Genuine question here: How is it not absolutely terrifying that an iOS App Store app can man in the middle HTTPS communications made by other apps? Is there some way in which this isn’t poking a hole in exactly the sort of security sandbox that iOS tends to be good at? (And yes there probably is some part of what’s going on that I don’t understand, that’s why I’m asking the question)
I know that without it we wouldn't have amazing apps like https://itunes.apple.com/us/app/adblock/id691121579 , but I'm really not sure if it's worth that risk for a common user that Apple mostly targets with iOS.
Can't say much about the security, but I suspect it's working by pretending to be a VPN provider and then proxying the traffic. It's then able to install a CA root to generate any certs it needs to MITM traffic. Cert pinning will prevent this from working, but that's the only thing that will.
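For readers wondering what the "cert pinning" mentioned above actually looks like on the app side, here is an added example (my own code, not from the thread, from Charles or from Apple). It is a URLSession delegate that first runs normal chain validation (which a user-installed and user-trusted MITM root passes) and then additionally requires that some certificate in the validated chain matches a pinned SHA-256 digest, which a proxy-generated leaf never does. The pin values are placeholders, and `SecTrustCopyCertificateChain` assumes iOS 15 or later.

```swift
import Foundation
import CryptoKit
import Security

/// URLSession delegate that rejects a TLS connection unless some certificate in the
/// server's validated chain matches one of the pinned SHA-256 digests.
/// Added example, not Charles' or Apple's code; the pin values passed in are placeholders.
final class CertificatePinningDelegate: NSObject, URLSessionDelegate {
    /// Lowercase hex SHA-256 digests of DER-encoded certificates the app trusts.
    /// A real app embeds the digests of its own server (or intermediate) certificates
    /// plus a backup, so a certificate rotation does not lock users out.
    private let pinnedCertificateHashes: Set<String>

    init(pinnedCertificateHashes: Set<String>) {
        self.pinnedCertificateHashes = pinnedCertificateHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges matter here; let the system handle everything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation against the device trust store.
        // A MITM root the user installed and trusted passes this step, which is
        // exactly why step 2 exists.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the validated chain must contain a certificate whose DER digest is pinned.
        // A leaf minted on the fly by an intercepting proxy is signed by the proxy's root,
        // so neither it nor anything above it matches a pin.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []  // iOS 15+
        let matched = chain.contains { certificate in
            pinnedCertificateHashes.contains(Self.sha256Hex(of: certificate))
        }

        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: no pinned certificate in the chain, so refuse the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Lowercase hex SHA-256 of the certificate's DER encoding, i.e. the value
    /// `openssl x509 -fingerprint -sha256` prints, without the colons.
    static func sha256Hex(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    }
}

// Usage: every request made through this session is subject to the pin check.
// Both digests below are placeholders to be replaced with the app's real values.
let pinningDelegate = CertificatePinningDelegate(pinnedCertificateHashes: [
    "<sha256-hex-of-current-server-certificate>",
    "<sha256-hex-of-backup-certificate>"
])
let pinnedSession = URLSession(configuration: .default, delegate: pinningDelegate, delegateQueue: nil)
```

This pins whole certificates, which is the simplest form; pinning the SubjectPublicKeyInfo hash instead survives renewals that keep the same key. Either way the check fails closed, so the pin set needs a backup entry and the app needs a way to ship updated pins before the pinned certificates expire.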
Supposed sandboxing against malicious apps is precisely why I run iOS rather than Android. I get that Charles isn’t malicious, but what’s keeping any random free game app from doing the same thing? (Again, intended as a real question not a rhetorical one)
Setting up Charles requires two explicit authorization steps (each requiring passcode/fingerprint/face verification): First, network interception requires adding a VPN config (the dialog warns that "All network activity on this iPhone may be filtered or monitored when using VPN"). Second, SSL MITM requires installing and trusting a root CA certificate (the relevant prompts in iOS are less clear -- they say that the cert will not be trusted until you enable it, but don't explain the implications if you do enable it).
"what’s keeping any random free game app from doing the same"
It's not that simple; as the author stated, it was some of the most challenging code he ever wrote.
The Charles desktop app is well respected in the developer community. There is no reason that the iOS app will be treated any differently.
1a. This requires your passcode, and any time a system is asking for your permission to do something is worth questioning. Even my least tech-savvy friends and family have learned that if something is asking for your password and you don't know why, abort.
How do you intercept traffic from apps that use cert pinning? Is the only way to patch the app binary and reinstall the patched binary using a dev certificate?
How exactly does one go about patching the binary – is there a tutorial somewhere?
Won't an app worth its salt use certificate pinning to prevent this MITM? In other words, can I use Charles to sniff FB or WhatsApp traffic? I do not use both services, but I am interested in analyzing their traffic.
Yep. App Transport Security mandates that you have to explicitly whitelist the domains [0] which you want to access via plain HTTP. This, however, has nothing to do with certificate pinning, which the OP was mentioning.
[0] Of course you can use the blanket NSAllowsArbitraryLoads to allow plain HTTP everywhere.
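To make the two ATS settings from the comment above concrete, here is an added Info.plist fragment (my own example, not from the thread). It shows the blanket NSAllowsArbitraryLoads opt-out commented out next to the scoped NSExceptionDomains form that only relaxes ATS for one host; legacy.example.com is a placeholder. As the comment says, neither setting has anything to do with certificate pinning.

```xml
<!-- Added Info.plist example, not from the thread. legacy.example.com is a placeholder host. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Blanket form from [0]: every http:// URL in the app goes out in the clear.
         Left disabled here; the scoped exception below is the preferable shape. -->
    <!--
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->

    <!-- Scoped form: only this host (and its subdomains) may be loaded over plain HTTP.
         Every other connection still has to be TLS that ATS accepts. -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

The scoped form keeps the exception reviewable: a grep for NSExceptionAllowsInsecureHTTPLoads tells you exactly which hosts are reachable without TLS, whereas the blanket key silently covers every URL the app ever builds.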
Apps can do this by presenting a configuration profile to the user. This requires entering the passcode and a few steps - it’s not something they can do silently.
It's your phone. Of course software you installed should be allowed to do anything you want.
The fact that Android has recently made it impossible to MITM apps is really making me consider switching. I don't think I will, because in many other ways Android is still more open, but the analysis is no longer as lopsidedly in Android's favour.