Monitoring an iPhone’s HTTPS traffic (Part 2)

Guides | Tutorial By 5 years ago

Following on from last week’s blog, this will cover monitoring an iPhone’s HTTPS traffic. If you haven’t already, look at the setup from last week as it is required in order for this next part to work.

Without too much detail about how SSL works, data is encrypted from the server and decrypted by the client. The client can verify the server’s certificate to make sure the server is who they say they are. If the certificate is invalid then somebody could be pretending to be the server and capturing all the data you are sending them. You probably don’t have the private key from the server you’re trying to monitor data for, so if you got Charles to encrypt the data the phone would see the connection as untrusted. By default iPhone apps will drop any untrusted connections, you don’t get the ‘allow this site’ prompt seen in web browsers.

Because of this you need to install the Charles certificate onto your phone, so no matter what comes from Charles, your phone will accept it.

Download the Charles certificate from their website. Alternatively you could generate your own. Email this to yourself and open it on the iPhone. Install the certificate. Now any valid SSL certificate OR one matching the Charles certificate will be accepted.

This example will show you how to monitor the Facebook request and response.

This next step is optional, but if you want to ensure none of your other data gets sent insecurely then follow this step. Get Charles ready and send a web request from the app you’re trying to monitor. Identify the url in the left list. For Facebook it is api.facebook.com. [end of optional step]

In Charles open the Proxy settings and under the SSL tab check the ‘Enable SSL proxying’ box. Under the locations list click ‘Add’, if you did the optional step enter the url and port 443. If not then put in an asterisks (*), this will mean ALL data will be encrypted via Charles, and if anybody is sitting out there with a Charles certificate (publicly available on their site remember) can see your information being sent and received.

That is all, now attempt the web request in the app again and everything will be visible. When you’re done it’s a good idea to delete the Charles SSL certificate from your iPhone (Settings > General > Profiles).

  • Pingback: Monitoring an iPhone’s HTTP traffic (Part 1) | b2cloud()

  • Pretty good article !

  • Phil

    This was awesome. But then this happened (from Charles website)

    Note for iOS 9: You need to disable App Transport Security in your app to use Charles SSL Proxying with SSL sites. To disable ATS you need to add keys to your app’s Info.plist file, as below. See this tech note from Apple for more information. You must remember to re-enable ATS before you release your app to take advantage of the security that ATS provides.

    NSAppTransportSecurity

    NSAllowsArbitraryLoads

    Do you know if there is anyway around this other than the disabling of ATS? Seems like a drastic step just to be able to debug something.