Intercept SSL traffic on iPhone or iPad with Charles

Charles is an awesome tool which allows you to do many things like intercepting HTTP/SSL traffic between your device(s) and the internet. Intercepting SSL traffic can be useful when you want to debug your own apps or when you want to spy on the network activity of your installed apps. It’s possible to intercept, read and modify the SSL traffic because Charles acts as the man-in-the-middle between your client and the server:

As you can see, all traffic goes through Charles instead of the original end-to-end connection between the client and server. We can intercept, read and modify SSL traffic because Charles dynamically generates a certificate for the requested server, signs it with its own Charles CA certificate and presents that certificate to the client. Once the client trusts the Charles CA, both parties treat the connection as secure – when in reality Charles is decrypting and re-encrypting all the traffic in between.

In this post I’ll discuss how to intercept SSL traffic on your iPhone/iPad and simulator using Charles.

1. INSTALL CHARLES

You’ll need to download and install Charles on your computer. You can install Charles here.

After installation make sure to write down the HTTP proxy port number (default port 8888) under Charles > Proxy > Proxy Settings. You will need this port number in the next step.

If you only want to track your iOS device and not your macOS device you should go to Charles > Proxy > Uncheck macOS proxy.

2. WI-FI SETTINGS ON DEVICE

Make sure the device is on the same network as your computer. You’ll need to make a few changes in the Wi-Fi settings on your device so it connects through your Charles proxy.

  1. On your device go to Settings > Wi-Fi.
  2. Tap on the blue disclosure icon to configure the network.
  3. Set Configure Proxy to Manual under HTTP PROXY with the following settings:
    1. Server: Your local IP address. You can find your local IP address under System Preferences > Network > Wi-Fi.
    2. Port: This is where you’ll use the HTTP proxy port from Charles. Port 8888 is the default port.
    3. Authentication: Off.

To verify that everything works, open up any app that uses the internet and watch Charles intercept the traffic for you. You might notice that most of the traffic is encrypted and unreadable because of HTTPS. To fix this we need to install the Charles certificate in the next step.

Remember to disable the HTTP Proxy again on your phone when you stop using Charles.

3. INSTALLING CHARLES CERTIFICATE

Currently you’re able to intercept HTTP/HTTPS traffic but you can’t read the contents of the HTTPS traffic. To read/modify the HTTPS traffic you will need to download and install the Charles certificate on your device.

Before you move on, add the following wildcard in Charles: Proxy > SSL Proxying Settings > Add. This wildcard tells Charles to generate and sign certificates for every host you try to reach, instead of only the hosts listed explicitly. The settings for the SSL wildcard are:

  • Host: * (this is a wildcard)
  • Port: Leave empty.

You might want to install the Charles certificate on your computer to prevent “This connection is not private” errors in your web browser. To do this go to Charles > Help > SSL Proxying > Install Charles Root Certificate. Once the certificate is installed you’ll have to trust it. Go to your Keychain Access and search for your Charles certificate. Double click the certificate and set the trust setting to Always Trust. Make sure to remove this certificate once you’re done – at the end of this post I’ll explain how.

INSTALLING ON IOS

  • Open Safari on your iPhone/iPad and browse to https://chls.pro/ssl while Charles is running on your computer. Safari will prompt you to install the SSL certificate.
  • If you are on iOS 10.3 or later, open the Settings.app and navigate to General > About > Certificate Trust Settings and find the Charles Proxy certificate, and switch it on to enable full trust for it.
  • Now you should be able to access SSL websites with Charles using SSL Proxying.

INSTALLING ON SIMULATOR

  1. Quit your iOS Simulator.
  2. Go to Charles > Help > SSL Proxying > Install Charles Root Certificate in iOS Simulators.
  3. Start your iOS Simulator – Charles should work now.

You can also install the Charles iOS app here to intercept HTTP/HTTPS traffic on your device without your computer. This approach is useful when you want to intercept things on the fly without setting up your device and computer. My preference goes out to intercepting traffic on my computer since I also use my computer together with Xcode to debug my apps.

4. DEBUGGING

Now it’s possible to see all traffic between your device and the server. The traffic is unencrypted in Charles and it’s possible to change the requests and responses. This can be useful when you want to debug things like how an app reacts to a modified request or response. For example, you can change the response of a user API to return a completely different username than expected.

5. REMOVE CERTIFICATES

Don’t forget to delete the installed Charles certificates on all devices when you’re done debugging to prevent man-in-the-middle attacks: as long as the Charles root is trusted, anything signed by it is accepted by that device.

REMOVE FROM COMPUTER

  1. Go to Keychain Access.
  2. Find and delete the Charles certificate.

REMOVE FROM IOS

  1. Go to Settings > General > Profile.
  2. Under Configuration profiles delete all Charles entries.

REMOVE FROM SIMULATOR

  1. Start iOS simulator.
  2. Go to Hardware -> Erase All Contents and Settings in the menu bar to delete the certificates.

6. EXTRA: SSL PINNING

You can add SSL pinning to your apps as an extra security measure – this means that your app keeps a copy of the public key from the server’s trusted SSL certificate, which is then compared against the key presented whenever a connection is made. This means that man-in-the-middle proxies with custom certificates like Charles won’t work because the public key in the certificate generated by Charles wouldn’t match the public key saved in the app – thus the connection would be refused.
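A public-key pin of the kind described above, as an added Swift example that is not from the original post: a URLSessionDelegate that first runs normal chain validation and then refuses any server whose leaf public key differs from the copy embedded in the app. The pinnedKey bytes and the URL are placeholders; the real key has to be captured from your own server at build time, and rotating the server key means shipping an app update with the new pin.

```swift
import Foundation
import Security

/// URLSession delegate that accepts a server only when the leaf certificate's
/// public key equals the copy shipped inside the app (public-key pinning).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Raw public key bytes as returned by SecKeyCopyExternalRepresentation,
    /// captured from the real server at build time. Placeholder value in the usage below.
    private let pinnedKey: Data

    init(pinnedKey: Data) { self.pinnedKey = pinnedKey }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 1: normal chain validation (expiry, hostname, trusted root).
        // A device with the Charles root installed passes this step.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: the pin. Charles generates its own leaf certificate with a key the
        // app has never seen, so the comparison fails and the connection is refused.
        // (SecTrustGetCertificateAtIndex is deprecated since iOS 15 but still available.)
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let leafKey = SecCertificateCopyKey(leaf),
              let leafKeyData = SecKeyCopyExternalRepresentation(leafKey, nil) as Data?,
              leafKeyData == pinnedKey else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage with placeholder key and URL: with Charles in the middle the data task
// fails with an error instead of returning the (modified) response.
let pinned = Data(base64Encoded: "PLACEHOLDER_BASE64_PUBLIC_KEY") ?? Data()
let session = URLSession(configuration: .default,
                         delegate: PinnedSessionDelegate(pinnedKey: pinned),
                         delegateQueue: nil)
session.dataTask(with: URL(string: "https://api.example.com/user")!) { _, response, error in
    print(response ?? error ?? "no response")
}.resume()
```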

7. TRIVIA

In December 2014 Lenovo used to ship their laptops with a program called Superfish. This little program came preinstalled on every Lenovo laptop and was responsible for placing specific ads in your search results, but it also caused a huge security risk on your laptop.

To place specific ads in your search results Superfish operated in a similar way to Charles: it included a self-signed certificate authority on every Lenovo laptop, which allowed Superfish to become a man-in-the-middle between your laptop and the server and provide you ads based on your internet activity. This meant that Superfish could also read all the SSL traffic including all your passwords, credit card information and so on:

Another issue with Superfish was that it installed the same private key for its signing certificate on every laptop. A hacker could grab this private key and present himself as Superfish on the network. Every Lenovo laptop would then trust his computer as Superfish and send their SSL traffic to the hacker instead of the actual server. The hacker could do anything with the received SSL traffic since he owned the Superfish private key – RIP security!

About the author

Haris Pekaric

Designing and developing Swift apps with ❤️.