Faster mobile debugging using a HTTP Proxy

Transcript

1. FASTER MOBILE DEBUGGING USING A HTTP PROXY By Scott Alexander-Bown

   @ScottyAB SWmobile Meetup

2. ➤Why ➤Charles ➤Features ➤Setup on Mobile ➤Tips

3. Y THO? ➤ Debugging / Testing ➤ Simulate ➤ Slower

   connections ➤ Error states ➤ Hard to recreate server side set up ➤ More info for developers to fix the bug (mobile and/or API)

4. REAL LIFE BUGS ➤ Double Attachment upload ➤ Concurrency issues

   with calls to /refreshKey ➤ Missing request params between iOS / Android ➤ Unnecessary API calls (push token registration)

5. Proxy Server

6. None
7. None

8. Disclaimer: Not tested this

9. SINGLE SITE LICENCE *£39

10. ALTERNATIVES ➤ Android Studio Network Profiler ➤ Chrome Dev tools

    ➤ Stetho (Android) ➤ Pony Debugger (iOS) ➤ Chuck (Android) ➤ MITM proxy ➤ Fiddler ➤ Others…
11. None

12. SCREENSHOT OF ANDROID APP SESSION

13. FEATURES

14. BREAKPOINTS ➤ “Does what it says on the tin”

15. EDIT REQUEST / RESPONSE ➤ Simulating error responses ➤ Removing

    values from request ➤ Removing values from response
16. None

17. RE-WRITE ➤ Similar to edit request/response but automated ➤ Import/Export

    re-write rules

18. WILD CARD EXAMPLE

19. MAP LOCAL / REMOTE ➤ Serve local files instead of

    those from server

20. THROTTLING

21. None

22. AND THAT’S NOT ALL ➤ DNS spoofing ➤ Compose new

    Requests ➤ Web interface (useful when running Headless) ➤ Host OS proxy ➤ Import/Export Session ➤ Repeat aka basic load testing (multiple times with optional delays) ➤ Whitelist, Blacklist(block), Ignore urls

23. CONVINCED?

24. MOBILE DEVICE SETUP

25. None

26. What about TLS/SSL?

27. None

28. HELPER OPTIONS FOR ROOT SSL

29. Go to http://www.charlesproxy.com/getssl/ INSTALL THE ROOT CERT ->

30. None

31. SSL PROXY RECAP ➤ Connect device to proxy via WiFi

    settings ➤ Install the Charles Proxy Root Cert ➤ Visit charlesproxy.com/getssl/ ➤ Or Provide your own SSL root cert ➤ Enable SSL Proxying on per domain basis ➤ Profit £££!

32. SIDE NOTE ANDROID 7+ ➤ Requires Network Security Config to

    trust user installed certs ➤ Also disable SSL pinning (debug only)

33. SIDE NOTE ANDROID 9+ (CLEAR TEXT) ➤ Clear Text (a.k.a

    http) is blocked by default on Android 9 ➤ Requires Network Security Config to permit clear text ➤ Needed if you’re running API server locally

34. TIPS ➤ Cut the noise (focus, filter and ignore) ➤

    Sharing with team ➤ Export rules ➤ Save to Github Gist ➤ Get cURL of request

35. TIPS ➤ Multiple Devices? - show Client IP ➤ Increase

    Connection and Read/Write timeouts ➤ Share root SSL certificate if sharing test devices

36. FEEDBACK: DID YOU LIKE THIS TALK? @SCOTTYAB

37. By Scott Alexander-Bown @ScottyAB THANKS… If mobile is your thing

    check out the SWmobile meet up

38. Thanks and Q&A By Scott Alexander-Bown @ScottyAB HOW DO YOU

    USE WEB PROXIES? If mobile is your thing check out the SWmobile meet up