All applications these days seems to communicate over the internet. Most of the time, developers might not need paying much attention to such low level but sometimes, the app doesn't behave as we expect so we might want to take a look into network packages to see how it worked.
Sep 30, 2020 Used by four million developers, new version of the popular web debugging proxy tool offers Windows, Mac and Linux support and much more. BEDFORD, Mass., Sept. Debug network traffic on any system. Fiddler Everywhere is cross-platform. This means you can inspect desktop and web traffic from any macOS, Windows, or Linux system. Debugging mobile traffic? Fiddler Everywhere also supports debugging network traffic from iOS and Android – any device that supports a proxy server. Reverse proxy and HTTP proxy and monitor that displays all HTTP(S) traffic to/from. Debug network traffic on any system. Fiddler Everywhere is cross-platform. This means you can inspect desktop and web traffic from any macOS, Windows, or Linux system. Debugging mobile traffic? Fiddler Everywhere also supports debugging network traffic from iOS and Android – any device that supports a proxy server.
In such case, what developers need might be a proxy server like Wireshark, Fiddler, Charles or Proxyman which sits between the app and computer's network connections to capture all of its requests/responses. In this blog, let's see how an app like Proxyman can help us to test an application.
To start, we first need to download the latest version of Proxyman at https://proxyman.io/. Double-click the .dmg file and drag its icon to your Applications folder to install it.
Inspect requests/responses
When first time you launch the app, Proxyman would ask for permission to automatically configure your network settings. Click Grant Privileges and enter your password if prompted. This allows Proxyman to change your network configuration to route all traffic through it to inspect all network events to and from your computer.
As soon as Proxyman is launched, you can see events popping into the left panel. Those recorded network requests are categorized by Apps and Domains and listed down in the main panel along with their detailed information.
To search for specific requests, we can use Command + F to filter all URLs by protocols (HTTP/HTTPs/Web socket), content type (JSON, XML, CSS, Images,…) or text contained in URL, header, status code,…
Then using the Pin feature to isolate those URLs for testing without distraction
SSL Proxying
Although Proxyman can inspect all network events to and from your computer, if you double click to select a request, you should expect to see no content response of that request yet. The reason is that HTTPs protocol use SSL/TLS to encrypt sensitive request and response information and prevent proxy servers and other middleware from eavesdropping.
So how Proxyman can decrypt those SSL messages so that we can snoop on and debug them? Magically (:), Proxyman (and other man-in-the-middle apps) can generate its own self-signed certificate, which we can install on our Mac and iOS devices for SSL/TLS encryption. However, as this certificate isn't issued by a trusted certificate issuer, we'll need to tell our devices to explicitly trust it. Please bear in mind that there are some cases where Proxyman won't work such as when an app uses SSL pinning to verify network connections for extra security. In this case, the app can reject communication if they find any mismatch between the pre-pinned certificates and your newly trusted certificate.
With that being said, most of the time, you could enable SSL by clicking the button on the Proxyman's right panel. Once enabled, Proxyman will be able to decrypt SSL events!
This is how the workspace looks like once you enable SSL Proxying
Modifying requests/responses
In addition to logging data, developers can also use a 'Breakpoint' to edit API requests/responses or even decide whether to block it or allow it to proceed. When you enable Breakpoint for request, Proxyman will stop the request before it goes to your server. If you enable Breakpoint for response, it will stop the response before it goes to your app. Thus, you can modify such requests/ responses to test UI errors or certain back end functionalities (including security vulnerabilities)
Enable Breakpoint
To enable this tool → Right Click the URL → select Tools → select Breakpoint
Add Matching Rule
A Breakpoint Rule Window will then pop-up to allow us to define our matching conditions. As the app auto-use the selected endpoint as the condition, we would see the endpoint https://api.producthunt.com/v1… is auto-filled. Here we want to change the status code only so let’s uncheck the Request box
After hitting Done, a new rule has been added up to the Breakpoint rules window
With that all set up, it’s time to modify the status code to see how the app behaves
Change Status code
As soon as we re-send the request, that API call would be captured so that we can edit our queries on the fly.
As you can see, after changing the status code into 400 and hit Execute, the response is now updated with signal Error 400 in the main window
In case you want to manipulate the content of requests/ responses, you can find the detailed blog at https://proxyman.io/blog/2019/09/Use-Breakpoint-to-intercept-and-edit-request-response-on-iOS-app.html.
Conclusion
In a nutshell, a man-in-the-middle app like Fiddler, Charles, or Proxyman can:
- Configure our network settings to route all traffic through it so that it can inspect all network events to and from our computer.
- Generate and use its own self-singed certificate to decrypt SSL events (which is encrypted by HTTPS).
- Act as a proxy server to help you modify requests/responses on-the-fly.
That’s how we can use Proxyman for debugging an app. Hope that you would find it helpful to incorporate with your working habit and boost your productivity :)
Proxyman is a high-performance macOS app, which enables developers to view HTTP/HTTPS requests from apps and domains on iOS device, iOS Simulator and Android devices. Get it at https://proxyman.io
Recent Developments
For discussion on the latest changes to Charles, please see Karl’s blog.
Charles 4.5.6 released with minor bug fixes and patched security vulnerability. Read more.
Charles 4.5.5 released including bug fixes for SSL certificate imports. Read more.
Charles 4.5.2 released including new features, bug fixes and improvements. Read more.
Charles 4.2.8 released with minor bug fixes. Read more.
Charles 4.2.7 released with minor bug fixes and improvements. Read more.
Charles Security Bulletin for a local privilege escalation in Charles 4.2 and 3.12.1 and earlier. Read more.
How To Debug Mac Computer
Charles 4.2.5 released with major bug fixes and minor improvements. Read more.
Charles for iOS released. Read more.
Charles 4.2.1 released with important bug fixes. Read more.
Charles 4.2 released with major new TLS debugging capability, minor improvements and bug fixes including macOS High Sierra support. Read more.
Charles 4.1.4 released with minor improvements and bug fixes. Read more.
Charles 4.1.3 released including Brotli compression support and other minor bug fixes and improvements. Read more.
Charles 4.1.2 released with bug fixes and minor improvements. Read more.
Charles 4.1.1 released with bug fixes. Read more.
Charles 4.1 released including major new features and bug fixes. Read more.
Charles 4.0.2 released including bug fixes and minor improvements. Read more.
Charles 4.0.1 released including bug fixes. Read more.
Charles 3.11.6 released with support for macOS Sierra and minor bug fixes. Read more.
Charles 4 released featuring HTTP 2, IPv6 and improved look and feel. Read more.
Web Debug Proxy For Mac Windows 10
Charles 3.11.5 released including minor bug fixes; especially fixes SSL certificate installation on Android. Read more.
Charles 3.11.4 released with support for ATS on iOS 9 and crash fixes for older versions of Mac OS X. Read more.
Charles v3.11.3 released including bug fixes and minor improvements. Read more.
Charles v3.11.2 released with SSL and Websockets improvements. Read more.
Charles 3.11 released including major new features. Read more.
Charles 3.10.2 released with bug fixes and improvements. Read more.
Charles 3.10.1 released with minor bug fixes. Read more.
Charles 3.10 released with improved SSL (new SSL CA certificate install required), major new features and improvements. Read more.
Charles v3.9.3 released with improvements to SSL support, Mac OS X Yosemite support and other minor bug fixes and improvements. Read more.
Charles v3.9.2 released with minor bug fixes. Read more.
Charles 3.9.1 released with minor bug fixes and improvements. Read more.
Charles 3.9 released with major new features and bug fixes, including the ability to 'focus' on hosts so they are separated from the noise. Read more.
Charles 3.8.3 released with support for Mac OS X Mavericks and minor bug fixes. Happy Mavericks Day. Read more.
Charles 3.8.2 released with minor bug fixes. Read more.
Charles 3.8.1 released with minor bug fixes and improvements. Read more.
Charles 3.8 has been released with new features and bug fixes. Read more.
Charles 3.7 has been released. Includes new features, bundled Java runtime (so you don’t need to install Java anymore), and bug fixes. Read more.
Charles 3.7 beta 2 has been released. This changes the SSL signing for Charles on Mac OS X to use Apple's new Developer ID code-signing. Read more.
Charles v3.6.5 released including bug fixes and minor changes. Read more.
Charles v3.6.4 released including major bug fixes and enhancements. Read more.
Charles v3.6.3 released including minor bug fixes. Read more.
Charles v3.6.1 released including minor enhancements and bug fixes. Read more.
Charles v3.6 released including new features, enhancements and bug fixes. New features include HAR and SAZ file import. Read more.
Charles v3.5.2 released including bug fixes and minor new features. Read more.
Charles 3.5.1 released. Minor bug fixes. Read more.
Charles 3.5 released. Major new features, bug fixes and enhancements.
Charles 3.4.1 released. Minor features and bug fixes.
Charles 3.4 released. Major changes especially to SSL.
New website launched. Follow @charlesproxy on Twitter. Say hi in San Francisco when I'm there for WWDC!
Charles 3.3.1 released. Minor new features and bug fixes. Experimental 64 bit Windows support. Read more.
Charles 3.3 released. Major new features. Download
Charles Autoconfiguration add-on for Mozilla Firefox adds support for Firefox 3.1
Charles 3.2.3 released. Minor new features and bug fixes.
Charles 3.2.2 released. Minor new features and bug fixes.
Charles 3.2.1 released. Minor new features and bug fixes.
Charles 3.2 released. Major new features. Release Notes
Charles 3.2 public beta released. Download and more information on my blog.
Charles 3.1.4 released. Bug fixes and minor new features.
Charles Mozilla Firefox add-on updated for compatibility with Firefox 3.0.
Charles 3.1.3 released. Minor bug fixes, minor new features.
- Chart tab now includes charts for sizes, durations and types
- Request & Response can now be displayed combined on one split-panel
- SSL handshake and certificate errors are now displayed in the tree
Charles 3.1.2 released. Minor bug fixes.
Charles 3.1.1 released. Minor bug fixes.
Charles 3.1 released.
Charles 3.0.4 released. Fixes SSL bug on Java 1.4.
Charles 3.0.3 re-released. Fixes launch bug on computers that haven't used Charles before.
Charles 3.0.3 released. Various improvements and minor bug fixes.
Charles 3.0.2 released. Minor bug fixes and improvements.
Charles 3.0.1 released. Minor bug fixes.
Charles 3.0 released. Major new features and improvements
Charles 3.0 public beta released.
Charles v2.6.4 release. Minor bug fixes:
- IBM JDK compatibility
- Improved malformed Referer header support
Charles v2.6.3 release. Minor bug fixes:
- Fixed Port Forwarding fault introduced in v2.6.2
Charles v2.6.2 release. Major improvements and bug fixes including:
- No more recording limits. Large responses are now saved to temporary files, reducing memory usage.
- MTU support in the throttle settings
- AMF3 / Flex 2 bug fixes
Charles v2.6.1 release. Minor bug fixes and improvements:
- SOAP information visible while response is still loading
- AMF3 externalizable object parsing regression fixed
- AMF view for AMF3/Flex messages simplified to hide Flex implementation details
Web Debug Proxy For Mac Windows 10
Charles v2.6 release. Major improvements and bug fixes including:
- Major UI overhaul
- JSON and JSON-RPC support
- SOAP support
Charles v2.5 release. Major improvements and bug fixes including:
- Major UI improvements
- Support for new filetypes including FLV
- Major improvements to AMF / Flash remoting viewer
- Thank you to everyone who made suggestions and participated in the long testing process.
Charles v2.4.2 release. Minor improvements and bug fixes including:
- Support for request body compression (used by web services)
- Fix for parsing of AMFPHP responses
- Improvements to AMF viewer
Charles v2.4.1 release. Minor improvements and bug fixes including:
Ios Webkit Debug Proxy
- Firefox extension improved
- AMF 0 and AMF 3 parsing improved
- Look and Feel changes to give a greater (and more consistent) range of font sizes in the Charles look and feel
- SSL error reporting improved when a connection cannot be made to a remote host
- Port Forwarding tool and Reverse Proxy tool re-bind exception fixed
Charles v2.4 release. Major new features, improvements and bug fixes including:
- AMF 3 support
- SSL support for IBM JDK (thanks to Lance Bader for helping solve this)
- Automatic Update Checking
- Documentation wiki open to public
Charles v2.3 release. Major improvements and bug fixes including:
- Proxy implementation improvements including better handling of keep-alive connections
- SOCKS proxy added, so any SOCKSified application can now run through Charles
- External proxies configuration improvements including authentication
- Flash Remoting / AMF viewer improvements
- Dynamic proxy port support, for multiuser systems
Charles v2.2.1 release. Minor improvements and bug fixes including:
- Further improved Firefox proxy configuration
- Port Forwarding enhancements including port ranges and UDP forwarding
- Bug fixes for Reverse Proxy and AMF viewer
Charles v2.2 released. Major enhancements and bug fixes including:
Proxy For Mac Free
- Improved Firefox proxy configuration
- XML viewer improvements
- Line numbers displayed in ASCII viewer
Charles v2.1 released. Major new features and enhancements including:
- Automatic Firefox proxy configuration
- Formatted form posts and query string information
- Parsing of SWF and AMF (Flash Remoting) binary formats
Charles Web Debugging Proxy Mac
Charles v2.0 released. Major enhancements and improvements.