Put simply, it is a man-in-the-middle attack.
“Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.
Charles does this by becoming a man-in-the-middle. Instead of your browser seeing the server’s certificate, Charles dynamically generates a certificate for the server and signs it with its own root certificate (the Charles CA Certificate). Charles receives the server’s certificate, while your browser receives Charles’s certificate. Therefore you will see a security warning, indicating that the root authority is not trusted. If you add the Charles CA Certificate to your trusted certificates you will no longer see any warnings – see below for how to do this.”
On the problem of being unable to capture traffic with Charles on iOS 9:
SSL Proxying with iOS 9
You need to disable App Transport Security in your app to use Charles SSL Proxying with apps running on iOS 9.
To disable ATS you need to add keys to your app's Info.plist file, as below. See this tech note from Apple for more information.
You must remember to re-enable ATS before you release your app to take advantage of the security that ATS provides.
Note that this means that you cannot use Charles to observe SSL traffic from apps that you do not control.
ref: FAQs • Charles Web Debugging Proxy
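About ATS: Cocoa Keys
Put simply, ATS in iOS is a security hardening measure. In About ATS we can see some of the restrictions that ATS places on certificates. Charles can no longer be used because iOS 9 considers the connection insecure, and the current workaround is to disable ATS. In the long run, either Charles's certificate has to become a "secure certificate" in the eyes of ATS, or ATS has to change its own spec to treat Charles's certificate as secure, but for now both approaches look like they may still take some time.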