see network traffic for the iOS apps via Charles proxy - ios

I've got all the settings right and I'm intercepting the SSL traffic.
The only problem is SSL handshake failing.
I've installed the Charles Proxy SSL certificate on my iPhone and marked it as trusted.
It's a 3rd party app (non apple, non google) that I'm trying to see it's traffic. Please guide.
Network Traffic
SSL Proxying Settings

If it's a 3rd party app and you don't have the source code, it can't be done. The app needs to explicitly allow the Charles SSL cert, or set "Application Transport Security > Allow Arbitrary Loads" to YES in its Info.plist. The Charles iOS app may be able to do it.

Related

iOS 11.3.1 doesn't connect to Apple Store if third-party certificate is deployed on the phone

I have iPhone device and need to test my application. However, current version of iOS does not allow to MITM the Apple Store. The rest of the user apps work fine if you follow Charles Proxy manual (install cert, add to the trusted list).
Did anyone encounter the issue before?
iOS does allow third party certs. You just have to explicitly trust them.
Open Settings -> General -> About -> Certificate Trust Settings and enable trust for the development certificate.
This is to ensure that nobody gets an MITM cert installed on accident.
We use this all the time with iOS 11.3 with mitmproxy

How to create a self-signed certificate for iPhone?

Charles the debugging proxy is able to create self-sign certificate for iOS, and I want to do the same with my testing app. So I use SSL to set up the connection between an iOS app and a server. The server's certificate is self-signed and will not be accepted by the iOS. I downloaded the certificate file to the iOS device I was using and manually installed it into the system, and it reads red text Not Verified. My app still fails to connect to the server (while the Android app could establish a connection just fine). Is there a way to create a self-signed trusted certificate for an iOS device like Charles the debugging proxy is able to do?

Fiddler: Get Client Certificate from IPhone App to log HTTPS traffic

I want to debug some HTTPS traffic from an IPhone app using Fiddler.
After installing the Fiddler-generated certificate on the IPhone, I am able to see most of the HTTPS-Traffic but unfortunately the HTTPS-Requests I want to debug use a client certificate which I have to copy to my PC in order to see the traffic.
Is there a general way to download that specific certificate?

Why some iphone apps won't finish ssl handshake with Charles Proxy?

I am using Charles Proxy to see all of the traffic that is coming out of my iphone. I have the ssl certificate/profile installed on my iphone and I can see a lot of the traffic that is ssl encrypted. However, some applications seem to not finish the ssl handshake.
The error is: "SSLHandshake: Remote host closed connection during handshake" and then Charles Proxy suggests to configure the application to trust the Charles Root Certificate. I thought I did when I installed the profile onto my iphone?
Any explanation of this/way to fix it?
Yes, SSL pinning is a possibility. Although as of iOS 10.3, you must take an additional step to trust the Charles Root Certificate that is not currently documented on their website edit: this info is now under iOS Devices here: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
Settings > General > About > Certificate Trust Testings
Source: https://www.neglectedpotential.com/2017/04/trusting-custom-root-certificates-on-ios-10-3/
There are applications which don't simply expect the certificate signed one of the trusted CA's on the system, but which expect a single specific certificate or a certificate containing a specific public key. This is called certificate/public key pinning. For this application it will not work if you configure the CA of Charles Proxy as trusted on the system because they will not use this CA.
Any explanation of this/way to fix it?
If the application is built to only trust a single certificate/public key and never trust something just because it is signed by a locally trusted CA, then you would need the original certificate and its private key to do the SSL interception. Since you don't have these there is no way to do the SSL interception.

Certificate issue after migrate from HTTP to HTTPS

I am working on mobile HTML5 site using HTML5/JQueryMobile and server is in php. I changed sever settings from HTTP to HTTPS but now from my mobile it shows these type of error
[Error] Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.example.com” which could put your confidential information at risk.
when using in IPhone 5 with IOs 7.1.2.
How to handle that issue. What things i have to do?
For us this happened with the update to iOS 13. The requirements for trusted certificates changed, so we needed to adjust the certificate.
See the official page of Apple
You are using a self-signed certificate. Thus your iPhone doesn't trust your certificate.
Either add the certificate to your iPhone as a trusted certificate. (recommended)
Or create a official certificate from a trusted authority. (recommended for production usage)
Or make requests and allowing insecure (self-signed) certificates. (not really recommended, but might be the fastest solution)

Resources