept traffic from Apple iOS devices like
iPad/iPhone/iPod Touch and Android devices? A: Yes, but these devices
may not be compatible with the default certificates Fiddler generates.
To resolve the incompatibility, you may replace Fiddler's default
certificate generator with one that generates certificates containing
flags (e.g. AKID, SKID) that are compatible with these platforms.
Simply download and install the new Certificate Maker and restart
Fiddler.
I'm running mitmdump (from mitmproxy) on my Macbook Pro, and I'm connecting to the proxy through my Windows desktop PC.
However, Chrome (running on the PC) refuses to connect to so many sites because of the invalid certificates which mitmproxy provides.
Chrome throws the error: ERR::NET_CERT_AUTHORITY_INVALID
Here's what mitmdump shows:
But why? What's wrong with mitmproxy's certificates, why can't it just send back google's as if nothing happened?
I'd like to know how I can fix this and make (force) my desktop PC to connect to any website through my Macbook's mitmproxy.
Answering this question for people who may find this important now. To get the proxy working, you have to add the certificate as trusted in your browser.
For windows follow this: https://www.nullalo.com/en/chrome-how-to-install-self-signed-ssl-certificates/2/
For linux follow this: https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3
For Mac-os follow this: https://www.andrewconnell.com/blog/updated-creating-and-trusting-self-signed-certs-on-macos-and-chrome/#add-certificate-to-trusted-root-authority
There are some additional details in the above links; tldr; import the certificate in your chrome://settings url and add the certificate as trusted. That shall do.
This will make your browser trust your self-signed certificate(mitm auto generated certificates too.)
The default certificates of mitmproxy is at ~/.mitmproxy/ directory.
Per the Getting Started page of the docs you add the CA by going to http://mitm.it while mitmproxy is running and selecting the operating system that you are using. This should solve your problem and will allow https sites to work with mitmproxy.
This is the expected behavior.
mitmproxy performes a Man-In-The-Middle attack to https connections by providing on-the-fly generated fake certificates to the client while it keeps communicating to the server over fully encrypted connection using the real certificates.
This way the communication between client and proxy can be decrypted. But the client has to actively approve using those fake certificates.
If that wasn't the case then SSL would be broken - which it isn't.
The whole story is very well explained here:
http://docs.mitmproxy.org/en/stable/howmitmproxy.html