Charles Proxy | Not Hacker News!

Discussion (108 comments)

Showing 121 comments

21 days ago

1 reply

Fantastic software that I've used for over a decade. Interacted with Karl a few years ago about Adobe's AMF format; very generous with his time. I was surprised to learn that it's over 20 years old! https://en.wikipedia.org/wiki/Charles_Proxy

sponno

21 days ago

i just texted Karl to say he’s on the front page of HN. I was the same. Charles was soo good for ol AMF!! Still miss Flash.

cientifico

21 days ago

13 replies

One hidden gem.

The closest free alternative is https://www.mitmproxy.org/ that is not even close.

And off course, https://www.wireshark.org/ but that is too generic and with a bigger learning curve.

Worth the money. And no subscription (or there weren't a subscription back then)

acheong08

21 days ago

3 replies

I built a bad clone of Charles Proxy over the summer as part of another project (iOS VPN -> mitm with custom root certificate -> logging). It's surprisingly simple. It basically goes App -> Packet tunnel -> SOCKS -> a child process (I used https://github.com/AdguardTeam/gomitmproxy) to handle the sniffing and reencryption.

Did post the source somewhere at some point but my git server got corrupted and I haven't gone and fixed it. https://github.com/acheong08/apple-corelocation-experiments/...

I wonder if AI is good enough to vibe code my horrible hacks into a full clone of Charles Proxy these days.

Annoying fact: Apple requires you to have a paid developer account to access the Packet Tunnel APIs. You can't even test it in XCode simulator because of how networking works in there. It's insane that I can't even develop for my own phone without paying an extra fee to Apple. The error message when you sideload without a paid account doesn't make it obvious at all and it took me a good day or two before realizing .

le-mark

20 days ago

1 reply

> It's insane that I can't even develop for my own phone without paying an extra fee to Apple.

A Linux phone can’t come fast enough. Yes there is at least one, on ancient hardware. IMO a viable Linux phone requires hardware at most one generation old.

well_ackshually

20 days ago

1 reply

That Linux phone is called Android. It runs plenty fine enough even without GApps (or with shims like microg), and the sheer amount of engineering needed to make baseline linux even usable as a phone system is over a dozen years away.

Android with binder is a strictly superior architecture that anything else that has come for strict isolation. As a bonus, it's battle tested, and latest Android phones just... run linux. You can have a shell and GTK if you so desire.

balnaphone

20 days ago

1 reply

When you say "just... run linux", are you referring to termux, or something else ? How do you run a linux userspace in Android ?

well_ackshually

20 days ago

2 replies

I mean a fully fledged regular debian

https://www.linuxjournal.com/content/bringing-desktop-linux-...

https://source.android.com/docs/whatsnew/android-16-release#...

While this is mostly a KVM setup, there's nothing specific about Android that prevents a linux userspace from running in there. Each app is almost one already. Most of its core components have been integrated into linux's main repository (like binder), and AOSP isn't that far off from a regular Linux. Sure, zygote, user & power management are not exactly a standard install, but they're not that crazy either

le-mark

20 days ago

That’s all very convincing. For users who just want a Linux phone? Not there yet.

rendaw

20 days ago

Okay, so suppose I want a linux and not an android phone, so I get an android phone, disable login password etc, and delete everything except "Linux Terminal" and put my linux there.

What sort of tradeoffs would I see? Performance? Battery life? Security (secure enclave access?)

aeonik

20 days ago

1 reply

I do a lot of work in similar areas here.

While vibe coding will get you something that potentially works, I've noticed LLMs are really bad at cleanly abstracting across multiple layers in this area. They usually will insist on parsing and serializing every field at every layer.

If you have the protocols/interfaces well defined up front it is very fast at building extensions, analytics or visualizations though.

wwweston

20 days ago

> I've noticed LLMs are really bad at cleanly abstracting across multiple layers

Which makes sense, as most developers are too (it’s a particular non-trivial skill and rarely modeled wrll), so LLMs are more likely to be trained on muddled multiple layers.

jeroenhd

20 days ago

1 reply

mitmproxy/mitmweb offer a WireGuard server implementation to do pretty much this. You can grab any existing WireGuard VPN, scan a QR code to import the VPN config, and start monitoring (after installing the MITM certificate, of course).

The packet tunnel story is crazy. I'm glad Android allows you to just use network APIs without question as a developer.

acheong08

20 days ago

That's what I usually use. The packet tunnel method is used if you want everything to be fully local. My plan was to make an app that can locally spoof your location on iOS without a third party able to MITM.

punnerud

21 days ago

2 replies

I was a daily user of mitmproxy, until they changed all they keybindings around version 2. Tried a couple of times to get used to the new “TMUX” style, but switched to Charles Proxy.

Have mitmproxy gotten any better in usability over the years?

jeroenhd

20 days ago

1 reply

I generally prefer mitmweb, the web frontend for mitmproxy. I don't have much of a problem with their tmux-like UI, but I find mitmweb a lot easier to use than the keyboard shortcut based terminal navigation.

punnerud

17 days ago

Same experience. The V1 and V2 was simple to use to clear, start capture, navigate etc. Everything felt broken after the switch, for the trade off to get more features?

Maybe I should do a fork and try to fix it again

NicolaiS

21 days ago

> Have mitmproxy gotten any better in usability over the years?

The new-ish "Local Capture" and "WireGuard"-mode are quite nice.

And running e.g. `mitmproxy --ignore-hosts '.*' --show-ignored-hosts` [1] for monitoring apps with certificate pinning also a new feature

[1] cmd will turn mitmproxy into a "non-MITM proxy" but do show domains (SNI) the app is connecting to.

chrisweekly

20 days ago

1 reply

I had excellent experiences w mitmproxy (and mitmdump) in 2016-17. At that point it was powerful and easily scriptable, making it far superior to charles for my purposes.

_dark_matter_

20 days ago

Agreed, I used to have a bunch of mitm commands in my bashrc to easily intercept https messages

ricardo81

20 days ago

I'd used mitmproxy to reverse engineer browser extensions and mobile apps and it did the trick. It was quite some time ago.

rnewme

20 days ago

What about ZAP? https://www.zaproxy.org/

dns_snek

21 days ago

[delayed]

OptionOfT

20 days ago

What I really like about mitmproxy is that it runs on my server with a certificate I trusted on my phone.

I then flip on WireGuard on my phone, pointed to mitmproxy, and seamlessly all traffic from my phone is decrypted and viewable through the website on my computer.

Except of-course all the applications these days that do certificate pinning, which is annoying, but for that we have Frida.

crossroadsguy

20 days ago

[delayed]

jeroenhd

20 days ago

mitmproxy supports quite a few features that Charles doesn't and vice versa. You could use them as alternatives for basic browser traffic analysis (where they're both fine), but their features and capabilities cover different areas. They complement each other.

leptons

20 days ago

Fiddler is superior to Charles and always has been.

https://www.telerik.com/fiddler

Fnoord

20 days ago

[delayed]

29athrowaway

20 days ago

- mitmproxy (the Docker version is really easy to set up)

- Burp Proxy

- Wireshark, tshark

efortis

21 days ago

Burp is free too (community edition)

https://portswigger.net/burp/communitydownload

DrBenCarson

21 days ago

1 reply

Alltime great software

I’m on proxyman https://proxyman.com/

jibcage

21 days ago

1 reply

I used Charles for a while and also jumped on the Proxyman bandwagon. It’s a slick tool and even works for remote debugging (i.e., an iPhone attached to your computer with a cable).

tricker5453

21 days ago

Proxygen (https://proxygen.app.) has this super cool way to pair its iPhone app with the Mac app, and then remotely inspect traffic from iPhone apps on the Mac. You do the pairing once and then just beam traffic over. Attaching cables feels pretty ancient compared to this.

hboon

21 days ago

11 replies

I don't have elaborate needs and have used Charles for many years. A few years ago I switched to https://proxyman.com and found it easier to use.

cientifico

21 days ago

1 reply

That it's an osx ONLY app.

lnx01

21 days ago

1 reply

MacOS, iOS, Windows, and Linux

distances

21 days ago

I was going to comment on the Mac exclusivity too which might be a bad idea now that Linux is on the rise. But you're right, there's a Linux beta too now. Thanks for the pointer.

ChrisMarshallNY

21 days ago

4 replies

Pretty nice.

Does it work for Xcode simulators?

I use Charles extensively (I am using it for the development I’m doing right now), and it needs to work on simulators.

Cost isn’t an issue for me. Fitness to purpose is important. I won’t cripple my development capacity, in order to save $50.

jshier

21 days ago

1 reply

Yes, Proxyman has great sim integration, including the ability to filter by apps within the sim. It's a far better macOS app than Charles, and I've never found it to be lacking a feature I used in Charles.

ChrisMarshallNY

21 days ago

Cool. I appreciate the tip. I’ll give it a go.

Thanks!

OptionalDonuts

21 days ago

When I was still working with iOS, all of us on the team switched to Proxyman and found it much better than Charles. Developer experience wise that is (features, ui/ux, etc.) We ran into some issues with Charles and found Proxyman as the alternative. Don't remember the issues but we never looked back.

itsn0tm3

21 days ago

It makes working with Xcode simulators even easier by having a dedicated UI workflow to install the proxy certificates and restart the sim. I used to face issues from time to time doing this with Charles having to restart my machine at times and not getting the certificates to work. Proxyman makes this way nicer to work with and since switching I never faced certificate issues again.

Not trying to do an ad, but really glad I don‘t have to think about that anymore :)

hboon

21 days ago

It does. I find the UI better and setting it up easier too

shubhamjain

21 days ago

1 reply

Proxyman is 100x value for 2x the price. I am not even kidding. Native UI, shortcuts, cert installation helper tools. And script editor to programmatically edit requests is so much better and powerful than Charles' request editor.

tricker5453

21 days ago

I've moved to Proxygen app long time ago. Offers the same core functionality plus some unique features for half the price. And it has an amazing iOS app.

https://proxygen.app

shelled

21 days ago

2 replies

At a previous workplace, Charles Proxy was not in the list of approved software. I don't recall the reason - it might have been cost, but we used lots of paid tools, and since it was in the restricted category, we couldn't pick and use (we handled a copious amount of Western PII, from reading, working on it, to storing it). Two were approved: Requestly and another was a link to an internal wiki with a really "interesting" process involving Wireshark and whatnot. Needless to say, that doc was one of the most clicked and least read. I tried Charles at a later place that offered a license, and I went back to Requestly, which I really found to be more straightforward or simpler to use.

SoKamil

21 days ago

1 reply

It is the same thing though?

Charles is a http proxy, Requestly judging by the landing page is a http client like Postman.

shelled

20 days ago

While as a mobile dev most of my usage were limited to api client kinda usage I did use it for debugging traffic and hence its intercepting features. Haven’t checked their landing page or the tool itself in a long time (or any coding for that matter) so not sure.

leptons

20 days ago

"approved use" is usually just someone that doesn't understand what the software does.

I recently had the IT team at my work ban VNC client, they didn't understand it wasn't VNC server, which I could understand being a security risk, but the client? They're idiots.

VoidWhisperer

21 days ago

1 reply

Is anyone else having trouble loading the proxyman website? (Firefox, Windows 11) - it freezes the entire browser..

w4yai

21 days ago

Check your browser extensions

gokaygurcan

21 days ago

I frequently use them both. The main reason why I can't leave Charles is the lack of session grouping in Proxyman. Seeing a huge list of irrelevant items is annoying after some point. In Charles, I can save that session with a name and move on to something else. It's almost impossible to leave one for the other at this point for me.

This goes without saying, but huge thanks to the both developers for making these available.

aaronbrethorst

21 days ago

Likewise. I was a dedicated user of Charles for about a decade. It’s great, but if you are a macOS user, Proxyman is better, easier, and more macOS friendly.

mkw5053

21 days ago

Same. At some point there was a new Charles version and I could not figure out how to use it the way I had used the old version (I admit I forget exactly what I was trying to do), and it was trivial in Proxyman. Proxyman also has a great app.

sgt

21 days ago

Looks much better, thanks for that tip

mavamaarten

21 days ago

If the devs behind Charles would just tweak their UI a bit, it would be the absolute perfect tool. Functionally it pretty much already is. Mainly being able to turn on and off and configuring features I use all the time (rewrite, map local, map remote) is always a journey through menu's that don't always make sense. The only functional thing I'm missing is some DNS stuff (e.g. throttling or breaking DNS specifically).

I tried using proxyman for a while, and while definitely powerful and more modern, it honestly didn't feel "better" or more powerful so I didn't go for yet another license.

ghxst

20 days ago

I went from charles to mitmproxy to proxyman and am currently using Reqable. Something all of these miss imo is a way to modify TLS handshakes.

aua

21 days ago

1 reply

I found Charles Proxy last year and it's fantastic. They have a mobile app too (if you need the ssl proxying for mobile apps).

thunderbong

21 days ago

Didn't know about that.

https://www.charlesproxy.com/documentation/ios/

eddywebs

21 days ago

3 replies

How come a reverse-proxy, better than the network tab in dev tools ?

keithnz

20 days ago

super useful when you have an application, i.e. not a browser, that is making api calls that you want to inspect.

leptons

20 days ago

Dev tools is an "inspector" and limited in scope, like a butter knife, a real proxy tool is like a Swiss Army knife.

efortis

21 days ago

You can do more, e.g., changing the status code

logicuce

21 days ago

1 reply

I feel obliged to mention Fiddler. The tool I loved almost 20 years back and felt like it came from future. IIRC it was/is more powerful than Charles. Fiddler was Windows only but at one time they had builds for other platforms in works. Sadly they got acquired which changed their roadmap, and I had also moved on from Windows.

https://www.telerik.com/fiddler

_blackhawk_

21 days ago

5 replies

This. I tell people tales of that beautiful tool. have you found anything for a MacOS? My hunt so far has been futile.

mytydev

21 days ago

1 reply

The fiddler landing page says it runs on Windows, macOS, and Linux, so maybe give it another try.

logicuce

20 days ago

1 reply

The original thing is now called Fiddler Classic and it is still Windows only. Not maintained anymore, sadly. It has first class scripting support.

leptons

20 days ago

I still use Fiddler Classic, at least once a week when I need to dig-in on a problem. It occasionally gets an update though I can't remember the last time it did.

It's so powerful, especially with the JScript scripting language. Such a powerful tool.

sumedh

20 days ago

Proxyman is great.

dsincl12

21 days ago

https://proxyman.com/

m0dest

19 days ago

https://nssurge.com is available on macOS & iOS and has seemed superior to Fiddler in many ways.

- Supports a pseudo-VPN mode (~tap and socket filter) that intercepts any traffic that doesn't go through the HTTPS/SOCKS proxies, including attempting TLS MITM on them.

- Can sync between devices with iCloud Drive if desired

- Robust scripting support including third-party auto-updating "module" support loaded via URL, if desired

- Native macOS/iOS UI

logicuce

21 days ago

For macOS settled on Charles back then but not as capable as Fiddler.

imvetri

21 days ago

1 reply

Never learnt the use of this tool. The certificate configuration tripped my head during my work. This gives brain damage because it doesn't make sense.

Why to check network payload when you are sure the data was sent.

-frontend developer

myHNAccount123

20 days ago

It's invaluable for mobile developers. What you think you sent and in what order, is not always what happens. Charles and Proxyman help you figure that out.

runtimepanic

21 days ago

3 replies

Burp Suite can do much of this as well, but the intent feels different. Charles is very much about observing and understanding raw HTTP(S) traffic with minimal friction, which makes it handy for quick debugging, mobile app inspection, or client-side issues. Burp leans heavily into security workflows: interception, replay, automation, and attack surface exploration. That power comes with more setup and a more opinionated UI. I’ve found Charles useful when I want visibility without switching into “pentest mode,” whereas Burp shines when security analysis is the goal.

lillesvin

21 days ago

1 reply

Just to mention an alternative option, ZAP (aka. Zed Attack Proxy) covers much of the same ground as Burp and is entirely free and Open Source.

dns_snek

21 days ago

[delayed]

Sytten

20 days ago

1 reply

You can also check out Caido as an alternative, we are a newer player in the space but catching up very fast. Most of the Burp new features of the last 2 years are basically copying what we innovated in Caido.

runtimepanic

20 days ago

That’s fair. I mostly stick with Burp because I’m very familiar with its workflows and tooling, and that familiarity matters a lot in day-to-day work. That said, I genuinely appreciate having credible competitors to Burp. New tools entering the space tend to challenge long-standing assumptions, especially around UX and ergonomics, and that pressure usually benefits everyone. Even if I don’t switch immediately, competition is healthy and often the reason established tools keep improving.

hashstring

20 days ago

Exactly, usually for my UC, Burp is enough. Even the Community Edition works great.

tricker5453

21 days ago

1 reply

I mean, Charles Proxy was a great option perhaps 20 years ago, in a time when there weren't any native Mac apps around.

If you take a closer look at the HTTP proxy app space a lot has happened since then. We have many free open source apps like mitmproxy, information security focused tools like Burp Suite and many others.

I have taken a liking on a relatively new app. Proxygen (https://proxygen.app). They've nailed their UI and the app receives constant updates. Their free version runs circles around similar apps like Charles and Proxyman which aren't that great value these days.

daishi424

21 days ago

1 reply

Mind making some disclosure? Your account is 0 days old, and has made 3 comments. All in the same thread and promoting the same app.

tricker5453

21 days ago

Just noticed this post making the rounds in Hacker News. I've worked with these tools for tens of years so figured I'd chime in, although I haven't commented here before. Lately I've been really happy with the Proxygen app and wanted to add it to the discussion because I really want to see that app thrive.

obventio56

21 days ago

2 replies

Wait why is this on the front page? I thought this is a very established and well-known tool

everlier

20 days ago

1 reply

I am also confused, I can't see any recent news/updates for this project either.

geerlingguy

20 days ago

From time to time, an "old" things reappears, since there's always a number of people who haven't heard of it (or just like upvoting things they like, I guess).

Obligatory Ten Thousand reference: https://xkcd.com/1053/

benhurmarcel

20 days ago

Well I never heard of it before so I appreciate it

doomerhunter

21 days ago

1 reply

I am a Burp guy, but lately Caido[1] has been trending, pretty lightweight and can be ran in headless mode. It's still very security-oriented (as Burp Suite is), but might be worth your time, notably as you can run it on a VPS/container to proxy all your traffic through it (which is by-design, contrary to my beloved burp/zap)

[1] https://caido.io/

Sytten

20 days ago

2 replies

Caido co-founder here, thanks for the shoutout! We are slowly moving to the DevSecOps space too.

ghxst

20 days ago

1 reply

Please consider allowing the user to modify the TLS handshake / ClientHello. Out of all proxies I have used only Burp offers this through a plugin / extension.

Sytten

19 days ago

Agreed this is something we need to do, but not easy to do properly. The TLS 1.3 spec has a lot of extensions, currently we use openssl that for example doesn't support GREASE.

doomerhunter

19 days ago

My pleasure, your team is doing a great job and its good to see competition in that space, forces everyone to push forward :D

kyleblarson

21 days ago

1 reply

The combination of Charles + Postman is great for reverse engineering mobile API's. Inspect traffic w/ Charles, export request to cUrl, import cUrl into Postman, play around with request headers / params / etc, export to py, use Cursor to create reusable library.

oxedom

21 days ago

Out of curiosity, what would the setup for reverse enginering a iOS/Android app look like using Charles Proxy?

ghxst

20 days ago

1 reply

I'd say Reqable is a worthy mention as well.

cxplay

20 days ago

I'm also using Reqable, for those interested check it out: https://reqable.com

1vuio0pswjnm7

20 days ago

2 replies

Is this "breaking TLS", as referred to here:

https://news.ycombinator.com/item?id=46214950

1vuio0pswjnm7

20 days ago

Is the "breaking TLS" rant referring to the mechanism for doing so or to the reason why the mechanism is being used (and/or who is using it)

sflanker

20 days ago

This is a totally different class of software than what that post is ranting about. Charles is a local developer tool intended for temporary use when debugging. It only inspects TLS connections if 1) you enable that feature and 2) you add the domain being connected to the list to be inspected.

That being said, the mechanism is the same. Charles generates a root certificate that it uses to issue certificates for each domain in intercepts a TLS connection for and you need to install that root certificate in your OS such that your clients will trust that certificate. If you have a client that doesn’t use the Mac OS certificate store you may have to do some extra per client configuration.

I also despise “security” tools that intercept and inspect TLS traffic (such as ZAcaler for example), but I find a Charles to be very useful for what it does and the TLS inspection support is easy to use and really helpful/necessary in some cases.

PieUser

20 days ago

1 reply

Ugh these comments - every time it's just people spewing alternatives they like better

keithnz

20 days ago

that's a good thing, many a time I've discovered some real gems by people telling us about alternatives

snyp

20 days ago

1 reply

A much better alternative for MacOS folks https://proxyman.com/

ollysb

20 days ago

I used Charles for many years but proxyman's performance is a real step up.

swaraj

21 days ago

I once used Charles Proxy to change all the game configs for Candy Crush Saga on my phone back in 2013 by intercepting and replacing the API requests - I made all the puzzles have 1-2 colors and infinite powerups. I guess they didn't care much about the security because I ended up spending way more time in the game

Aldipower

21 days ago

Used it heavily as my AS3 dev times from 2008 to 2011. Crazy that is still around.

el_benhameen

21 days ago

Just upgraded my license today, so I guess Charles is my new Baader-Meinhof token. Great tool! The ssl proxying is especially handy.

simultsop

21 days ago

Tool that can't be beaten

self_awareness

21 days ago

This one is truly a gem:

https://httptoolkit.com

It even bypasses SSL pinning on Android using 1 click.

dhuan_

21 days ago

I’ve found tools like Charles really useful for understanding what’s happening on the wire. When I need something more repeatable (tests, offline work), I usually reach for a mock server instead. I ended up building a small one for my own use and later open-sourced it:

https://dhuan.github.io/mock/latest/examples.html

followben

21 days ago

Wow. Charles was indispensable tool for working with HTTP apis back when I got started as an iOS dev in 2011. Great to see it still going strong.

rramadass

21 days ago

How does "Zed Attack Proxy" (ZAP - https://www.zaproxy.org/) which is opensource and part of OWASP (https://owasp.org/) compare with this and other similar proxies?

dacapoday

19 days ago

Why not [Reqable](https://reqable.com/en-US/)? More modern, more powerful.

h33t-l4x0r

21 days ago

I loved Charles, I used it for many years. It only stopped when an update changed the UI in ways that were confusing, and also the chrome network tab really did everything I need in terms of inspecting requests / responses.

user3939382

21 days ago

Even better SIP bullshit off kext tap nic mitm intermed. certs. Fuck all the phone home stuff it’s enough.

nunez

20 days ago

Used this all of the time back in the day. Great tool.

rightisleft

20 days ago

flashback to 2009 right here...

akaitea

20 days ago

For my rather simple needs I've been using https://httptoolkit.com free edition, I like that it launches a independent Firefox window on its own for the intercepting so I don't have to touch my working browser or deal with configuring a proxy anywhere

dilyevsky

20 days ago

Is there a story behind misusing the term "reverse proxy" as it is clearly a forward proxy?

poemxo

21 days ago

I like Burp Suite better for intercept and Squid better for a persistent proxy but maybe I'll give Charles another shot.

wahnfrieden

21 days ago

Even after using it for years I could never recognize all its unlabeled icons without hovering for tooltip

I emailed the author about it a decade ago but he didn’t seem convinced

tgma

21 days ago

More narrow cmdline http inspection tool https://github.com/signeen/inspect-http-proxy

Resources