iOS uses Charles (Blue and White Porcelain) to capture packets and tamper with returned data

The motivation for writing this article was that I forgot a step when using Blue and White Porcelain to capture packets some time ago. I searched the Internet for a long time but couldn't find a complete tutorial. So after the problem was solved, I took the time to take screenshots, wrote it myself, and sealed it in the blog park for future reference.

Charles, also known as Blue and White Porcelain, plays an important role in packet capture in iOS development. The three biggest uses are: first, intercepting the requests and backend interfaces sent by other software to practice development. Second, intercepting and modifying the response returned by your own backend before receiving it to achieve the purpose of testing critical data. Third, writing scripts to repeatedly intercept and capture other people's data. (Because it is not very ethical, this article does not mention the third point)

If you are not seeing this article on Dong Boran’s Blog, please click here to view the original text.

1. Preparation before starting

First install this software

I believe many people have this installed on their computers. If you don't have it installed, you can easily find it by searching for "Charles cracked version". If you don't have the Java environment installed, you will be prompted to install the Java package when you first enter Charles. The link you are given is from Apple's official website. Just go to the next one and install it with one click.

After the installation is complete, open it and then proceed with the following operations.

Then go to your computer's System Preferences -> Network -> Select the network you are currently connected to (most people should use WiFi) and you can find the IP address of your computer in the current WiFi. For example, mine is 192.168.0.105 (it is recommended to use a private network. If you use a company network, there may be restrictions and no response.)

Then find your phone connected to the wifi network with the same name, and select the blue i on the right.

Then enter the advanced settings page of this wireless LAN. After entering, scroll to the bottom and find the words HTTP proxy. Then select manual proxy, fill in the IP address found by your computer in the server, and then adjust the port to 8888, and finally click return in the upper left corner. After returning the value, the system will automatically set the proxy to reconnect.

At this time, your mobile phone will go through your computer when it is surfing the Internet. As soon as you open an Internet program with your mobile phone, a pop-up window should appear on your computer asking you to [allow] or [deny]. You must not refuse, so just click allow. This pop-up window will only appear for the first time. I didn’t capture the picture, but you will definitely understand it when you see it. After clicking on the consent, every request sent by your mobile phone will be intercepted and a trace will be left. #p#

2. Intercept the interface data of a certain software

Take NetEase News as an example. I have practiced writing NetEase News projects before, in which all NetEase interfaces were intercepted by Charles. I intercepted what NetEase sent when it sent a request, and then directly used this string of links where I needed to get data in the practice project.

Of course, there are many things blocked here. If you have development experience, you should be able to quickly see which one on the right is the interface that actually returns JSON data. Or you can click on them one by one to view the content.

For example, select a URL and right-click to copy.

Put it in the browser address bar and type it. You can see

This shows that the interface is correct. You can get the data. Then you can convert it to make it clearer. Although many people use bash to view it, I still recommend a website http://www.w3cschool.cc/jsontool. After converting to JSON, it is very clear. Most software will open all the curly braces by default after json sorting, but only this website will close all the curly braces by default. You can click on any one you want to open, and you can know how many key-value pairs there are in the dictionary, so it is very clear.

At this point, a complete pull interface and data acquisition has been completed.

There are two points I want to make:

① If the request sent by this App is encrypted or RSA, you can't get the data even if it is intercepted. NetEase does not do any encryption, so the data can be captured. I tried to intercept Baidu Doctor before, but it didn't work. He set it to get the data within one minute. If it exceeds 1 minute, the copied interface can't get the data. I suspect that it may be encrypted with the HMAC method, and a time judgment is added to it. The requests sent at 32 and 33 minutes are different after encoding. The background may have done fault tolerance, and will judge both 32 and 31 points with you. As long as one of them matches, you will be allowed to pass, but after a full minute, you will definitely not be able to get the data.

② Many large websites generally open a developer platform, where you can register a developer account and then open an interface document to you, so you don’t have to bother intercepting it. For example, Sina Weibo and Dianping both have developer platforms. #p#

3. Change the return data to test critical cases

This is the key point. Because this approach allows an iOS front-end developer to complete the test independently without pulling in a back-end for joint debugging. And there is no need to find various special dimensions or critical accounts. You can achieve the effect by just changing it on the blue and white porcelain. For example, if nil is returned in this place, will the program crash? Just change the response. The following is a specific operation plan.

Open Blue and White Porcelain and switch to the structure page

Breakpoints and debugging information can be seen here

Then find a page for our company. This page should return something like this:

Open this page normally and play around with it for a few times. This blue and white porcelain will capture many interfaces and domain name categories. It should not be difficult to find the domain name category to which your page belongs. Then set a breakpoint. Please note that you should set a breakpoint on the domain name instead of on the single request below.

When you access this page again with your mobile phone, you will request data through the domain name where you just set the breakpoint, and it will be blocked by the breakpoint, as shown in the figure below.

The information on the right is also very clear. You can edit the request at the beginning. If you click single step, you can also edit the response when the response comes back.

There are several ways to view it, but it is recommended to use JSON Text for a clearer view. Now we modify the intercepted data. I change all these statistics to 999 as shown below

Then click Execute again, and the changed data will be displayed on the APP page like the normal returned data.

Being able to reach this step means that you have fully mastered the technology of using blue and white porcelain to tamper with the returned data to test the App.

If you are not seeing this article on Dong Boran’s Blog, please click here to view the original text.

The significance of doing this:

Here, we simply changed some numbers to make the page display more intuitive. In actual operation, you can often use this method to change some values ​​to critical situations to see how the App responds when handling these critical situations. This is much cheaper than finding test accounts with critical data. You can also find some fields that may not return values, and directly delete the values ​​in them to nil to see if there will be any exceptions reported, etc.