
I'm using Charles proxy to fetch all the requests coming from my Android app to a webservice.

The thing is Charles shows me the complete request, meaning I can see the whole URL, headers and body so I can see www.example.com/rest/resource/param1/param2, the JSON I send with it and also the authentication header.

After reading several posts like this and this one, I thought the good part of working with TLS was that one could only get the domain name from the URL, in this case www.example.com.

To make sure it's not the client's fault, I requested the webservice resource with Retrofit and HttpsURLConnection and I could see the whole request both times.

I also guess the certificate is properly installed because it is shown in the browser every time an HTTPS request is made. Am I missing something else here, or is this the normal behaviour?

So far I couldn't find a reason for this to happen so any help will be appreciated.

muilpp

1 Answer


To debug with Charles proxy you must install a certificate on your browser (client).

With https the URL is encrypted.

But because you chose to use that proxy, your browser establishes a secure connection to that proxy, and the proxy to the website. So, only 1) you, 2) the proxy, 3) the website can decrypt the https traffic.

By installing a CA certificate on your browser, you allow the person holding the corresponding private key (in your case, your proxy) to impersonate (so, decrypt with a MITM) any website.

Tom
  • Ok thanks, now I get it, could you also recommend a way to prevent this attack? – muilpp Feb 24 '16 at 21:35
  • It's not an attack, you voluntarily installed that certificate. To avoid that "attack" just don't install it ;) – Tom Feb 24 '16 at 21:37
  • yes, but anyone installing the Charles root certificate would also be able to decrypt the request. – muilpp Feb 24 '16 at 21:39
  • I don't know specifically about Charles, if they care about security, each customer uses a different certificate. But anyway it's safer to disable that certificate after your tests. – Tom Feb 24 '16 at 21:42
  • When you attempt to install such a certificate (called a self-signed certificate), the OS will most likely give you a security warning saying that it should NOT be done. You must click proceed to make that install on your device. In doing so, you purposefully allow Charles to perform a MITM attack on you. – Ruchira Randana Apr 30 '16 at 22:29