
Using Charles Proxy to View the Data Your Mobile Apps Send and Receive « Null Byte :: WonderHowTo



If you're using a mobile device, it's a safe bet that your apps are sending lots of information to their servers. To make sure nothing is collecting data it shouldn't, we recommend setting up a web proxy to spy on this traffic, so you know exactly which apps are "calling home," and when.

With a web proxy in place, you can find out what is being sent and received by your Android or iOS apps. You can even monitor encrypted traffic sent over HTTPS: the web proxy acts as a man-in-the-middle and lets you see what's happening.

Finally, there is no limit to the data that gets collected. Everything from the time you spend on a given screen to raw sensor data is routinely gathered, either for the company to analyze internally or to sell to third parties. Some of this may be information you would rather not give up, let alone have sold.

Step 1: Install Charles Proxy on Your Computer

My preferred tool for parsing HTTP traffic is Charles Proxy. It is available for all modern operating systems (Linux, macOS, Windows), and you can download a free 30-day trial at charlesproxy.com/download. After the trial period, you can expect to pay $50 for a user license.

Charles is an immensely powerful tool, not just for sniffing app traffic, but for all kinds of web application analysis and debugging, so it's a good investment if you're interested in mobile development of any kind. If you just want to see what's going on with the apps on your smartphone or tablet, the free trial is enough. Note that the free trial is limited to 30-minute sessions, so you have to close and restart Charles every 30 minutes.

Step 3: Determine Your Computer's IP Address and Port Number

Instructions for configuring your desktop browser and operating system to route traffic through Charles vary depending on what you use. If you want to use Charles to inspect the web traffic from your browser, I recommend visiting the Charles documentation on that topic.

For our purposes, we want to examine traffic from a smartphone, so let's start by configuring an iPhone to use the computer with Charles as a web proxy.

First, on the computer where Charles is running, select "Help" from the menu, then "SSL Proxying," then "Install Charles Root Certificate on a Mobile Device or Remote Browser."

You will see a dialog like this one, giving the IP address and port of the machine running Charles:

Step 4: Configure the phone to use Charles Proxy

On an iPhone, open the Settings app and go to "Wi-Fi." Make sure the phone is on the same network as the computer running Charles, tap the info icon next to the connected network, then scroll down and select "Configure Proxy." Select "Manual," enter the server address and port number from the dialog Charles showed you, then tap "Save" to finish.

For Android phones, the process differs slightly depending on the OEM and software version. Generally, you open the Wi-Fi settings, tap and hold the network you're connected to, and select something like "Manage network settings" or "Change network," or a pencil icon. Select the option to show advanced settings, open the "Proxy" settings, and enter the server address and port number Charles gave you. Tap "Save" to exit.

Your smartphone is now configured to route its HTTP traffic through Charles.

Step 5: Allow connection to Charles

Once your smartphone connects to Charles, you will get a dialog on your computer warning you that a device has contacted Charles. Select "Allow." If you decline, you will need to restart Charles to get the prompt again.
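Before reconfiguring the phone, it helps to confirm from the computer that Charles is actually listening on the address and port you are about to type in, and that a request through it shows up in Charles's left pane. The following script is an added example, not code from the article or from Charles; it assumes Charles's default proxy port of 8888 (use whatever port the dialog in Step 3 shows) and that the computer's LAN address is the one it would use for outbound traffic.

```python
"""Sanity-check the Charles proxy from the computer before touching the phone.

Added example, not part of the original article. Assumes Charles is listening
on its default port 8888 (read the real host/port from the dialog Charles shows).
"""
import socket
import urllib.error
import urllib.request

CHARLES_PORT = 8888  # Charles's default proxy port (assumption; use the one Charles shows)


def lan_ip() -> str:
    """Return the address this computer uses for outbound traffic.

    The UDP socket never sends anything; connect() only makes the kernel pick
    the outgoing interface, whose address is the one the phone must point at.
    192.0.2.1 is a reserved documentation address, so no real host is involved.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))
            return s.getsockname()[0]
        except OSError:  # no route at all (e.g. offline); fall back to loopback
            return "127.0.0.1"


def proxy_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if something accepts TCP connections on host:port (i.e. Charles is up)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_via_proxy(proxy_host: str, proxy_port: int, url: str, timeout: float = 10.0) -> int:
    """Send one request through the proxy and return the HTTP status code.

    The request appears in Charles's left pane, which confirms interception
    works before the phone is reconfigured. Returns -1 if the proxy is unusable.
    """
    proxy = f"http://{proxy_host}:{proxy_port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # proxy worked, server answered with an error
        return e.code
    except (urllib.error.URLError, OSError):
        return -1


if __name__ == "__main__":
    ip = lan_ip()
    print(f"Enter this on the phone: server {ip}, port {CHARLES_PORT}")
    if not proxy_reachable(ip, CHARLES_PORT):
        raise SystemExit("Charles is not listening; start it and check Proxy > Proxy Settings")
    print("status via proxy:", fetch_via_proxy(ip, CHARLES_PORT, "http://example.com/"))
```

If the reachability check fails on the LAN address but passes on 127.0.0.1, Charles is bound to loopback only, or a host firewall is blocking the port; either way the phone will not be able to connect until that is fixed.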

Step 6: Install the Root Certificate on Your Phone

Next, open the web browser on your smartphone and navigate to chls.pro/ssl.

On an iPhone, you immediately get a request to allow the site to show you a configuration profile. Tap "Allow." You will then be taken to the Install Profile screen for the Charles Proxy CA. Tap "Install," which brings up a warning page; tap "Install" again there, and once more in the pop-up. When finished, tap "Done."

If you're using iOS 10 or later, you also need to go to "General" in the Settings app, tap "About," then tap "Certificate Trust Settings" at the bottom. Under "Enable Full Trust for Root Certificates," turn on the switch next to the Charles Proxy CA.

On an Android device, the certificate file should start downloading immediately. If not, you may be asked to confirm; in that case, tap "Download." After downloading, enter your PIN or fingerprint to continue. A certificate dialog then opens in which you name the certificate something like "Charles Proxy CA." When you are done, tap "OK."

Note that DNS-based ad blocking must be disabled on your Android device for the Charles Proxy certificate to install. Later, when you analyze the data, an ad blocker would only hide traffic from you anyway, so it's best to leave it off until you stop using Charles.

After you have installed the certificate, you can view encrypted HTTPS traffic in plain text in Charles, not just the unencrypted HTTP traffic you could see without it.

Step 7: Enable SSL proxy for all hosts in Charles

You're not done yet. There's one more step before you'll see all the data going to and from your apps: you must configure Charles to enable SSL proxying for all hosts. In the menu, go to "Proxy" and select "SSL Proxying Settings."

When the options appear, click the "Add" button on the SSL Proxying tab. When the Edit Location dialog appears, either enter * (a single asterisk) in the Host field and press "OK," or simply press "OK" with the Host field left empty, in which case the wildcard is created for you. The asterisk is a wildcard that matches all hosts.

Click "OK" in the SSL Proxying Settings window to save your settings. Now that everything is set up, open an app on your smartphone and see what kind of data it is sending!

Step 8: Isolating Phone Traffic from Other Devices

Depending on what other internet traffic the computer running Charles generates, it can be hard to tell which requests come from the phone and which don't. Charles automatically changes your computer's network settings so that its own HTTP traffic goes through the proxy, but it's easy to change that manually so you only see the phone's traffic.

In macOS, you can change this in System Preferences. Go to Network, then Advanced, and under Proxies, clear the check boxes for Web Proxy (HTTP) and Secure Web Proxy (HTTPS). Charles re-enables these settings every time it starts, so you'll need to repeat this step each time you want to isolate the phone's traffic.

Step 9: Use Your Apps and Analyze the Results

I decided to test this on something I use quite often, Strava, a fitness tracking app that lets users record and upload workout data. When I open Strava on my smartphone, I see a couple of hostnames, i.e. domains, in the left pane of Charles.

When you expand one of them and look at the "Contents" section on the right side, you can see exactly what information these apps send to their developers and to third parties. I recognized one of the entries for Strava as a commonly used analytics platform and decided to take a look.

I'm not naive enough to post the entire payload, but there was some really detailed information in there, including my name, location, mobile carrier, email address, and even some of the ad categories it had put me in. That's not very surprising, knowing how much these apps can harvest, but it was interesting to see it all spelled out in plain text.

Look for requests to well-known app analytics companies. Some of the most popular are Segment, Fabric, Flurry, and Firebase. Ad providers also receive a pretty scary amount of tracking data and can be a good place to look; you can often tell what they are by the hostname.
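Clicking through hosts one by one in Charles works for a single app, but once you have a longer session it is quicker to export it and let a script group the requests by hostname, flag the ones that look like analytics or ad endpoints, and point out request bodies carrying personal data such as an email address or carrier name. The script below is an added example, not code from the article or from Charles; it assumes you export the session as HAR (a JSON format Charles can export), the hostname keyword list is an assumption seeded from the vendors named above, and the embedded session is constructed for the demonstration.

```python
"""Triage a Charles session exported as HAR: which hosts did the phone talk to,
which look like analytics/ad endpoints, and which request bodies carry personal
data. Added example, not the article's or Charles's own code.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostname fragments that suggest analytics or ad tracking (assumption; extend as needed).
TRACKER_HINTS = ("segment", "fabric", "flurry", "firebase", "crashlytics",
                 "analytics", "ads", "doubleclick")

# JSON field names that usually hold personal data (assumption; extend as needed).
PII_KEYS = ("email", "name", "lat", "lon", "carrier", "advertising_id", "idfa", "imei")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample HAR shaped like a Charles export: two first-party API calls
# and one batch upload to a third-party analytics host.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.exampleapp.com/v1/activities?page=1",
                 "postData": {}},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.exampleapp.com/v1/uploads",
                 "postData": {"mimeType": "application/json",
                              "text": "{\"activity_id\": 42}"}},
     "response": {"status": 201}},
    {"request": {"method": "POST", "url": "https://tracking.example-analytics.net/v1/batch",
                 "postData": {"mimeType": "application/json",
                              "text": "{\"email\": \"user@example.com\", \"name\": \"Jane\", "
                                      "\"carrier\": \"ExampleCell\"}"}},
     "response": {"status": 200}},
]}})


def load_entries(har_text: str) -> list:
    """Return the request/response entries of a HAR document."""
    return json.loads(har_text)["log"]["entries"]


def host_of(entry: dict) -> str:
    """Hostname the request was sent to (what Charles shows in its left pane)."""
    return urlsplit(entry["request"]["url"]).hostname or ""


def is_tracker(host: str) -> bool:
    """Heuristic: does the hostname contain a known analytics/ad vendor fragment?"""
    host = host.lower()
    return any(hint in host for hint in TRACKER_HINTS)


def pii_in_body(entry: dict) -> list:
    """Names of personal-data fields found in the request body, sorted."""
    body = entry["request"].get("postData", {}).get("text", "") or ""
    found = set()
    try:
        data = json.loads(body)
    except ValueError:  # not JSON (form data, binary, empty); fall through to regex
        data = None
    if isinstance(data, dict):
        found.update(k for k in data if k.lower() in PII_KEYS)
    if EMAIL_RE.search(body):  # catches addresses in non-JSON bodies too
        found.add("email")
    return sorted(found)


def triage(har_text: str) -> dict:
    """Per-host summary: request count, tracker flag, and PII fields seen."""
    report = defaultdict(lambda: {"requests": 0, "tracker": False, "pii": set()})
    for entry in load_entries(har_text):
        host = host_of(entry)
        rec = report[host]
        rec["requests"] += 1
        rec["tracker"] = is_tracker(host)
        rec["pii"].update(pii_in_body(entry))
    return {h: {"requests": r["requests"], "tracker": r["tracker"], "pii": sorted(r["pii"])}
            for h, r in report.items()}


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_HAR).items():
        flag = "TRACKER" if rec["tracker"] else "first-party"
        print(f"{host:40} {rec['requests']:3} req  {flag:11} pii={rec['pii']}")
```

Run it against a real export by replacing `SAMPLE_HAR` with the file's contents; hosts flagged as trackers that also show PII fields are the ones worth reading in full in Charles. The keyword heuristic will miss vendors under unfamiliar hostnames, so treat an unflagged host as "unknown," not "clean."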

The data sent and received by apps is usually harmless. Anything that goes to an address that looks like api.appname.com, for example, is functional data needed to run the app. Looking at these requests gives you a good look behind the scenes of the app, and it's a good place to make sure it's not "phoning home" with data you don't expect it to have access to.

Some Apps Not Working on Your Phone?

Many apps implement SSL certificate pinning, meaning they check that the server presents the specific certificate (or certificate authority) they expect, rather than trusting anything in the device's certificate store, so they are not susceptible to a man-in-the-middle attack. In my case, the actual Strava API validates certificates this way, but the third parties receiving my information did not.
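To make the pinning behaviour concrete from the app developer's side: a pinned client still runs normal chain validation, then additionally compares a fingerprint of the certificate the server presented with a fingerprint shipped inside the app. A certificate minted by the Charles CA passes the chain check (the phone now trusts that CA) but has a different fingerprint, so the connection is refused and Charles shows nothing readable. The code below is an added example, not from the article or from any app it names; the host and pin values are placeholders, and the byte strings in the test stand in for real DER certificates.

```python
"""Client-side certificate pinning, the check that makes an app opaque to
Charles. Added example; hosts and pin values are placeholders.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the value an app would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned: set) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints.

    Ship more than one pin (current and next certificate) so a routine
    certificate rotation does not lock every user out of the app.
    """
    return fingerprint(der_cert) in pinned


def pinned_connect(host: str, port: int, pinned: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    Chain validation against the system trust store still runs first; the pin
    is an extra check on top, which is exactly what an installed MITM root
    cannot satisfy.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: got {fingerprint(der)}")
    return tls


if __name__ == "__main__":
    # Placeholder pin; a real app embeds the fingerprint obtained out of band.
    PINS = {"<sha256-hex-of-expected-certificate>"}
    try:
        pinned_connect("api.exampleapp.com", 443, PINS).close()
        print("pin matched")
    except (ssl.SSLError, OSError) as e:
        print("connection refused:", e)
```

Pinning the leaf certificate's fingerprint, as here, is the strictest form and needs a pin update with every certificate renewal; apps often pin the public key or an intermediate CA instead to get the same protection with less operational risk.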

If you're trying to use an app on your phone and it's not working properly while proxied, that's the reason, and you won't be able to see its web traffic. Many apps from Apple and Google have this level of security, so third-party apps are the ones you'll want to try; they're the ones that tend to do dodgy things with your data anyway.

Remove Everything as Soon as You're Done

Once you've finished analyzing the mobile app traffic on your smartphone, remove the installed certificate: you don't want a man-in-the-middle certificate staying trusted on your device any longer than you are actively using it. You may also want to remove the proxy setup.

To delete the certificate on an iPhone, go to "General" in Settings and select "Profile" near the bottom. Tap the "Charles Proxy CA" configuration profile, then "Remove Profile," and tap "Remove" to confirm. To stop using the proxy, select "Wi-Fi" in Settings, tap the Wi-Fi network, select "Configure Proxy," choose "Off," and tap "Save."

For Android users, the process depends on your device. Select "Security & location" or "Lock screen and security" from Settings, tap "Advanced" or "Other security settings," then "Encryption and credentials" or "View security certificates." On stock Android, you also need to tap "Trusted credentials." Now select the "User" tab, tap "Charles Proxy CA," then tap "Remove" and "OK" to delete it. As for the proxy, just go back to the Wi-Fi network's options and change the proxy setting from "Manual" to "None."

Cover image by Justin Meyers/Null Byte; screenshots by Macro Mosaic/Null Byte
