Charles Proxy
Role and longevity of Charles Proxy
- Widely regarded as an “all‑time great” HTTP(S) debugging tool, used heavily since the late 2000s for web, mobile, and even Flash/AMF work.
- Users praise its robustness, especially SSL proxying and session handling, and appreciate the non‑subscription licensing with long-lived keys.
- Some note they’ve since moved away because modern browser devtools fulfill their simpler needs.
Alternatives and comparisons
- mitmproxy / mitmweb: Often cited as the closest free alternative. Praised for powerful scripting and advanced features (WireGuard mode, “Local Capture,” non‑MITM monitoring of SNI). Criticized by some for its tmux‑style TUI and UX changes; others prefer mitmweb’s browser UI.
- Burp Suite / ZAP / Caido: Seen as more security‑oriented. Burp is described as the “gold standard” for pentesting but heavier and subscription-based. ZAP has comparable features but some find it unintuitive. Caido is a newer, lighter competitor in the same space.
- Fiddler: Remembered fondly as extremely powerful, especially the classic Windows-only edition with strong scripting; newer cross‑platform variants exist but are seen as different.
- Proxyman / Reqable / HTTP Toolkit / Requestly: Proxyman is heavily recommended for macOS/iOS, with many ex‑Charles users citing better UX, native feel, and smoother simulator/cert flows. Others keep Charles for features like session grouping. Reqable and HTTP Toolkit are mentioned as modern alternatives; Requestly is mentioned more as a simpler client/interceptor.
- Wireshark / tshark: Recognized as a different class (packet capture, not proxy; passive, not active modification).
UX, usability, and platform support
- Charles’ functionality is praised, but its UI is criticized: unlabeled icons and confusing menus for common tasks (rewrite, map local/remote).
- Proxyman is lauded for native UI, shortcuts, cert install helpers, and especially polished Xcode simulator integration; one user notes a Linux beta.
- Some find enterprise environments reluctant to approve Charles, pushing staff toward more cumbersome workflows.
Use cases and workflows
- Key use cases: mobile debugging (including simulators and physical devices), reverse‑engineering app APIs and games, validating what was actually sent on the wire, and combining with tools like Postman or mock servers.
- TLS interception relies on installing a local root certificate; commenters distinguish this legitimate, developer‑controlled use from the enterprise “TLS‑breaking” middleboxes they dislike.
- A side discussion covers building homegrown MITM tools, Apple’s restrictions around Packet Tunnel APIs, and Android’s more open networking stack.