Reverse Engineering Native Apps by Intercepting Network Traffic With Charles 4?

Question

the older pre-3.10 versions of Charles allow users to install a root certificate on their phones to help apps to allow SSL connections but the newer version has removed this feature. I am not sure if this is the reason why I wasn't able to POST successfully to the native app server.

For example I will get messages like SSLHandshake: Remote host closed connection during handshake

I suspect the root certificate is for the app on my phone to accept SSL connections from the server, but not for me to POST messages to the server.

Anyways, is there a method for me to set up SSL connections to POST?

P.S. I have added the server's url in my SSL list, and also enabled "transparent HTTP proxy." (I noticed that is not HTTPS, so perhaps Charles doesn't have transparent HTTPS feature?)

Update: I tried using mitmproxy and it worked. It looks like installing cer file to the phone is the right way to go but I am wondering why Charles removed this feature. I also think I might have missed something in the documentation. Perhaps Charles did generate a cer file in my system for me to download to the phone. If so, where can I find this file?

Answer 1

Yeah, all you need to do is to click help on the menu bar and then select save SSL or install SSL on mobile device and then browse to the url it gives you on your mobile browser to download the certificate.