Mobile Zone is brought to you in partnership with:

Programmed Macs since Inside Mac came in 3-ring binders; programmed iPhones since the first day the SDK was downloadable. 51 apps in the App Store to date, and always looking for new and interesting contracts! Alex is a DZone MVB and is not an employee of DZone and has posted 122 posts at DZone. You can read more from them at their website. View Full User Profile

Charles Web Proxy Tip: Secure Charles Cert

01.31.2014
| 6637 views |
  • submit to reddit

No doubt if you’ve done any web-using apps or applications you’re familiar with Charles Web Proxy for debugging — and if not, go check it out right now — but there is the niggling concern that when you use it to debug SSL communications you tell it to trust Charles’ root cert, which leaves a hole open for anyone who cares to sign themselves a cert and go to nefarious work on your device.

But fear not! If like us you’d managed to overlook this option so far, here’s a step by step guide to setting up a

Custom SSL Certificate With Charles Web Proxy

Luckily Charles supports using your own custom SSL certificate as the root certificate, which you have to create yourselves. This can be done using openssl. You will be asked some information about the certificate. I recommend at least setting Organization Name to something meaningful as for instance Charles Proxy Custom SSL certificate. This makes it easier to find the certificate in Keychain…

… Now simply select the charles.pfx file in Proxy Settings > SSL > Use a Custom CA Certificate in Charles. Notice that Charles only saves the path to the file, so place the file somewhere meaningful.

Remember to install the certificate in keychain by simply opening the charles.crt file. It can be installed in the iOS simulator by dragging the charles.crt into the simulator window and on your iOS device by sending it using email. Remember to delete the old Charles certificate if you had it installed.

Worth doing just in case, yep. And if you’re OCD enough to get annoyed entering the password each time, the article goes on with how to trick Charles into thinking your custom cert is its default and skip that. We’re good with QA having to know the password, personally, so we’ll leave over that part.

h/t: iOS Dev Weekly!

Published at DZone with permission of Alex Curylo, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)