Charles proxy configuration for Android
Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
This post goes through the settings required to configure Charles to inspect traffic from Android apps. Since Android Nougat (7.1), Google has blocked proxy tools such as Charles from intercepting and decrypting network traffic from Play Store apps. That means Charles only works for Android apps that you control and whose codebase you can add configuration to. If you are developing Android apps, Charles will work for the apps you build directly from Android Studio. For apps you have already submitted to the Google Play Store, Charles will not work if the app is installed on a device running Android Nougat (7.1) or above. However, if you control the source code of the Android app, you can enable a user-installed proxy by adding some configuration to the Manifest file, and Charles will then be able to intercept the traffic from your app on all Android versions.
First create an XML file with the following: res/xml/network_security_config.xml
Then add a reference to this file in your app’s manifest, as follows:
...
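The configuration this section refers to, as an added example that is not the original post's own listing: a res/xml/network_security_config.xml that trusts user-installed CAs (such as the Charles root certificate) only in debuggable builds, with the broader base-config form kept in a comment for contrast. The manifest attribute in the trailing comment assumes the file name used above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example) -->
<network-security-config>
    <!-- debug-overrides applies only when android:debuggable="true",
         so release builds keep the default trust store. -->
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user-installed CAs, e.g. the Charles root certificate -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- For contrast, not enabled: the same trust anchor under base-config
         also applies to release builds, so any CA a user installs on the
         device could decrypt the app's HTTPS traffic.

    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->
</network-security-config>

<!-- AndroidManifest.xml: reference the file from the application element:
     <application android:networkSecurityConfig="@xml/network_security_config" ... >
-->
```

With debug-overrides, a release build installed from the Play Store still rejects the Charles certificate, which is the intended result.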
The following are the steps for setting up Charles on a Mac to intercept and decrypt network traffic from Android apps.
1. Download Charles and open it. https://www.charlesproxy.com/download/latest-release/
2. Since Charles is running on the Mac and Android apps are running on an Android device, both have to be on the same Wi-Fi network for Charles to receive traffic from your Android device. So, make sure your Mac and Android device are on the same Wi-Fi network.
3. Find your Mac’s local IP address; it will be needed for your Android device settings. You can find it under System Preferences -> Network: under the Wi-Fi status there should be text such as "Wi-Fi is connected to my-home-wifi and has the IP address 192.168.1.123", where 192.168.1.123 is your Mac’s local IP address.
4. Configure your Android device’s Wi-Fi settings to proxy through your Mac’s local IP address. On your Android device, go to Settings -> Wi-Fi -> Tap on the Wi-Fi name you are using -> Tap on the edit button -> Tap on Advanced Options -> Tap on Proxy -> Select Manual -> Type in your Mac’s local IP address under Proxy hostname -> Type 8888 under Proxy port -> Tap Save. Different Android devices might have a different path to the Wi-Fi settings; the important thing is to use a manual proxy for your Wi-Fi connection and point the proxy address to your Mac’s local IP address with port 8888.
5. Open a browser app such as Chrome on your Android device and go to any website.
6. Go back to your Mac and click Allow if you see a prompt from Charles saying a connection attempt was made from an IP address, which is that of your Android device.
7. Back on your Android device, open Chrome and go to chls.pro/ssl to download the Charles Root certificate. This is required to decrypt the traffic; otherwise the traffic you see will be just encrypted strings.
8. Install the Charles Root certificate that was downloaded. On your Android device, go to Settings -> Security -> Encryption & Credentials -> Install a Certificate -> CA certificate -> Install anyways -> enter your PIN, password or fingerprint if asked -> tap on the certificate.
9. Make sure the root certificate is trusted. Go to Settings -> Security -> Encryption & Credentials -> Tap Trusted credentials -> USER; you should see a certificate with the name XK72 Ltd.
10. Back in Charles on your Mac, enable SSL proxying to view traffic with decrypted data. If you want to see traffic from https://api.example.com/, right-click on this network request and click the Enable SSL Proxying option.
11. Everything is now set up to use Charles to see the network traffic from the apps on your Android phone. As long as your Mac and Android device are on the same Wi-Fi network with the above configuration, you should see all the network traffic from your Android device in Charles.
12. To disconnect, revert the changes you made to the Wi-Fi settings in step 4.
References:
https://developer.android.com/training/articles/security-config.html
https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/