I was using an application for OSX called "Charles", which has some of the oddest branding I've seen:
It worked pretty well; I set up a whitelist so that only requests to our API would be allowed through, and I set it up to redirect all requests to that API to a local server I had set up (with the SSL certificate that would allow the request to go through, since they had moved to our SSL endpoints).
So, I wasn't able to sniff the traffic from their app directly (since it was using our own SSL endpoints), so I spun up a local server instead to log the request details and be able to develop this without alerting the author.
One way I've seen this done is to use Charles, which sets up a proxy on your Mac to intercept and log requests. You can then change your Wifi settings on your iPhone to use the proxy as described here.
It's not a conspiracy to have you buy pro. Is anyone out there proficient with https://www.charlesproxy.com/ ? If you are and can send me the logs from your device while an ad like this is shown, it would go a long way to helping us get these fixed.
It's only useful for specific situations, but HTTP debugging was a real game changer for me. I use Charles. Before I realised HTTP debugging was a thing, I would have to log the crap out of my HTTP requests to see what was coming back, so I could work out how to parse it. With Charles, you can see exactly what information is being sent to/from the server, which makes it much easier to identify issues.
Similarly useful is Paw. Useful for making & analysing requests & responses (with authentication etc) from your computer rather than having to perform the request in-app.
I think I hurt my left hand.
They can be considered man-in-the-middle. The word attack may have been a bit strong though :D
https://www.charlesproxy.com/documentation/proxying/ssl-proxying/
I love Wireshark. Used to use it when it was still Ethereal. GUI could do with some love though.
Charles proxy has a nasty habit of not removing the proxy configuration when it's turned off on the Mac. Some apps will retain the proxy settings, but not all apps do. This can cause issues with some VPN configurations. Charles proxy is supposed to automatically remove the proxy settings when you turn it off.
Charles... You want Charles... https://www.charlesproxy.com
Follow the documentation for it, specifically follow the SSL proxy set up, and filter for 'pubads' and you should see the corresponding calls for google ads.
Can't vouch for the company but a Charles proxy is indeed a thing. They presumably want to look at traffic from server x doing job y for program z, to your home. Think of it like a packet sniffer. Thus, I'd not use it on any devices you do sensitive stuff on (though any sensitive stuff should, by default, be encrypted; it's more of a safe than sorry thing).
You can set up interceptor proxies with it:
https://learning.postman.com/docs/sending-requests/capturing-request-data/capturing-http-requests/
I also know a guy who swears by Charles:
https://www.charlesproxy.com/
Welp, sure. Here's my super objective opinion
Cost: open source vs paid
Interface: feature-complete CLI with optional Web Interface vs requiring some sort of GUI (web interface or thick client)
API: Python vs n/a
Addon support: Complete vs. n/a
Documentation: Stellar vs pretty ok I guess
mitmproxy feature list vs Charles Feature list
Also, from my personal experience of using both, mitmproxy seems much easier to work with and to extend the functionality of. I also love being able to spin up a Docker instance of it and direct all the traffic to it. I know that technically you can do that with Charles, but the feature seems like it was added as an afterthought.
Yes it is.
But you should be using Charles Proxy because that's the king of proxying on macOS.
There's a free version, but it quits after 30 minutes, and it's a really useful tool for mobile QA so it's worth buying the full version.
Well, you could analyze the app's network communications on your phone using an interception proxy such as Charles for iOS. But that assumes the app doesn't implement some form of certificate pinning which would prevent you from analyzing the app's network flow. In that case, you could then inject JavaScript to defeat the app's certificate pinning mechanism using Frida. Once you've mastered that, you could start freelancing as a mobile app security practitioner, buy a motorcycle and new phone, and then move out of your parents' house.
There is actually a great tool for this that is very popular among developers. https://www.charlesproxy.com
Charles proxy lets you intercept and decrypt SSL communication between your device and the internet. There are plenty of examples of people using this app to inspect Instagram traffic.
/u/BishopOfBattle
What version of the Editor are you using?
The team recently fixed an issue in 5.6 where DisableEditorAnalytics was not properly honored. That patch should be available soon.
We still have one bug on EditorAnalytics where it will fetch the RemoteConfig for the Editor. (RemoteConfig is the basis for the Remote Settings feature.) However, that should only affect the Editor, not any builds you create. (Also, if you do not have analytics enabled, then you will just get an empty config file.)
There is another setting to disable HW statistics within builds, which can be found in your Player Settings, under Other Settings -> "Disable HW Statistics".
What is the current state of that option in your Player Settings?
Lastly, how are you verifying that these endpoints are hit? I'm assuming you're using a network traffic analyzer, such as Charles proxy. Are you checking this via the Editor or while running on a device?
Hi
Pretty excited 'bout your efforts to recreate something similar to old omgpop and bringing back the community. The old omgpop towards its demise was prone to hackers and other cheaters. If those people could do it on omgpop, do you think they can do it on the site you are currently working on? I think the site will be susceptible to attacks and cheats on a heavy basis since all the cheats are out there now and can easily be found on YouTube.
https://www.charlesproxy.com/ and Wireshark were used to monitor the packets on the earlier site and manipulate the data. I don't really know much about this.
Just giving you a heads up.
I'd give Charles proxy a go. Maybe the setup isn't straightforward if you haven't done it before but it's the best tool that I know for sniffing the network requests/responses.
The other tool that I used to use is Stetho.
Apparently you can use something like Charles, but as far as I'm aware there are no specific tools to manage and interpret it for you. I'm not a mobile developer, but my general understanding is that the App Store (unlike Google Play) doesn't allow for the kind of functionality that such an app requires to work.
Shame that the open source tooling isn't working yet.
I appreciate that it's a Motorola tool, but my suggestion for option 3 was to use something like Charles Proxy (https://www.charlesproxy.com) to capture the requests made by the SWF so that you could potentially create an alternative mechanism to replay similar requests for managing the system without needing Flash.
I assume you've reached out to Motorola too?
I would recommend using Charles. Make your phone proxy through your computer & you can cleanly see every HTTP request & its payload. If you notice SSL traffic then you MAY be able to side-skirt it by installing the Charles root certificate on the device, but if the app developers enabled certificate pinning then there's nothing you can do without basically hacking the app.
Charles Proxy is an app for capturing HTTP requests. They have a native iOS app, however it’s $10. https://apps.apple.com/us/app/charles-proxy/id1134218562
The iOS app simplifies things by a lot. Not sure if the price is worth it for your use case. I already had the app for developing purposes so I didn’t buy just for this.
However, if you don’t mind more steps, there is a PC/Mac method that would run as a proxy server on your computer and they provide a trial on https://www.charlesproxy.com/
After installing the application, you can use your PC/Mac as a proxy and then you’ll be able to sniff HTTP requests from there.
Once you've found the hostname to block, you can use Filza to edit /etc/hosts and block the hostname there by entering `0.0.0.0 domainhere.com`.
After that reboot your phone.
I can't speak for Android, but I know for a fact iOS isn't. I work on this stuff professionally.
You can get something like Charles to spoof the SSL on your device and decode all network traffic to and from the device.
You can actually see when Siri data is transmitted. Internet traffic is still dumb, and outside of 'encoded' data (that you still can see the end point and payload), if you spoof the SSL all data your device moves is visible.
I have entire days on log where all the traffic on my phone is recorded (as part of apps I'm working on) and there's nothing suspicious there, besides random background pushes from things like instagram where they are sending tracking data and usage stats.
Weird. I would have expected that simply removing it would work too. (One note: sometimes making too many edits to the AS code in FFDec can cause errors in the resulting SWF file. I try to stick with editing the P-code when possible.)
I haven't used that site. I was referring to Charles web proxy which basically monitors web traffic on your computer. This allowed me to show what URLs were being requested when I ran the original SWF file in a browser. It can be very useful for both Flash and other reverse engineering -- add it to your tools list too!
Fixing sitelocking can vary in difficulty quite a lot. I generally search in FFDec for the displayed message ("play this game on xyz.com" or whatever). This usually helps me find where in the code the site check is implemented, and modify it accordingly.
Some big-name games are trickier -- for example, NinjaKiwi games encrypt some critical sitelocking functions with a key that's computed elsewhere in the SWF at runtime. However, by adding trace() (see the output by enabling TraceOutputFile for the player as explained here) and FileReference.save() functions at the right points, you can often break these DRM methods too, given enough work. (I've successfully done this for BTD5, Happy Wheels, and a few others. It's a fun puzzle, in a way.)
Check it out!
https://www.charlesproxy.com/documentation/ios/
https://itunes.apple.com/app/charles-proxy/id1134218562?mt=8
All virtual keyboards are more or less keyloggers. All!
One exception ( Android ):
That's not true. Look at the changelog and you will see many new features in v4 that v3 does not have.
For example:
That said, v3 is perfectly capable of handling most use cases
If they are external you can monitor the request using something like Charles https://www.charlesproxy.com which you can have running in the background while you preview the SWF. The file paths will appear in the request URL list
The configuration profile in the first screenshot is NOT what gets installed when you download enterprise signed apps. The configuration profile in the first line of the first screenshot is for this extraordinarily useful tool. The second line that has the black line obscuring the company name is what shows up when you install an enterprise app. It is explicitly NOT a configuration profile. It ONLY gives your device permission to run apps signed by that certificate which did not come from the app store (iOS trusts app store signed apps by default).
In the first screenshot, look at the second entry under the heading "Enterprise App". This is what shows up if you install enterprise signed applications and does not give MDM access.
Are you using a PC? If that's the case you can find the apps in your music folder. There you have an iTunes folder. In it there should be a Mobile Application folder. My system's language is German and the folder names are still in English so this should be the same case with Spanish systems. You can just check it out without starting anything. That seems to be the hardest part for you because it's not in the guide. However it seems that iTunes 12.4.3 is only available for a 64 Bit system, at least the version you find directly on apple.com. However you can get this version from Apple which is even older and should work. You can find the old version from Charles here. If you have both tools you should watch the entire video carefully. If you do all the things step for step you can't really mess up anything. The worst that could happen is that it does not work and you wasted a few minutes. If you take this "risk" you should definitely try it.
I've looked at some of the traffic with Charles, but it seems like none of the actual game data runs through it.
I forget how I did it, but I logged out the DNS requests, and I was seeing traffic to sparx.io which seems to be Kabam's game API server. I seem to recall seeing it was over port 443 which is HTTPS, but I wasn't seeing that domain anywhere in Charles, so I'm not sure how they're making those connections or how to capture that data.
I made requests for read-only API access on their suggestion forum, but obviously that went nowhere.
> WHAT'S WITH THE LOGO?
> The jug is part of the Charles folklore. It once belonged to a man named Charles, but Charles is not named after him.
https://www.charlesproxy.com/documentation/faqs/whats-with-the-logo/
We build an SDK that developers put into their apps. When there are problems, we download their applications and set up a proxy connection on mobile devices we use for testing, and inspect the network traffic of them via our laptops (the proxy) to find out if there are problems with their SDK integration. The SDK communicates to our servers over SSL, so we use a custom certificate installed on the devices, and then we use the Charles app on the laptop to look at the traffic. (in case you're curious -- https://www.charlesproxy.com/documentation/proxying/ssl-proxying/)
To be clear, our laptop will act as the proxy for a device, so that we can inspect the traffic individually. We don't monitor all traffic of the test devices, nor do we have a need to. It's on an individual basis.
These are not devices that users own; they are test devices that they check out and return. As such, the devices do not proxy to the same IP all the time, whoever checks out the device changes the proxy IP to that of their own laptop for the duration that they use the device.
Try using the “Charles Proxy” app. It’s basically an external version of what the Chrome network tools are showing anyway.
I haven't done web dev for a few years so I don't have the tools installed, but you can use Charles proxy's rewrite rule to rewrite a portion of the response, for example.
https://www.charlesproxy.com/documentation/tools/rewrite/
I did this often when I had no control over web responses but needed them to return specific types of data to reproduce bugs so they could be fixed.
> Thanks for the long reply, I think we still agree pretty well on what it should have been.
Yes, indeed.
> but it's really the privacy aspect that bothers me.
Definitely. I don't trust Akinox, which supposedly has nobody in Security or in Privacy, according to Radio-Canada.
> the application doesn't even connect to the network
Not if I go by the Play Store:
> This app has access to:
>
> Photos / Media / Files
>
> - read the contents of your USB storage
>
> Camera
>
> - take pictures and videos
>
> Storage
>
> - read the contents of your USB storage
>
> Other
>
> - receive data from Internet
> - draw over other apps
> - view network connections
> - modify system settings
> - control vibration
> - full network access
> - prevent device from sleeping

All the more so since it offers the option of automatically updating the information. I don't have details, but it implies that, for example, if I get a third dose or am diagnosed with COVID, it will update by itself to show that information... At first glance, going by the application on my iPhone and Charles, the application is silent, so the feature may not have been implemented yet, or will only activate some time after the code is added.
As for the rest, indeed. The application would need to be open-sourced. That would allow flaws to be found and patched more quickly, especially since it would make security audits easier and we would know what is being sent.
> encrypting the network traffic
How would you do that? You use normal SSL keys, the attacker tells their OS to trust their own key that allows MITM. You put the key in your client, the attacker has the key. You send the key on connection to the server, the attacker hacks the client and they have the key.
Instead, you could limit the data you send to clients. If the client couldn't see an opponent, then they don't get sent the opponent's position. If they hear an opponent, they get sent team-agnostic sound events. This requires more processing on the server and probably more network data, but it makes it harder to cheat.
If I had to guess, I’d say the Flash is trying to download a webfont from somewhere and it’s failing.
You might try running something like https://www.charlesproxy.com to watch all the outgoing web requests and see if there’s one coming from the Flash that’s failing.
Of course, even if you find this support file, you’ll probably need to set up a server and override DNS to properly serve it to the Flash.
Normally I’d say not to bother but you’ve already gone so much farther than I’d have bothered to, I’d like to see you make it work ;-)
Amazing. Just used shortcut on a 2021 Subaru Crosstrek Premium. Like Engl-ish, I had to remove the blank Key/Text in the login step. There were also a few different Form options for engineStart. I used Charles to inspect the requests. Thanks for sharing!
You are looking for https://www.charlesproxy.com/
Free version runs for 30 min, then closes, and you restart and repeat.
Enough to play around.
First time setup is not the easiest (you have to install a mock SSL cert, etc.)
Because you are not supposed to see such traffic, therefore you need to perform a man in the middle attack.
But their guide is nicely done.
There are other packages, but this is the easiest
I don't think this would be possible from an iOS app/device. Only one user can interact with an app on a single device at a time.
Whatever the backend is, that's where you'll need to performance test. You'd need the api's the app is sending and then use an api test tool - would be my best guess. Maybe something with Charles is possible?
Else - if you've got 50 phones available...you can hook them up to something like BBC Hive and then run the test in parallel.
You might want to try https://www.charlesproxy.com. You need to see every detail possible of the traffic between you and the server to tease out what is happening.
My first thought was something in your apache config that is doing some reverse proxy stuff or redirects related to https. Just to cross that off the list, have you tried both http and https requests? Do they exhibit this same behavior?
Have you inspected both your request and response headers for anything funky?
In your browser’s network console, you just see this single request sent when the code is executed?
Your reluctance to show the literal code is annoying. You're here asking for help. Help us help you. I get that it might not prove helpful, but the devil is often in the details.
I’d like to see your code and your Apache config. Do you run the server Apache is on and know there isn’t also a load balancer or other hop between you and Apache that could be mucking with the request?
A few things, potentially.
If you’re on MacOS, I’d recommend Little Snitch to see what’s being sent by your computer, what’s being received by your computer, and to where it’s going or originating. This is very easy and is literally just installing, restarting, and you’re done.
You could bump it up a level and look at something like Charles Proxy. This is going to be more complicated though. You could also explore Wireshark.
There are equivalents of all these programs on all operating systems. Just search around and look on YouTube for tutorials.
There are too many things that can go wrong; you'll need to provide more info. Is your phone still getting traffic, i.e. you can still surf but aren't able to see it in Charles? Which Charles are you using, the proxy on the laptop or just the phone, etc.?
Also https://www.charlesproxy.com/documentation/faqs/using-charles-from-an-iphone/
I recommend using Charles Proxy to see what’s really happening here. As another user said, you’re possibly sending a POST but being redirected. Charles can help see what’s going on. It’s an essential tool.
I came up with what I think is a pretty neat solution to this problem a while ago that I have yet to see posted anywhere else so here it goes...
I realized that if you configure a proxy server in the device's wifi settings, network calls to `localhost` get sent through the proxy and thus resolve to the host that the proxy is running on. This even works on the emulator! Just run your development backend server on the same computer as your proxy and this works out great. Personally I like Charles Proxy, but this should work with any debugging proxy.
Then, I configure my `android:networkSecurityConfig` like this to avoid crashes from plaintext network calls to localhost:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Permit cleartext HTTP for localhost only, not for its subdomains -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">localhost</domain>
    </domain-config>
    <!-- debug-overrides apply only when the app is built with android:debuggable="true" -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/charles_root_certificate"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

If your proxy or local webserver has a known certificate that it serves, you can add this to the debug trust anchors overrides and use HTTPS on localhost (even if the cert is self-signed).
An added benefit of this approach is that if you have a `BuildConfig` field defined in your `build.gradle` for the base URL of your server, you don't have to keep changing it to different IP addresses and resyncing the project when you switch to a different wifi network or someone else tries to run your project. Proxy settings on Android devices are remembered per wifi network so if you are using a physical test device you can configure your development PC's IP one time for each network and not really need to worry about it ever again.
ClientRequest 'finish' fires when the request stream on the client has closed and has been "flushed to the underlying system". Conceptually, that's not the same thing as the server having received the last byte of the request. And that `http-timer` is describing that as "Time when the request finished uploading" is a little misleading. A lot can take place between that and the server receiving that data depending on the intermediate network topology.
The simple fact is, the client can't know when the server received the request. The HTTP spec doesn't allow for that. Hell, I'm not even sure TCP allows for that (although it does sound like it mandates ACKs be sent < 500ms after a packet is received.)
So it's not surprising that you're seeing non-zero TTFB's.
Have you tested this in an environment where there's no intervening network? I.e. run client and server on the same box. To slow things down you can delay the rate at which the server `read()`s the IncomingMessage.
Then, from there, you could add a proxy like Charles and use that to inspect/control how data is actually flowing between client and server. That should allow you to determine when exactly the various events are taking place.
I might be biased but I think Apollo's pretty much the best you can get. By default it uses Firebase for some light crash reporting and being able to get stats on things like how many people use light versus dark mode, but even that you can completely turn off if even that bothers you. At that point you could use an app like Charles for iOS to sniff your network traffic and see that Apollo doesn't send anything off so you don't have to take my word for it. :P
I learned some of the more advanced features of Charles Proxy. It is very useful for mocking test JSON responses, advanced throttling of the network, and overall network debugging.
I don't know about add to a cart, but you can add steam (or other hidden appid) to your wishlist. You need to use some proxy... I recommend you to search about Charles proxy and breakpoints.
If you add appid 753 to your wishlist it will be like that: https://i.imgur.com/yVk2mcm.png
You're in luck. The data is actually stored in a CSV file in Dropbox, so it's super simple to download. URL: https://dl.dropboxusercontent.com/s/hprrfklqs5q0oge/player_trends_dev.csv?dl=1
How do I know? I used Charles Web Debugging Proxy to trace the HTTP traffic and searched for a player name in the captured calls.
I think you could try using something like Charles to conduct a man in the middle on the transmission, even works for SSL connections.
If you find something out please report back.
If that's beyond your skillset you could probably ask someone on one of the other subs but beware of wumao-types who might deflect with false information.
Hello everyone,
I'm trying to reverse engineer an IoT device which is controlled via an iPhone app. The device in question is this LED Strip Controller which is controlled by an app called Magic Home.
I've set up Charles Proxy with SSL inspection and it works fine for most internet traffic but it does not capture or show the local traffic between the app and the controller. This is true for all local traffic to other IoT devices that are controlled via other apps or via HomeKit. If I make a request through Safari to a local IP, even on a different port than 80, I can see that traffic. Is there a way to monitor the app's traffic through Charles proxy or proxying in general?
The other approach that I was thinking about was monitoring the traffic that the controller receives. I have a Unifi network (USG, Switch and one AP) but I have no idea how to do something like that. Any help will be greatly appreciated.
Thank you.
So I attempted this on my Mac using Charles (as suggested above) and a tutorial from this YouTube video: https://youtu.be/xL70CLXhF9U (Slightly out of date since Charles has been updated, but it was good enough to help me muddle through)
I did get it to work, but with a few notes: 1) This will NOT work on Mojave or later as the older version of iTunes isn’t compatible and will refuse to install 2) You may run into certificate issues with Charles, in which case please review this page on their site: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
In the end, I couldn’t get the older version to install without deleting 3.0.2 off my phone entirely (iTunes issues), but still, I did get 3.0.1 on there.
I hadn’t known about the private server project before the servers shut down so unfortunately I’ve now lost any trace of my nesos by doing this, but thought I’d share the results of my test with you all in case there are any other Mac users out there in this boat.
I have an HTTP/HTTPS proxy running in my computer. It captures all the network traffic from every application I have installed. This way I can inspect what things each app is both downloading or sending from and to the Internet, respectively.
If you want to do the same, you can do so using one of these apps:
We have this problem in our organization, testing that API calls in native mobile apps fire based on certain calls to action.
To do so we:
If you want to perform manual verification of the calls, you can export from Charles as a CSV from the web interface and then use column filtering to manually eye-ball the calls.
I believe there are complications with using Charles on Android devices on versions Android N and newer. You can’t just set up Charles like normal. I’m assuming it’s mobile app calls that you’re trying to see? It’s going to require some extra dev work to get it working:
https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
First off, I’m a big fan of your organization’s work and the effort everyone there puts in to fight for what’s right. Thank you so much!
Quick question about the testing environment you released...
For the slightly less technical crowd, and in the spirit of democratizing understanding of privacy, could a person get similar levels of insight by using Charles Proxy or Wireshark?
>Am I using this tool incorrectly?
No, but as you point out, it seldom works out of the box because most modern site pages are built with JavaScript, REST API calls, and other techniques.
I've provided ad hoc Power Query web scraping solutions to questions posted here and I invariably do the following:
Here are some solutions I've provided in the past that use different scraping techniques. Due to the nature of the exercise, they may not work anymore:
>You can use a tool like Charles to download them:
>
>https://www.charlesproxy.com/
You can use a tool like Charles to download them: https://www.charlesproxy.com/
First thing is to check for API docs from the company. I would also check google / github to see if anyone has already done some of the work and written a library for it.
If neither of the above are available then you have to do the investigation / reverse engineering work yourself. I've done it in the past for my heating system and recorded some of the steps in a blog post.
In my case I was lucky that it was a fairly simple HTTP / JSON API. For that the main steps to do were to use Charles proxy to capture the messages between the app on my phone and their server. When I had those I wrote a Python library that does the actual HTTP(s) calls and just exposes a Python API. Once this worked locally you can upload it to PyPI and then add the component to Home Assistant that uses this library.
The development docs for Home Assistant are good and explain most of what you need. Anything they don't have can usually be found by looking at similar components or asking on their forum / chat.
Here's a start. You can get the raw data for the Hitter Total URL by creating a blank query and pasting the following code in it:
```
// Query1
let
    Source = Json.Document(
        Web.Contents(
            "https://www.fangraphs.com/api/leaders/splits/splits-leaders",
            [
                Content = Text.ToBinary("{ ""strPlayerId"": ""all"", ""strSplitArr"": [], ""strGroup"": ""season"", ""strPosition"": ""B"", ""strType"": ""2"", ""strStartDate"": ""2018-3-1"", ""strEndDate"": ""2018-11-1"", ""strSplitTeams"": false, ""dctFilters"": [], ""strStatType"": ""player"", ""strAutoPt"": ""true"", ""arrPlayerId"": [], ""strSplitArrPitch"": [] } "),
                Headers = [#"Content-Type" = "application/json;charset=utf-8"]
            ]
        )
    ),
    data = Source[data],
    #"Converted to Table" = Table.FromList(data, Splitter.SplitByNothing(), null, null, ExtraValues.Error),
    #"Expanded Column1" = Table.ExpandRecordColumn(
        #"Converted to Table",
        "Column1",
        {"Season", "playerName", "playerId", "TeamNameAbb", "PA", "AVG", "BB%", "K%", "BB/K", "OBP", "SLG", "OPS", "ISO", "BABIP", "wRC", "wRAA", "wOBA", "wRC+"},
        {"Season", "playerName", "playerId", "TeamNameAbb", "PA", "AVG", "BB%", "K%", "BB/K", "OBP", "SLG", "OPS", "ISO", "BABIP", "wRC", "wRAA", "wOBA", "wRC+"}
    )
in
    #"Expanded Column1"
```
The way I figured this out is by using Charles Web Debugging Proxy and searching for a player name in the captured data.
Play with that and let me know how it works for you.
There are no such apps, because each app in iOS runs in its own sandbox; that's why one app can't monitor another app. You can see the cellular usage in Settings -> Cellular -> Cellular Data. To see the URLs that your app is using, you can go through Charles Proxy.
Use a proxy server like https://www.charlesproxy.com/, it allows you to switch any remote file to a local version. This way you can insert and test the prebid set up without having a true development environment.
At least on iOS (I can’t verify on android), the mic is inaccessible outside of first party without permissions. Pre iOS 11, the mic couldn’t even be used simultaneously with the audio bus output, so you could tell if the mic turned on... because it would turn off your music.
This is my least favorite conspiracy, because it’s so easy to debunk. And I deal with hearing about it on a constant basis. And yes, I’m aware FB Messenger (on android) would turn the mic on in the background sometimes, but there hasn’t been any evidence of any of that data ever transferred off-phone.
It's a trivial thing to implement if you're in a closed community. They're sold to K-12's and business alike off the shelf. You install a trusted CA certificate into your browser, then your proxy server makes on-the-fly certificates for every TLS enabled site you visit. Your proxy/filter can now decrypt the frames as a Man-in-the-Middle without presenting warnings.
It's trivially easy to get going on your own too. Here's something you can use for personal use:
https://www.charlesproxy.com/documentation/proxying/ssl-proxying/
It's possible to add certificates to the Android certificate store as a user, and then the system will trust them (since the user does). This is what Charles Proxy does to decrypt TLS traffic for debugging.
> Charles Proxy for iOS lets you capture and inspect network requests and responses on your iOS device. You can view metadata, headers and bodies in the app, so you can finally debug your app’s networking issues without a computer.
There's also a desktop app: https://www.charlesproxy.com
You need to spend $50 on the full version of https://www.charlesproxy.com in order to participate in this.
Not sure if this company has anything to do with the company that makes CharlesProxy but this detail was conveniently left out during the registration process and the emails afterwards. No details were ever given as to what needed to be done for this “weekend assignment” so I’d suggest steering clear of it.
Yes, it's a known type of malicious ad referred to as "auto-scroll ads" and can be identified and blocked by services like GeoEdge Ad Integrity. Generally, these ads are removed by the DSP by the time we've reported them, so there is a good chance it's already been removed. Most DSPs will ask for a Charles log that will allow them to identify the bad actor. https://www.charlesproxy.com/
> Currently I am trying to revert the version of the "Skype for iPhone" app on iOS using the program "Charles Proxy"
How are you planning on this helping you revert Skype? Even if you intercepted the App Store download request, you won't be able to get the iPhone to accept a different payload for the app file. If you have an IPA (that was downloaded legitimately from iTunes with your Apple ID) you could just side-load it on to the phone with iTunes.
However, the iPhone is going to check the signatures on the app bundle....as well as the FairPlay DRM to make sure it was downloaded by you. So, intercepting / injecting the old app into the network request isn't going to make the iPhone accept a copy that iTunes rejected.
So, Charles Proxy isn't going to help you do anything that can't be done with a simple sideload from iTunes. But, /u/czpcr is correct: You need to install the SSL certificate for Charles on your phone. They have a webpage on how to do it.
If you're planning on spoofing the requested version to download....I don't think that will work either.
Also: The Skype update is terrible. I don't blame you for wanting to revert. Made me switch to a different app.
SECTION | CONTENT |
---|---|
Title | How To Downgrade Any iOS App To Any Version [NO JAILBREAK]/Any iOS Version |
Description | Hello YouTube.. Welcome to our Channel TechNow Review.. Today we are back here with our new video on how to downgrade any app to any version without jailbreak on any ios version. Go give it a try!! Download charles for Windows/Mac : https://www.charlesproxy.com/download/latest-release/ ... |
Length | 0:10:35 |
I finally could make it work with this tool, it's all good: https://www.charlesproxy.com/
I tried with Fiddler too but it's not really working well on Mac and couldn't figure out how to do resource mapping.
You can just use Charles (https://www.charlesproxy.com/) to have it make requests via a PC or Mac and get visibility of what's being sent. Setup is pretty straightforward if you follow the instructions.
HTTPS is vulnerable to MITM if the client has modified the chain of trust by installing a root certificate (some popular software that can demo: Charles, Fiddler).
A captive portal enforcing installation of a local browser certificate would work to effectively MITM over HTTPS. This vector might be too much interaction for most users and they'd just use their phone to tether, though.
It is super unlikely, but possible. SuperFish was an example of the certificate being installed on the client by OEM.
You have to use a debugging tool like Charles to intercept the data sent by the server. There's probably a guide in this subreddit if you search around for it. I'm pretty sure it's against the ToS so use at your own caution.
You can pretty much do anything you like if you have the time.
For example, you can use a reverse proxy like this one https://www.charlesproxy.com/ and map JS files locally to tweak them; they would render with their altered version in the browser. So yeah, front-end JS and security aren't a nice pair.
I recommend using a program like Charles to intercept the request from the iPhone, where you can easily find all the required information like secret, identitysecret, and deviceid.
yep, just because the audio wasn't great in the first place. if you want to try finding the source mp3, you can use charles proxy (https://www.charlesproxy.com) or try this guide: http://www.adobe.com/devnet/flex/articles/flashbuilder4_network_monitor.html
for video the easiest method is turning on the "develop" menu in safari preferences and changing your user agent to "iPad". the site will usually serve a native html5 video which you can save from the context menu.