Charles Proxy Setup for 💻 Desktops and 📱Mobile Devices

Some test cycles require extended logging of the internet traffic from and to our devices, or a connection routed through a proxy server. For that purpose, mobile testers often deal with the Charles Web Proxy software. The goal of this post is to guide you through the first steps and the overall configuration. The procedure may seem complicated at first, but bear once we’ve finished the initial setup, its future use just requires 30 seconds to get everything ready. So let’s get started!

Charles Web Proxy acts as the middle man between the client and the server. It can intercept/sniff the traffic over the network. We can route all the network traffic from and to our (desktop or mobile) devices through it.

Agenda

1. Download and Install Charles on Desktops — macOS and Windows
2. Connect Mobile Devices to Charles — iOS and Android
3. Install Charles CA Root Certificates — Desktops (macOS and Windows) and Mobile Phones (iOS and Android — physical and virtual)
4. Capture and Decrypt SSL Traffic Using Charles
5. Export Device Logs to Support Bug Reports
6. Tidy Up
7. Miscellaneous Issues

1. Download and Install Charles on Desktops — macOS and Windows

Although Charles is not an open-source software or a free tool, a demo version is available. It can be downloaded and used for free but limits each session to 30 minutes. Consequently, we have to restart the software now and then, if you want to use it for a more extended period.

Let’s head over to Charles Proxy’s website at https://www.charlesproxy.com/download/ and download the appropriate version for our operating system.

macOS

Let’s download and install Charles Proxy on a Mac.

Download and open the .dmg file.

Accept the license terms and drag the file to the Applications folder.

Launch the Charles app and verify the macOS Proxy option is enabled.

Open a browser and navigate to a random site. We see new log entries popping up in the Charles log now. If that log is filling up, we are good to go.

The Charles window opens up. Anything with a padlock icon 🔒 is not monitored and shows as <unknown>.

We can stop the recording by clicking the red circle 🔴 and clear the current session with the broom 🧹.

Windows

Now let’s go through the download and installation process on Windows.

Download the .msi file.

Once we’ve finished the download, we open the .msi file via the Start menu.

Go through a series of installation prompts.

Once we’ve finished the install, we open the Charles Proxy software via the Start menu.

Launch Charles and verify that Windows Proxy is checked ☑️.

Open a browser and navigate to a random site. We see new log entries popping up in the Charles log now. If that log is filling up, we are good to go.

The Charles window opens up. Anything with a padlock icon 🔒 is not monitored and shows as <unknown>.

As before, we can stop the recording by clicking the red circle 🔴 and clear the current session with the broom 🧹.

I recorded a quick video walk-through for Windows users: https://youtu.be/koE6nwjha3k?si=cexIhGvdRO0J-ZzU.

We are done with the desktop download and installation. As soon as Charles is running, it automatically captures and records all browser traffic. This procedure typically covers the most common browsers like Chrome, Firefox, Safari, and Edge.

2. Connect Mobile Devices to Charles — iOS and Android

Configuring Charles on the phone is a little different. Important notes to keep in mind, when connecting new mobile devices:

• Make sure your phone is connected to the same WiFi as the computer it’s plugged into.
• Once a new device tries to connect to our Charles session, Charles asks to grant the permission to do so. Be sure to allow the connection.
• Also disable or appropriately configure any firewall or internet security.

As Charles is running now, we want to route all the network traffic from and to our devices through it. Depending on the device you plan to use, perform the following steps matching your device(s).

Gathering two crucial pieces of information first

Before we can configure our mobile device to use Charles, we need to know the internal IP Address of our computer (running Charles) and the Port. This can quickly be done as follows:

• In Charles on desktop, click Help ▸ Local IP Address to locate your IP. The address consists of four blocks of one to three digits each. It is 10.0.0.76 in my case. It may look something like192.168.178.100 in yours.

Retrieve Local IP Address number.

Alternately, get the IP Address via Proxy > Access Control Settings.

• We also need to know the port, that Charles is using. It is 8888 by default, but you may check via Proxy ▸ Proxy Settings.... It is the HTTP Proxy Port. You can also click the gear icon in the toolbar and select Proxy Settings... there.

Retrieve Port number.

We are going to need both numbers in the next step.

iOS

Real Device

Configure Charles Proxy on a real iOS device. To connect our iOS device, let’s follow these steps:

• Go to Settings
• Tap WiFi. Select the connected WiFi network.
• Tap (i) to the right of our selected WiFi network
• Scroll down to the Configure Proxy section.

• Tap Manual.
• In the Server field, enter the IP Address retrieved earlier.
• For the Port, enter default port 8888 retrieved earlier.
• Verify that Manual configuration is on and the Router number is correct.

The settings on your device may look slightly different, but you should be able to find the right area to modify the WiFi network. It will be located around the WiFi network to which you are currently connected.

Simulator

For an iOS simulator, we don’t download and install Charles. We do install a root certificate though. Keep reading to learn more about CA root certificates.

Android

Real Device

To connect our Android smartphone, just head to the WiFi settings and proceed as follows:

• Go to Settings ▸ Network & Internet ▸ WiFi
• Locate the active connection, tap on the gear icon ⚙️ next to it.
• In the Network details, tap the edit icon ✏️.

• Tap on Advanced options.
• Under the Proxy menu, expand options and select Manual.
• Enter the previously retrieved IP address in the Proxy hostname field and the port in the Proxy port field.
• Tap Save. Done!

Here’s also a quick video walk-through: https://youtu.be/Tsrm7T7hrjU?si=uZxU5OTRM9wuxCYN.

Emulator

Configure Charles Proxy on an Android virtual device.

• Go to the emulator’s Extended Controls ▸ Settings ▸ Proxy. Uncheck the box preceding ‘Use Android Studio HTTP proxy settings’.

• Select the ‘Manual proxy configuration’ radio button.
• For ‘Host name’ and ‘Port number’, enter the previously retrieved Local IP Address and port.
• Click Apply.
• Verify that Proxy status changed to Success.

If the proxy configuration settings don’t work in the emulator’s Extended Controls, try restarting the emulator. In case there are still issues, follow the below outlined steps.

• Go to Settings ▸ Network & internet ▸ Wi-Fi.
• Tap on the gear icon ⚙️ next to the WiFi network.
• Tap on the edit icon ✏️.

• Tap Advanced Options.
• Under the Proxy menu, expand the options and tap Manual.
• In the Host and Port fields enter the previously retrieved Local IP Address and Proxy Port respectively.

3. Install CA Root Certificates — Desktops (macOS and Windows) and Mobile Phones (iOS and Android)

As soon as customers require us to use Charles, they want to know what our mobile device is doing during its communication with their services. If this communication is encrypted, which is great for our day-to-day security, this traffic needs to be decrypted using a certificate. We are now going to install this certificate to allow Charles to listen to that communication. Let’s start with the desktops again.

Installing Desktop Certificate

macOS

Fortunately, Charles already includes this certificate and allows us to install it using the menu easily. Just follow through this process:

• Within Charles click Help ▸ SSL Proxying ▸ Install Charles Root Certificate.

Go to Help > SSL Proxying > Install Root Certificate.

Keychain pops up. It opens as Certificates. Click Add.

We’ll see a certificate with the red ❌ at the bottom. Double-click on that.

Twirl the Trust menu down.

After finishing the wizard, close the certificate and keychain windows, and now we are good to go. Here is a link to the diagram to reiterate the Mac root CA installation process: https://user-images.githubusercontent.com/70295997/223403200-2d226828-6555-4b59-9329-fb8c01908d2b.png.

Windows

Let’s now proceed to installing the root CA certificate on Windows.

• Within Charles click Help ▸ SSL Proxying ▸ Install Charles Root Certificate.

Go to Help > SSL Proxying > Install Root Certificate.

• In the new window click Install Certificate…

In the new popup window, click Install Certificate.

• Complete all the steps of the installation wizard.

Complete the installation wizard.

Click OK.

• We should verify the certificate’s been installed as expected. Navigate to Control Panel ▸ Network and Internet ▸ Internet Options ▸ Content ▸ Certificates.

Navigate to Control Panel > Network and Internet > Internet Options > Content > Certificates.

• Click on the Trusted Root Certification Authorities tab and verify the Charles Proxy CA certificate is listed.

Click on the Trusted Root Certification Authorities tab and verify the Charles Proxy CA certificate is listed.

• Alternately, verify proper installation by opening the Run window with Win + R. Type certmgr.msc and press Enter.

Open the Run window with Win + R. Type certmgr.msc and press Enter.

• Make sure that Charles Proxy CA is listed under Certificates-Current User ▸ Trusted Root Certification Authorities ▸ Certificates.

Make sure that Charles Proxy CA is listed under Trusted Root Certification Authorities.

Now we can close the certmgr and proceed to proxying on our Windows machine.

Installing the certificate on a mobile device

To get Charles working on our phone we have to obtain a trust certificate. To install the certificate on a mobile device, we have to ensure that the device is successfully connected to our Charles session:

• Proxy is set to Manual and configured in our WiFi settings.
• Disconnect any active VPNs to avoid issues during the Charles session.
• Charles is running and the permission for our device has been granted.
• We can browse on our phone and new logging entries appear within Charles.

iOS

Real Device

• Open Safari and head to the address chls.pro/ssl (which leads to https://www.charlesproxy.com/getssl) on the mobile device.
• This downloads the certificate and should automatically open the download prompt.
• Allow the download and go to Settings.

Tap General and then Profiles & Device Management.

• Open the downloaded profile for Charles.
• The certificate is not verified/trusted. Tap Install.

• Enter the passcode, if yo have it, and then tap Install twice.

• Tap Done, once the profile is installed.
• Open the installed profile for Charles and confirm it’s now verified/trusted.

Depending on the device, additionally we may need to trust the certificate in the Settings. In that case, navigate to Settings ▸ General ▸ About ▸ Certificate Trust Settings and toggle the Charles Proxy CA on to trust it.

Tap Continue if a Root Certificate warning pops up.

Now we are ready to proxy with our phone. Go to any web site on the phone, e.g., google.com. Go back to Charles on our desktop. Click on Start Recording. The log starts filling up. We are good to go!

Simulator

In our Charles on desktop, let’s go to Help ▸ SSL Proxying ▸ Install Charles Root Certificate on iOS Simulators.

Go to Help > SSL Proxying > Install Charles Root Certificate on iOS Simulators.

The Charles Root Certificate gets added to iOS simulators.

A message pops up confirming installation of the trust certificate on the simulator. Click OK.

Open an app, bing.com for example. Perform a few actions. If the logs start filling up, it’s good news!

To explicitly monitor the Bing app, add domain *bing.com as Host in SSL Proxying Settings.

Android

Emulator

In our Charles on desktop, let’s go to Help ▸ SSL Proxying ▸ Install Charles Root Certificate on a Mobile Device or Remote Browser.

Go to Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device or Remote Browser.

Per Charles’ instructions, we should get the certificate from chls.pro/ssl.

• On the emulator, in Chrome browser, navigate to the address chls.pro/ssl (which leads to https://www.charlesproxy.com/getssl).
• This downloads the certificate and should automatically open the download prompt.
• Allow the download and go to Settings ▸ Security ▸ More security settings.

• Go to Encryption & credentials ▸ Install a certificate ▸ CA certificate.
• A security message pops up. Click Intall anyway.
• Open the downloaded .pem file.

• Go back to the Encryption & credentials view.
• Click on Trusted credentials and verify that the Charles Proxy CA is included as a trusted certificate.

Open a random app, YouTube for example. Perform a few actions. If the logs start filling up, we are good to go.

Real Device

We can configure the Charles Root Certificate on a physical Android device basically the same way as with the virtual device.

In our Charles on desktop, let’s go to Help ▸ SSL Proxying ▸ Install Charles Root Certificate on a Mobile Device or Remote Browser.

Go to Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device or Remote Browser in Charles on desktop.

Per Charles’ instructions, we should get the certificate from chls.pro/ssl.

• On our phone, in Chrome browser, navigate to the address chls.pro/ssl (which leads to https://www.charlesproxy.com/getssl).
• This downloads the certificate and should automatically open the download prompt.
• Allow and verify the download.

On our desktop, we receive a warning message about the device’s attempt to Charles. Click Allow.

• On the phone, go to Settings ▸ Security & privacy ▸ More security & privacy ▸ Encryption & credentials.

• Proceed to Install a certificate. Tap CA certificate.
• A security message pops up. Click Install anyway.
• Open the downloaded .pem file. Verify identity with PIN or fingerprint.

• Go back to the Encryption & credentials view.
• Click on Trusted credentials and verify that the Charles Proxy CA is included as a trusted certificate.

Open a random app, YouTube for example. Perform a few actions. If the logs start filling up, we are good to go.

To explicitly monitor the YouTube app, add domain *youtube.com as Host in SSL Proxying Settings.

Here’s also a short video walk-through I recorded for an Android phone: https://youtu.be/PvxDnBqLPDc?si=4nQB8jhvvU0AyoR_.

Set Up Our Own Certificate

To draw the certificate-related section to a close, there are other ways of handling a certificate in more secure manner, if we don’t want to install Charles as the trusted root. This post delineates how to proceed, when we want to set up our own certificate authority (CA) and trust that instead.

4. Capture and Decrypt SSL Traffic Using Charles

Enabling HTTPS proxying

Now that are devices (desktop and mobile) are set up, we are ready to record incoming and outgoing traffic. For that we need to change our proxy settings. In incurs enabling SSL Proxying within Charles. This is rather quickly done:

• Within Charles click Proxy ▸ SSL Proxying Settings…
• In the SSL Proxying Settings tick Enable SSL Proxying and click the Add button below.
• Enter an asterisk * as Host and 443 as Port
• Now click OK and OK again

We may need to restart Charles afterwards.

macOS

Go to the Proxy menu. Make sure that the macOS Proxy option is checked ☑️.

Then go to SSL Proxying Settings.

Make sure the Enable SSL Proxying box is checked ☑️.

We can tell Charles which domains we want to encrypt. Click Add under the Include section. Under Host, if we put an asterisk *, Charles will monitor all traffic. If we put an asterisk and the domain we're looking for *<domain_name>, we indicate the specific host to monitor our traffic for. It will just look for that domain, i.e., *google.com.

For the Port, we input 443.

Populate Host and Port fields and click OK.

Now, let’s open a browser, head over to google.com and perform a few actions.

Everything with a padlock icon 🔒 is not monitored and shows as <unknown>. The rule that we set is for google.com, so everything with that domain has a blue lightning icon ⚡️ next to it. It means our specific test domain traffic is being recorded, and that’s good news!

Now we can stop and save the session log in a file. More on that in the log retrieval section.

Windows

Enabling SSL proxying on Windows is identical to the Mac steps.

Go to the Proxy menu. Make sure that Windows Proxy option is checked ☑️.

Then go to SSL Proxying Settings.

Check ☑️ the Enable SSL Proxying box. Click Add in the Include section.

Populate Host and Port fields and click OK.

Make sure the entered Host and Port values show in the Include section.

We may need to restart Charles afterwards.

It’s time to open a browser and navigate to some random website, e.g., google.com. Perform some actions, like search for ‘stuff’, and observe the Charles logs populating.

We set the rule to allow proxying for all domains. So, all the traffic, including the google.com domain has a blue network circle 🌐 or a lightning icon ⚡️ next to it. It means that all domain traffic is being recorded. It matches our set rule. Domain coverage can be customized, as described below.

Tailor Coverage to Our Needs

Earlier. we entered * as the Host. This wildcard character enables the SSL proxying for every possible web address or service we may visit. Thus we might want to tailor the proxying — and therefore logging — to our needs by specifically including certain domain addresses as parts of host. Using wildcards provides a very versatile way of filtering specific URLs, which we want to cover.

This can become very handy, if we want to limit the coverage to an app or page under test. Here are some examples:

• google would cover every network traffic packet from and to google, which includes photos.google.com, google.com/mail and so on.
• photos.google or meet.google.com would include everything from and to photos.google.com and meet.google.com respectively, but not google.com/mail for instance.
• google.com/mail would cover the entire mail section, but no other section such as photos.google.com. Though it would cover photos.google.com/mail/, if such websites existed.

So we take the relevant part of the address, which may include/exclude or be limited to sub-domains like calendar in calendar.google.com and replace the rest of the address with a * to allow every string or even no string (zero or more characters) in its place. We can also use the ? wildcard, which replaces exactly one single character. So go?gle would match google or goggle, but not gogle or googgle.

If we want to only record mobile traffic and avoid interference from the desktop, we should uncheck the macOS Proxy or Windows Proxy options under the Proxy menu.

In the Host section, we can enter the domain specific to our mobile app, not just a web app that’s accessed via a browser. For example, enter <mobile_app_name>.com to trace all the activities specific to that app and its endpoints such as: /api/<mobile_app_name>/login, /api/<mobile_app_name>/userinfo, or /api/<mobile_app_name>/places/getuserplaces.

In order to filter out the traffic data sequences for a specific domain, we can use the Filter feature. For example, enter ‘goog’ to isolate the logs from google.com, or ‘bing’ from bing.com respectively.

Filter feature.

Now that Charles is running with the right settings, the root CA certificates are installed, mobile our devices are configured to use Charles on our computer, and the SSL proxying is enabled, we are set to read and log the traffic!

Log Icons

While recording a session we capture different types of traffic. Each sequence in the logs is prefixed by one of these icons:

📋 To summarize: the padlock 🔒 icon means SSL proxying is not enabled for that HTTPS host; the blue network circle 🌐 or the lightning ⚡️ icon means the traffic for our chosen test domain(s) is being recorded.

5. Export Device Logs to Support Bug Reports

It’s time to start a wrap-up by collecting the log information and exporting it. We do this in order to provide descriptive supporting documentation with a bug report. It’s only adequate that we work closely with our developers and send them a solution-oriented report not a problematic one. So, let’s be helpful and retrieve that log file. Here are some recommended pre-retrieval steps:

• Clear the Charles log using the broom button 🧹.
• Be sure, that logging is active (red recorder button 🔴 in the toolbar).
• Perform your actions or steps to reproduce an issue.
• Stop recording the logs by clicking the red button and turning it grey 🔘.

Now, we can:

• Head to File ▸ Save Session as…
• Choose a folder and pick a file name. Do not use periods in the name.

• Upload the log ending with .chls to your bug report.

That’s it! We are done with extracting Charles logs. Attach the .chls file to your bug report. Jira, for example, accepts this file format. When the report gets assigned to a developer, they are able to download and open the file up in Charles. They can see all the details that were happening when we tested our app, e.g., the contents of requests and responses. Log files allow for issue communication, debugging, root cause analysis, and the according fix to happen efficiently.

6. Tidy up

The very last step, before concluding with the Charles Web Proxy tool, is wiping the slate clean and restoring any applicable default settings.

When we complete our testing activities. We can stop the recording by clicking the red circle 🔴 and clear the current session with the broom 🧹.

When done with the Charles session, be sure to close the software and to revert the WiFi settings on the mobile devices to their prior state. Therefore, set the Proxy to None again in the WiFi settings.

Remove Charles Root Certificates

We also want to remove the certificate from our devices if they are our privately used desktops, smartphones and tablets and not only meant for testing.

Chromium

Windows

• Open the Run window with Win+R, type certmgr.msc and press Enter. If the root certificate was added under Trusted Root Certification Authorities during the root certificate installation steps, then go there and look for Charles Proxy CA. Right-click on it and click Delete.

• Alternatively, go to Control Panel ▸ Internet Options ▸ Content ▸ Certificates ▸ Trusted Root Certification Authorities, click on Charles Proxy CA and click Remove.

macOS

• Remove the certificate via the Chrome browser Settings as depicted below:

• Alternatively, go to Spotlight Search ▸ Keychain Access ▸ Certificates, click on Charles Proxy CA and click Delete.

Firefox

Windows

• Click the navigation drawer menu in the browser’s top-right corner and select Settings. Go to Options ▸ Privacy & Security ▸ View Certificates ▸ Authorities tab. Scroll down to XK72Ltd, click Charles Proxy CA, click Delete or Distrust and then OK.

macOS

• Firefox default directory for certificates is ~/Library/Application Support/Mozilla/Certificates on macOS. Locate the Charles certificate at this path, right-click on it and click Move to Trash.

• Alternatively, perform removal via the Firefox browser Settings, as in the flow illustrated below.

Now, let’s remove root certificates from our mobile devices.

Android

Android

On the phone, go to Trusted credential’s User tab and look for the Charles root certificate. Open the certificate and tap Uninstall.

Physical device

On an emulator, the process in essentially identical.

Emulator

iOS

iOS

On a physical device, navigate to Settings ▸ General ▸ Profiles & Device Management. Under Configuration Profiles, we’ll see an entry for Charles Proxy. Open it and then tap Remove Profile. Enter your passcode (if required) and confirm the removal.

Physical device

Profiles & Device Management isn’t available in iOS Simulator. To remove the Charles Proxy certificates, reset the simulator by clicking the Hardware menu and then Erase All Content and Settings….

Virtual device

If we ever want to start logging in the future, we can jump back in. Just spin up the Charles app and add the IP address and port to our WiFi settings again. If we’ve removed the certificate, we can add it back too. Review and repeat the above described steps, if you encounter any issues with your environment.

7. Miscellaneous Issues and Questions

❓What happens if Charles root certificate is not installed?

🛠️ Solution:

When we have Charles running without having a root certificate installed, most of the sites will browse just fine. But for the hosts where we have enabled SSL Proxying (by going to Proxy ▸ SSL Proxy Settings and adding an entry), we get an error as seen in the images below.

Your connection is not private or Did Not Connect: Potential Security Issue error page, as seen on Chrome and Firefox.

❓Cannot monitor traffic on Android.

🛠️ Solution:

While proxying with most iOS apps works fine, for Android we require a special debug app version. Developers need to calibrate network settings in the manifest file to allow for network interception. They have to add a network security configuration file into the Android project, in order for us to be able to read the traffic for our app in Charles Proxy. Of course, this special debuggable build is never meant for production release to the customers. So, make a point to get a debug test app before proxying on Android devices. There is a high chance that your test app will already be configured for the Android version. iOS does not require that for traffic interception.

❓Usage of Charles with some mobile apps is limited.

🛠️ Solution:

Mobile manufacturers, like Google and Apple, are aware of existing proxying tools like Charles or Fiddler. They recognize them as legitimate tools, but they choose not to share all the information and limit usage of some apps. For example, we are not able to use the Apple Id, access the App Store, and Siri does reply but is unable to execute any commands. Those are hidden from Charles by device manufacturers.

❓Windows: No internet connection after setting manual proxy. We set the manual proxy on our phone to the computer running Charles. When we try to browse a website on the phone, we expect to see a prompt on Charles about an unauthorized device trying to connect, as per the Charles documentation. But we don’t see that prompt, and our phone appears to have no internet connection. Even after manually adding the phone’s local IP to Proxy ▸ Access Control Settings, there is still no internet access on our phone and Charles is not recording any network activity on that phone.

🛠️ Solution:

1. Open Start. Type “network status” and click the matching item.
2. Click Change connection properties.
3. Under Network Profile, select Private (it was originally set to Public).

Charles may need to be restarted. Fiddler, however, works fine without having to change the Network Profile to Private.

❓Firefox: No internet connection after setting manual proxy. Charles is not recording network traffic on Firefox but it is working fine on Chrome and Edge.

🛠️ Solution:

👉Go to Options ▸ Settings (under Network Proxy), and make sure Use system proxy settings is selected. If we’re getting ‘Your connection is not secure’ on HTTPS sites after that, we may have to visit https://chls.pro/ssl and select ‘Trust this CA’ to identify websites to install the SSL certificate on Firefox.

Happy testing, logging and debugging!

This post only covers a fraction of everything that testers can accomplish with the Charles Web Proxy tool. There are many more useful features left for us to explore that are a separate topic on its own.

I welcome any comments and contributions to the subject. Connect with me on LinkedIn, X , GitHub, or Insta.