Worth the money. And no subscription (or there weren't a subscription back then)
By cientifico 11 hours ago
What I really like about mitmproxy is that it runs on my server with a certificate I trusted on my phone.
I then flip on WireGuard on my phone, pointed to mitmproxy, and seamlessly all traffic from my phone is decrypted and viewable through the website on my computer.
Except of-course all the applications these days that do certificate pinning, which is annoying, but for that we have Frida.
By OptionOfT 2 hours ago
I built a bad clone of Charles Proxy over the summer as part of another project (iOS VPN -> mitm with custom root certificate -> logging). It's surprisingly simple. It basically goes App -> Packet tunnel -> SOCKS -> a child process (I used https://github.com/AdguardTeam/gomitmproxy) to handle the sniffing and reencryption.
I wonder if AI is good enough to vibe code my horrible hacks into a full clone of Charles Proxy these days.
Annoying fact: Apple requires you to have a paid developer account to access the Packet Tunnel APIs. You can't even test it in XCode simulator because of how networking works in there. It's insane that I can't even develop for my own phone without paying an extra fee to Apple. The error message when you sideload without a paid account doesn't make it obvious at all and it took me a good day or two before realizing .
By acheong08 10 hours ago
mitmproxy/mitmweb offer a WireGuard server implementation to do pretty much this. You can grab any existing WireGuard VPN, scan a QR code to import the VPN config, and start monitoring (after installing the MITM certificate, of course).
The packet tunnel story is crazy. I'm glad Android allows you to just use network APIs without question as a developer.
By jeroenhd 2 hours ago
> It's insane that I can't even develop for my own phone without paying an extra fee to Apple.
A Linux phone can’t come fast enough. Yes there is at least one, on ancient hardware. IMO a viable Linux phone requires hardware at most one generation old.
By le-mark 4 hours ago
That Linux phone is called Android. It runs plenty fine enough even without GApps (or with shims like microg), and the sheer amount of engineering needed to make baseline linux even usable as a phone system is over a dozen years away.
Android with binder is a strictly superior architecture that anything else that has come for strict isolation. As a bonus, it's battle tested, and latest Android phones just... run linux. You can have a shell and GTK if you so desire.
By well_ackshually 2 hours ago
When you say "just... run linux", are you referring to termux, or something else ? How do you run a linux userspace in Android ?
While this is mostly a KVM setup, there's nothing specific about Android that prevents a linux userspace from running in there. Each app is almost one already. Most of its core components have been integrated into linux's main repository (like binder), and AOSP isn't that far off from a regular Linux. Sure, zygote, user & power management are not exactly a standard install, but they're not that crazy either
By well_ackshually an hour ago
I do a lot of work in similar areas here.
While vibe coding will get you something that potentially works, I've noticed LLMs are really bad at cleanly abstracting across multiple layers in this area. They usually will insist on parsing and serializing every field at every layer.
If you have the protocols/interfaces well defined up front it is very fast at building extensions, analytics or visualizations though.
By aeonik 4 hours ago
> I've noticed LLMs are really bad at cleanly abstracting across multiple layers
Which makes sense, as most developers are too (it’s a particular non-trivial skill and rarely modeled wrll), so LLMs are more likely to be trained on muddled multiple layers.
By wwweston 4 hours ago
mitmproxy isn't the gold standard; it is Burp Suite, sadly.
Burp Suite uses a subscription model. Charles a model like Sublime Text: you buy it and get to keep the version forever, major upgrades available for a discount.
I had to chuckle at this one:
> If you purchased a Charles license prior to 1 May 2008 your existing license key is still valid for Charles 5.
So I guess in past they used a model where you'd have lifetime upgrades.
Which also made me think: I recognize this name! This has to be an older piece of software. Was it published on Freshmeat in the start of this century?
There's also some TUI for Wireshark, such as frontends for tshark. I think [1] looks interesting, since it can be used with a local LLM (via Ollama).
I'd used mitmproxy to reverse engineer browser extensions and mobile apps and it did the trick. It was quite some time ago.
By ricardo81 3 hours ago
I had excellent experiences w mitmproxy (and mitmdump) in 2016-17. At that point it was powerful and easily scriptable, making it far superior to charles for my purposes.
By chrisweekly 4 hours ago
Agreed, I used to have a bunch of mitm commands in my bashrc to easily intercept https messages
By _dark_matter_ 4 hours ago
mitmproxy supports quite a few features that Charles doesn't and vice versa. You could use them as alternatives for basic browser traffic analysis (where they're both fine), but their features and capabilities cover different areas. Charles is user friendly and robust, mitmproxy has advanced scripting capabilities with a decent amount of community examples available. They complement each other.
Wireshark is extremely powerful and useful but it lives in a completely different category of tools. It's not a proxy so it can't modify traffic or inspect HTTPS [1], it's used to passively capture and analyze general network traffic and troubleshoot networking issues.
[1] without an elaborate setup, your program needs to be instructed to dump TLS encryption keys for Wireshark to read
By dns_snek 8 hours ago
I was a daily user of mitmproxy, until they changed all they keybindings around version 2. Tried a couple of times to get used to the new “TMUX” style, but switched to Charles Proxy.
Have mitmproxy gotten any better in usability over the years?
Just based on the images, is seems to have the same problems?
By punnerud 9 hours ago
> Have mitmproxy gotten any better in usability over the years?
The new-ish "Local Capture" and "WireGuard"-mode are quite nice.
And running e.g. `mitmproxy --ignore-hosts '.*' --show-ignored-hosts` [1] for monitoring apps with certificate pinning also a new feature
[1] cmd will turn mitmproxy into a "non-MITM proxy" but do show domains (SNI) the app is connecting to.
By NicolaiS 5 hours ago
I generally prefer mitmweb, the web frontend for mitmproxy. I don't have much of a problem with their tmux-like UI, but I find mitmweb a lot easier to use than the keyboard shortcut based terminal navigation.
By jeroenhd 2 hours ago
I feel obliged to mention Fiddler. The tool I loved almost 20 years back and felt like it came from future. IIRC it was/is more powerful than Charles. Fiddler was Windows only but at one time they had builds for other platforms in works. Sadly they got acquired which changed their roadmap, and I had also moved on from Windows.
For macOS settled on Charles back then but not as capable as Fiddler.
By logicuce 9 hours ago
The fiddler landing page says it runs on Windows, macOS, and Linux, so maybe give it another try.
By mytydev 7 hours ago
For my rather simple needs I've been using https://httptoolkit.com free edition, I like that it launches a independent Firefox window on its own for the intercepting so I don't have to touch my working browser or deal with configuring a proxy anywhere
By akaitea 3 hours ago
I don't have elaborate needs and have used Charles for many years. A few years ago I switched to https://proxyman.com and found it easier to use.
By hboon 11 hours ago
Proxyman is 100x value for 2x the price. I am not even kidding. Native UI, shortcuts, cert installation helper tools. And script editor to programmatically edit requests is so much better and powerful than Charles' request editor.
By shubhamjain 9 hours ago
Likewise. I was a dedicated user of Charles for about a decade. It’s great, but if you are a macOS user, Proxyman is better, easier, and more macOS friendly.
By aaronbrethorst 10 hours ago
At a previous workplace, Charles Proxy was not in the list of approved software. I don't recall the reason - it might have been cost, but we used lots of paid tools, and since it was in the restricted category, we couldn't pick and use (we handled a copious amount of Western PII, from reading, working on it, to storing it). Two were approved: Requestly and another was a link to an internal wiki with a really "interesting" process involving Wireshark and whatnot. Needless to say, that doc was one of the most clicked and least read. I tried Charles at a later place that offered a license, and I went back to Requestly, which I really found to be more straightforward or simpler to use.
By shelled 6 hours ago
It is the same thing though?
Charles is a http proxy, Requestly judging by the landing page is a http client like Postman.
By SoKamil 5 hours ago
While as a mobile dev most of my usage were limited to api client kinda usage I did use it for debugging traffic and hence its intercepting features. Haven’t checked their landing page or the tool itself in a long time (or any coding for that matter) so not sure.
By shelled 4 hours ago
If the devs behind Charles would just tweak their UI a bit, it would be the absolute perfect tool. Functionally it pretty much already is. Mainly being able to turn on and off and configuring features I use all the time (rewrite, map local, map remote) is always a journey through menu's that don't always make sense. The only functional thing I'm missing is some DNS stuff (e.g. throttling or breaking DNS specifically).
I tried using proxyman for a while, and while definitely powerful and more modern, it honestly didn't feel "better" or more powerful so I didn't go for yet another license.
By mavamaarten 8 hours ago
I went from charles to mitmproxy to proxyman and am currently using Reqable. Something all of these miss imo is a way to modify TLS handshakes.
By ghxst 3 hours ago
Same. At some point there was a new Charles version and I could not figure out how to use it the way I had used the old version (I admit I forget exactly what I was trying to do), and it was trivial in Proxyman. Proxyman also has a great app.
By mkw5053 5 hours ago
I frequently use them both. The main reason why I can't leave Charles is the lack of session grouping in Proxyman. Seeing a huge list of irrelevant items is annoying after some point. In Charles, I can save that session with a name and move on to something else. It's almost impossible to leave one for the other at this point for me.
This goes without saying, but huge thanks to the both developers for making these available.
By gokaygurcan 7 hours ago
Is anyone else having trouble loading the proxyman website? (Firefox, Windows 11) - it freezes the entire browser..
By VoidWhisperer 5 hours ago
Check your browser extensions
By w4yai 5 hours ago
Pretty nice.
Does it work for Xcode simulators?
I use Charles extensively (I am using it for the development I’m doing right now), and it needs to work on simulators.
Cost isn’t an issue for me. Fitness to purpose is important. I won’t cripple my development capacity, in order to save $50.
By ChrisMarshallNY 11 hours ago
It makes working with Xcode simulators even easier by having a dedicated UI workflow to install the proxy certificates and restart the sim.
I used to face issues from time to time doing this with Charles having to restart my machine at times and not getting the certificates to work.
Proxyman makes this way nicer to work with and since switching I never faced certificate issues again.
Not trying to do an ad, but really glad I don‘t have to think about that anymore :)
By itsn0tm3 10 hours ago
Yes, Proxyman has great sim integration, including the ability to filter by apps within the sim. It's a far better macOS app than Charles, and I've never found it to be lacking a feature I used in Charles.
By jshier 11 hours ago
Cool. I appreciate the tip. I’ll give it a go.
Thanks!
By ChrisMarshallNY 11 hours ago
When I was still working with iOS, all of us on the team switched to Proxyman and found it much better than Charles. Developer experience wise that is (features, ui/ux, etc.) We ran into some issues with Charles and found Proxyman as the alternative. Don't remember the issues but we never looked back.
By OptionalDonuts 9 hours ago
It does. I find the UI better and setting it up easier too
By hboon 10 hours ago
Looks much better, thanks for that tip
By sgt 11 hours ago
That it's an osx ONLY app.
By cientifico 11 hours ago
MacOS, iOS, Windows, and Linux
By lnx01 9 hours ago
I was going to comment on the Mac exclusivity too which might be a bad idea now that Linux is on the rise. But you're right, there's a Linux beta too now. Thanks for the pointer.
By distances 7 hours ago
Burp Suite can do much of this as well, but the intent feels different.
Charles is very much about observing and understanding raw HTTP(S) traffic with minimal friction, which makes it handy for quick debugging, mobile app inspection, or client-side issues.
Burp leans heavily into security workflows: interception, replay, automation, and attack surface exploration. That power comes with more setup and a more opinionated UI.
I’ve found Charles useful when I want visibility without switching into “pentest mode,” whereas Burp shines when security analysis is the goal.
By runtimepanic 10 hours ago
You can also check out Caido as an alternative, we are a newer player in the space but catching up very fast. Most of the Burp new features of the last 2 years are basically copying what we innovated in Caido.
By Sytten 4 hours ago
That’s fair. I mostly stick with Burp because I’m very familiar with its workflows and tooling, and that familiarity matters a lot in day-to-day work.
That said, I genuinely appreciate having credible competitors to Burp. New tools entering the space tend to challenge long-standing assumptions, especially around UX and ergonomics, and that pressure usually benefits everyone.
Even if I don’t switch immediately, competition is healthy and often the reason established tools keep improving.
By runtimepanic 4 hours ago
Just to mention an alternative option, ZAP (aka. Zed Attack Proxy) covers much of the same ground as Burp and is entirely free and Open Source.
By lillesvin 9 hours ago
On paper ZAP has all of the features I care about, but I gave it my best try and found it really unintuitive to use.
By dns_snek 8 hours ago
Wait why is this on the front page? I thought this is a very established and well-known tool
By obventio56 8 hours ago
I am also confused, I can't see any recent news/updates for this project either.
By everlier 4 hours ago
From time to time, an "old" things reappears, since there's always a number of people who haven't heard of it (or just like upvoting things they like, I guess).
This is a totally different class of software than what that post is ranting about. Charles is a local developer tool intended for temporary use when debugging. It only inspects TLS connections if 1) you enable that feature and 2) you add the domain being connected to the list to be inspected.
That being said, the mechanism is the same. Charles generates a root certificate that it uses to issue certificates for each domain in intercepts a TLS connection for and you need to install that root certificate in your OS such that your clients will trust that certificate. If you have a client that doesn’t use the Mac OS certificate store you may have to do some extra per client configuration.
I also despise “security” tools that intercept and inspect TLS traffic (such as ZAcaler for example), but I find a Charles to be very useful for what it does and the TLS inspection support is easy to use and really helpful/necessary in some cases.
I used Charles for a while and also jumped on the Proxyman bandwagon. It’s a slick tool and even works for remote debugging (i.e., an iPhone attached to your computer with a cable).
By jibcage 11 hours ago
Proxygen (https://proxygen.app) has this super cool way to pair its iPhone app with the Mac app, and then remotely inspect traffic from iPhone apps on the Mac. You do the pairing once and then just beam traffic over. Attaching cables feels pretty ancient compared to this.
By tricker5453 8 hours ago
Ugh these comments - every time it's just people spewing alternatives they like better
By PieUser 42 minutes ago
Fantastic software that I've used for over a decade. Interacted with Karl a few years ago about Adobe's AMF format; very generous with his time.
I was surprised to learn that it's over 20 years old! https://en.wikipedia.org/wiki/Charles_Proxy
By infomaniac 12 hours ago
i just texted Karl to say he’s on the front page of HN. I was the same. Charles was soo good for ol AMF!! Still miss Flash.
By sponno 11 hours ago
I once used Charles Proxy to change all the game configs for Candy Crush Saga on my phone back in 2013 by intercepting and replacing the API requests - I made all the puzzles have 1-2 colors and infinite powerups. I guess they didn't care much about the security because I ended up spending way more time in the game
By swaraj 11 hours ago
I’ve found tools like Charles really useful for understanding what’s happening on the wire. When I need something more repeatable (tests, offline work), I usually reach for a mock server instead. I ended up building a small one for my own use and later open-sourced it:
The combination of Charles + Postman is great for reverse engineering mobile API's. Inspect traffic w/ Charles, export request to cUrl, import cUrl into Postman, play around with request headers / params / etc, export to py, use Cursor to create reusable library.
By kyleblarson 5 hours ago
Out of curiosity, what would the setup for reverse enginering a iOS/Android app look like using Charles Proxy?
By oxedom 4 hours ago
I am a Burp guy, but lately Caido[1] has been trending, pretty lightweight and can be ran in headless mode. It's still very security-oriented (as Burp Suite is), but might be worth your time, notably as you can run it on a VPS/container to proxy all your traffic through it (which is by-design, contrary to my beloved burp/zap)
Caido co-founder here, thanks for the shoutout! We are slowly moving to the DevSecOps space too.
By Sytten 4 hours ago
Please consider allowing the user to modify the TLS handshake / ClientHello. Out of all proxies I have used only Burp offers this through a plugin / extension.
By ghxst 3 hours ago
I loved Charles, I used it for many years. It only stopped when an update changed the UI in ways that were confusing, and also the chrome network tab really did everything I need in terms of inspecting requests / responses.
By h33t-l4x0r 10 hours ago
Used this all of the time back in the day. Great tool.
By nunez 2 hours ago
Used it heavily as my AS3 dev times from 2008 to 2011. Crazy that is still around.
Even after using it for years I could never recognize all its unlabeled icons without hovering for tooltip
I emailed the author about it a decade ago but he didn’t seem convinced
By wahnfrieden 11 hours ago
Even better SIP bullshit off kext tap nic mitm intermed. certs. Fuck all the phone home stuff it’s enough.
By user3939382 11 hours ago
Never learnt the use of this tool. The certificate configuration tripped my head during my work.
This gives brain damage because it doesn't make sense.
Why to check network payload when you are sure the data was sent.
-frontend developer
By imvetri 11 hours ago
It's invaluable for mobile developers. What you think you sent and in what order, is not always what happens. Charles and Proxyman help you figure that out.
By cientifico 11 hours ago
By OptionOfT 2 hours ago
By acheong08 10 hours ago
By jeroenhd 2 hours ago
By le-mark 4 hours ago
By well_ackshually 2 hours ago
By balnaphone an hour ago
By well_ackshually an hour ago
By aeonik 4 hours ago
By wwweston 4 hours ago
By Fnoord 2 hours ago
By ricardo81 3 hours ago
By chrisweekly 4 hours ago
By _dark_matter_ 4 hours ago
By jeroenhd 2 hours ago
By efortis 11 hours ago
By rnewme 2 hours ago
By dns_snek 8 hours ago
By punnerud 9 hours ago
By NicolaiS 5 hours ago
By jeroenhd 2 hours ago
By logicuce 11 hours ago
By _blackhawk_ 11 hours ago
By dsincl12 11 hours ago
By logicuce 9 hours ago
By mytydev 7 hours ago
By akaitea 3 hours ago
By hboon 11 hours ago
By shubhamjain 9 hours ago
By aaronbrethorst 10 hours ago
By shelled 6 hours ago
By SoKamil 5 hours ago
By shelled 4 hours ago
By mavamaarten 8 hours ago
By ghxst 3 hours ago
By mkw5053 5 hours ago
By gokaygurcan 7 hours ago
By VoidWhisperer 5 hours ago
By w4yai 5 hours ago
By ChrisMarshallNY 11 hours ago
By itsn0tm3 10 hours ago
By jshier 11 hours ago
By ChrisMarshallNY 11 hours ago
By OptionalDonuts 9 hours ago
By hboon 10 hours ago
By sgt 11 hours ago
By cientifico 11 hours ago
By lnx01 9 hours ago
By distances 7 hours ago
By runtimepanic 10 hours ago
By Sytten 4 hours ago
By runtimepanic 4 hours ago
By lillesvin 9 hours ago
By dns_snek 8 hours ago
By obventio56 8 hours ago
By everlier 4 hours ago
By geerlingguy 4 hours ago
By followben 12 hours ago
By aua 11 hours ago
By thunderbong 11 hours ago
By 1vuio0pswjnm7 2 hours ago
By sflanker 3 minutes ago
By DrBenCarson 11 hours ago
By jibcage 11 hours ago
By tricker5453 8 hours ago
By PieUser 42 minutes ago
By infomaniac 12 hours ago
By sponno 11 hours ago
By swaraj 11 hours ago
By dhuan_ 7 hours ago
By kyleblarson 5 hours ago
By oxedom 4 hours ago
By doomerhunter 7 hours ago
By Sytten 4 hours ago
By ghxst 3 hours ago
By h33t-l4x0r 10 hours ago
By nunez 2 hours ago
By Aldipower 6 hours ago
By ghxst 3 hours ago
By self_awareness 11 hours ago
By poemxo 8 hours ago
By tgma 11 hours ago
By eddywebs 11 hours ago
By efortis 11 hours ago
By el_benhameen 11 hours ago
By simultsop 8 hours ago
By rramadass 9 hours ago
By wahnfrieden 11 hours ago
By user3939382 11 hours ago
By imvetri 11 hours ago
By myHNAccount123 3 hours ago