I used Charles a long time ago and have since forgotten how to use it. Recently, the company asked me to test the security of a small program, and I immediately thought of using Charles for packet capture analysis. Here I record the process for later reference.

Installation

Here I use Charles 4.2; copy the .jar file into Contents/Java.

Introduction

Charles is a common network packet interception tool on the Mac. In mobile development, we often need to intercept network packets for analysis in order to debug the network communication protocol with the server. Charles intercepts and analyzes network packets by setting itself up as the system's network access proxy server, so that all network access requests pass through it. In addition to debugging ports for mobile development, Charles can also be used to analyze the communication protocols of third-party applications. Combined with its SSL capabilities, Charles can also analyze the HTTPS protocol.

Charles interface introduction

However, I personally prefer this view mode, which groups requests by domain name and makes it easier for me to read web requests.

Proxy settings

Open Charles and set it up as a proxy server so you can listen for network requests when accessing the app on your phone.

To capture network packets from the mobile phone, you need to configure a few settings. On the Charles menu bar, choose Proxy -> Proxy Settings, enter proxy port 8888, and select Start Proxy.

Mobile phone setup

Here I take the iPhone as an example. First, we need to obtain the IP address of the computer, which can be found in the Help menu of Charles.

Note this address, then on the phone open the settings of the connected WiFi network. Note that the computer and the phone must be connected to the same WiFi.

Configure the proxy manually: enter the IP address shown in Charles's Help menu, with port 8888.

When you click Save, a Charles message box will pop up on your computer. Click Allow to run.

SSL configuration

When the mobile phone accesses an HTTPS website, the request is displayed as unknown. This is because HTTPS is encrypted. Let's configure the certificate.

PC SSL

To set the certificate on the computer, do as follows:

The following section can be ignored if the certificate is already trusted.

Charles needs to be told which URLs to monitor. Here we set it to monitor all of them.

Computer setup

Mobile client SSL

The mobile phone certificate settings are as follows:

Click as shown below, then use Safari on the iPhone (note: it must be Safari) to access the address and install the certificate.

After the certificate is installed, you need to trust it. Choose General > About > Certificate Trust Settings and enable trust for the certificate.

OK, all settings are now complete.

Now you can open the app on your phone, and Charles will capture all of its request packets.

PS

Follow the above instructions carefully, otherwise HTTPS URL data may appear garbled or show as unknown.

Ha ha. As a result, the small program I went to test had no Token authentication, meaning all interfaces were exposed to the outside world… And all the request parameters were base64 encoded as "shallow encryption", so I only needed to decode a few parameters, then re-encode the request to get their data…
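
Why base64 "shallow encryption" protects nothing, next to a request check that does require a secret, as an added example that is not part of the original post or the tested program. The handlers, the `user_id` field and the session key are constructed for illustration, assuming the server issues a per-session key after login.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; assumed to be a per-session secret issued after login.
SESSION_KEY = b"constructed-demo-session-key"

def b64_params(params: dict) -> str:
    """The 'shallow encryption' from the post: JSON -> base64, no key involved."""
    return base64.b64encode(json.dumps(params, sort_keys=True).encode()).decode()

def weak_handler(encoded: str) -> dict:
    """Hypothetical server that trusts any well-formed base64 blob."""
    return json.loads(base64.b64decode(encoded))

def sign(encoded: str, key: bytes) -> str:
    """HMAC-SHA256 tag over the encoded parameters; needs the key to compute."""
    return hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()

def hardened_handler(encoded: str, tag: str, key: bytes = SESSION_KEY) -> dict:
    """Reject the request unless the tag verifies (constant-time comparison)."""
    if not hmac.compare_digest(sign(encoded, key), tag):
        raise PermissionError("request signature invalid")
    return json.loads(base64.b64decode(encoded))

def demo() -> dict:
    original = b64_params({"user_id": 1001})
    tag = sign(original, SESSION_KEY)
    # Base64 is reversible by anyone: read the parameters, change one, re-encode.
    edited = b64_params({**weak_handler(original), "user_id": 1002})
    results = {"weak_accepts_edit": weak_handler(edited)["user_id"] == 1002}
    try:
        hardened_handler(edited, tag)  # tag was computed over the original params
        results["hardened_accepts_edit"] = True
    except PermissionError:
        results["hardened_accepts_edit"] = False
    results["hardened_accepts_original"] = (
        hardened_handler(original, tag)["user_id"] == 1001
    )
    return results

if __name__ == "__main__":
    print(demo())
```

A valid signature only shows that the request came from a holder of the session key; the server must still check that the authenticated user is allowed to read the requested record.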