How to capture messages using a third-party tool-Mobile Platform as a Service(mPaaS)-阿里云帮助中心

Use Charles on macOS to capture and decrypt HTTP/HTTPS traffic from your mPaaS app during development and troubleshooting.

Important

This document may contain information about third-party products. This information is for reference only. Alibaba Cloud makes no warranties, express or implied, regarding the performance or reliability of third-party products or any potential impact from operations performed on these products.

How it works

When developing mobile apps with the mPaaS framework, capturing HTTP messages is one of the most effective ways to diagnose issues involving client-server or client-gateway interactions. By inspecting request and response messages, you can identify malformed requests, verify server responses, and confirm that return values are correct.

HTTP message capture tools

Charles and Fiddler are the most widely used tools for capturing HTTP messages. Both work on the same principle:

They run a local HTTP proxy. Any HTTP traffic routed through this proxy can be intercepted and parsed.
To decrypt HTTPS traffic, install the Charles or Fiddler root Certificate Authority (CA) certificate on the client device. This allows the client to trust the man-in-the-middle, so the tool can decrypt and display the traffic.

Note

Charles and Fiddler only decrypt HTTPS at the transport layer. If your app applies an additional encryption layer on top of HTTPS — such as the data encryption feature of Mobile Gateway Service (MGS) — Charles and Fiddler cannot decrypt that inner content. They display the already-encrypted payload as-is.

Charles on macOS

This section covers Charles 4.5.5 on macOS: installation and the full setup process for HTTPS decryption.

References:

Installation and basic interface

Download the Charles .dmg installer from the official Charles website and run it to install.

On first launch, Charles prompts you to set the system proxy — grant this permission. Once running, HTTP requests passing through Charles appear in the main interface:

Note

A red circle indicates that message capture is active.
The left pane lists HTTP message entries. A lock icon marks an undecrypted HTTPS message.

Configure the client

HTTP requests from an emulator on your local machine are routed through the system proxy by default — no manual proxy configuration is needed.
For physical devices (iPhone or Android), configure the proxy manually so that all network requests from the device go through Charles.
1. Connect your mobile device and the Mac to the same Wi-Fi network so the device can reach the Mac by IP address.
2. In Charles, go to Proxy > Proxy Settings to find the proxy port number.
  
  Note
  The default port is 8888.
3. Find your Mac's local IP address in System Preferences > Network:
4. On your mobile device, set the Wi-Fi proxy to use the Mac's IP address and Charles port. On iOS, go to Settings > Wi-Fi, tap the network name, then add the proxy server.
5. When the device first connects through Charles, a prompt appears. Click Allow:
6. HTTP requests from the device now appear in Charles. For example, visiting http://www.antfin.com/ in the device browser shows up as a request entry:

Configure SSL proxying

By default, Charles does not decrypt HTTPS traffic. To inspect HTTPS message content, complete two steps:

Install and trust the Charles root CA on the device (required for both emulators and physical devices).
Configure which HTTPS domains Charles should decrypt.

Configure the device

With Charles running, open a browser on your mobile device and go to chls.pro/ssl. On iOS, use Safari. The browser downloads charles-proxy-ssl-proxying-certificate.pem and prompts you to install the Charles Proxy Customer Root Certificate.

On Android, name the certificate and install it under user trusted credentials (also called the Customer Certificate).
iOS 10 and later: Go to Settings > General > About > Certificate Trust Settings and enable full trust for the Charles certificate you installed.

Note that for an Android App, you must add a network security configuration to trust user credentials. Follow these steps:

In your Portal project, create res/xml/network_security_config.xml with the following content:

<network-security-config>
<debug-overrides>
<trust-anchors>
    <!-- Trust user added CAs while debuggable only -->
    <certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>

Reference the configuration in AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application ...
          android:networkSecurityConfig="@xml/network_security_config"
          ... >
 ...
</application>
</manifest>

Click here to download the sample code for trusting the user CA.

To trust the Charles certificate on your Mac, go to Help > SSL Proxying > Install Charles Root Certificate.

Configure Charles

In the Charles menu bar, go to Proxy > SSL Proxy Settings. On the SSL Proxying tab, select Enable SSL Proxying, then add the domains and ports you want to decrypt.

For mPaaS public cloud users, add the following domains:
- *.aliyun.com
- *.alipay.com
- *.aliyuncs.com
For Apsara Stack, add the domains above and any custom domains your deployment uses.

After completing the configuration, HTTPS message content becomes readable in Charles:

Before configuration: HTTPS message content is encrypted and unreadable.
After configuration: HTTPS message content is decrypted and readable.