Hello!

We wanted to use Charles (https://www.charlesproxy.com/) to inspect the calls made by our app from an Android device, for debugging purposes.

So we configured the phone wifi to use a HTTP proxy and installed a CA certificate from Charles. We also edited AndroidManifest.xml in Lime template to fix SSL certificate pinning by adding a /res/xml .network-security-config.xml file, referenced in the manifest.

Now Charles seems to work and does intercept some calls made by our app, namely all calls made by some Lime Native Extensions that we wrote for different third parties that we’ve integrated into your app (AWS Kinesis, Kochava etc.). These all have a Java source and make networking calls from the Android APIs in Java.

But strangely, we couldn’t intercept at all any network call made to our own backend. These calls are made from our Haxe code, using openfl.net.URLLoader, which in turn relies on lime.net.HTTPRequest, which is natively supported by HXCPP I’m assuming. Our theory is that this C++, lower-level, networking support from HXCPP is somehow ignoring the OS-level WiFi proxy settings and goes straight to the destination. Because our backend does receive the calls fine, it’s just that they are completely transparent to the Charles proxy.

I probably should post this as an issue at https://github.com/HaxeFoundation/hxcpp/issues, but I wanted first to see what you guys think of this situation here, or if you encountered a similar scenario.

We’re using Haxe 4.1.5, OpenFL 9.0.2, Lime 7.8.0 and HXCPP 4.1.24.

Thanks!