I built a bad clone of Charles Proxy over the summer as part of another project (iOS VPN -> mitm with custom root certificate -> logging). It's surprisingly simple. It basically goes App -> Packet tunnel -> SOCKS -> a child process (I used https://github.com/AdguardTeam/gomitmproxy) to handle the sniffing and reencryption.

Did post the source somewhere at some point but my git server got corrupted and I haven't gone and fixed it. https://github.com/acheong08/apple-corelocation-experiments/...

I wonder if AI is good enough to vibe code my horrible hacks into a full clone of Charles Proxy these days.

Annoying fact: Apple requires you to have a paid developer account to access the Packet Tunnel APIs. You can't even test it in XCode simulator because of how networking works in there. It's insane that I can't even develop for my own phone without paying an extra fee to Apple. The error message when you sideload without a paid account doesn't make it obvious at all and it took me a good day or two before realizing .

What I really like about mitmproxy is that it runs on my server with a certificate I trusted on my phone.

I then flip on WireGuard on my phone, pointed to mitmproxy, and seamlessly all traffic from my phone is decrypted and viewable through the website on my computer.

Except of-course all the applications these days that do certificate pinning, which is annoying, but for that we have Frida.

mitmproxy isn't the gold standard; it is Burp Suite, sadly.

Burp Suite uses a subscription model. Charles a model like Sublime Text: you buy it and get to keep the version forever, major upgrades available for a discount.

I had to chuckle at this one:

> If you purchased a Charles license prior to 1 May 2008 your existing license key is still valid for Charles 5.

So I guess in past they used a model where you'd have lifetime upgrades.

Which also made me think: I recognize this name! This has to be an older piece of software. Was it published on Freshmeat in the start of this century?

There's also some TUI for Wireshark, such as frontends for tshark. I think [1] looks interesting, since it can be used with a local LLM (via Ollama).

[1] https://github.com/kspviswa/pktai

I'd used mitmproxy to reverse engineer browser extensions and mobile apps and it did the trick. It was quite some time ago.

I had excellent experiences w mitmproxy (and mitmdump) in 2016-17. At that point it was powerful and easily scriptable, making it far superior to charles for my purposes.

mitmproxy supports quite a few features that Charles doesn't and vice versa. You could use them as alternatives for basic browser traffic analysis (where they're both fine), but their features and capabilities cover different areas. Charles is user friendly and robust, mitmproxy has advanced scripting capabilities with a decent amount of community examples available. They complement each other.

Burp is free too (community edition)

https://portswigger.net/burp/communitydownload

What about ZAP? https://www.zaproxy.org/

Wireshark is extremely powerful and useful but it lives in a completely different category of tools. It's not a proxy so it can't modify traffic or inspect HTTPS [1], it's used to passively capture and analyze general network traffic and troubleshoot networking issues.

[1] without an elaborate setup, your program needs to be instructed to dump TLS encryption keys for Wireshark to read

I was a daily user of mitmproxy, until they changed all they keybindings around version 2. Tried a couple of times to get used to the new “TMUX” style, but switched to Charles Proxy.

Have mitmproxy gotten any better in usability over the years?

Just based on the images, is seems to have the same problems?

This. I tell people tales of that beautiful tool. have you found anything for a MacOS? My hunt so far has been futile.

Proxyman is 100x value for 2x the price. I am not even kidding. Native UI, shortcuts, cert installation helper tools. And script editor to programmatically edit requests is so much better and powerful than Charles' request editor.

Likewise. I was a dedicated user of Charles for about a decade. It’s great, but if you are a macOS user, Proxyman is better, easier, and more macOS friendly.

At a previous workplace, Charles Proxy was not in the list of approved software. I don't recall the reason - it might have been cost, but we used lots of paid tools, and since it was in the restricted category, we couldn't pick and use (we handled a copious amount of Western PII, from reading, working on it, to storing it). Two were approved: Requestly and another was a link to an internal wiki with a really "interesting" process involving Wireshark and whatnot. Needless to say, that doc was one of the most clicked and least read. I tried Charles at a later place that offered a license, and I went back to Requestly, which I really found to be more straightforward or simpler to use.

If the devs behind Charles would just tweak their UI a bit, it would be the absolute perfect tool. Functionally it pretty much already is. Mainly being able to turn on and off and configuring features I use all the time (rewrite, map local, map remote) is always a journey through menu's that don't always make sense. The only functional thing I'm missing is some DNS stuff (e.g. throttling or breaking DNS specifically).

I tried using proxyman for a while, and while definitely powerful and more modern, it honestly didn't feel "better" or more powerful so I didn't go for yet another license.

Same. At some point there was a new Charles version and I could not figure out how to use it the way I had used the old version (I admit I forget exactly what I was trying to do), and it was trivial in Proxyman. Proxyman also has a great app.

I went from charles to mitmproxy to proxyman and am currently using Reqable. Something all of these miss imo is a way to modify TLS handshakes.

I frequently use them both. The main reason why I can't leave Charles is the lack of session grouping in Proxyman. Seeing a huge list of irrelevant items is annoying after some point. In Charles, I can save that session with a name and move on to something else. It's almost impossible to leave one for the other at this point for me.

This goes without saying, but huge thanks to the both developers for making these available.

Is anyone else having trouble loading the proxyman website? (Firefox, Windows 11) - it freezes the entire browser..

Pretty nice.

Does it work for Xcode simulators?

I use Charles extensively (I am using it for the development I’m doing right now), and it needs to work on simulators.

Cost isn’t an issue for me. Fitness to purpose is important. I won’t cripple my development capacity, in order to save $50.

Looks much better, thanks for that tip

That it's an osx ONLY app.

You can also check out Caido as an alternative, we are a newer player in the space but catching up very fast. Most of the Burp new features of the last 2 years are basically copying what we innovated in Caido.

Just to mention an alternative option, ZAP (aka. Zed Attack Proxy) covers much of the same ground as Burp and is entirely free and Open Source.

I am also confused, I can't see any recent news/updates for this project either.

Didn't know about that.

https://www.charlesproxy.com/documentation/ios/

I used Charles for a while and also jumped on the Proxyman bandwagon. It’s a slick tool and even works for remote debugging (i.e., an iPhone attached to your computer with a cable).

This is a totally different class of software than what that post is ranting about. Charles is a local developer tool intended for temporary use when debugging. It only inspects TLS connections if 1) you enable that feature and 2) you add the domain being connected to the list to be inspected.

That being said, the mechanism is the same. Charles generates a root certificate that it uses to issue certificates for each domain in intercepts a TLS connection for and you need to install that root certificate in your OS such that your clients will trust that certificate. If you have a client that doesn’t use the Mac OS certificate store you may have to do some extra per client configuration.

I also despise “security” tools that intercept and inspect TLS traffic (such as ZAcaler for example), but I find a Charles to be very useful for what it does and the TLS inspection support is easy to use and really helpful/necessary in some cases.

i just texted Karl to say he’s on the front page of HN. I was the same. Charles was soo good for ol AMF!! Still miss Flash.

Caido co-founder here, thanks for the shoutout! We are slowly moving to the DevSecOps space too.

Out of curiosity, what would the setup for reverse enginering a iOS/Android app look like using Charles Proxy?

You can do more, e.g., changing the status code

Mind making some disclosure? Your account is 0 days old, and has made 3 comments. All in the same thread and promoting the same app.

It's invaluable for mobile developers. What you think you sent and in what order, is not always what happens. Charles and Proxyman help you figure that out.