Tim Perry

Creator of HTTP Toolkit: powerful tools to debug, test & build with HTTP(S).

Passionate tech speaker, open-source contributor, and maintainer of Loglevel, Git‑Confirm and notes.

A couple of weeks ago I published a post about changes in Android 14 that fundamentally break existing approaches to installing system-level CA certificates, even with root access. This has triggered some fascinating discussion! I highly recommend a skim through the debate on Mastodon and Hacker News. Since that was posted, quite a few people have ...
Update: This post sparked a lot of excellent discussion and debate on workarounds, and there are now multiple working solutions to allow certificate injection on Android 14, despite the restrictions discussed here. See the update post for more details. When Android was initially announced in 2007 by the Open Handset Alliance (headed by Google) their...
There's been a lot of concern recently about the Web Environment Integrity proposal, developed by a selection of authors from Google, and apparently being prototyped in Chromium. There's good reason for anger here (though I'm not sure yelling at people on GitHub is necessarily the best outlet). This proposal amounts to attestation on the web, limit...
Caching is hard. Unfortunately though, caching is quite important. Hosted caching & CDNs offer incredible powers that can provide amazing performance boosts, cost savings & downtime protection, essential for most modern sites with any serious volume of users. Unfortunately, while there are strict standards for how caching is supposed to work with H...
This week, at long last, GitHub announced granular access tokens for npm. This is a big deal! It's great for security generally, but also particularly useful if you maintain any npm packages, as it removes the main downside of automating npm publishing, by allowing you to give CI jobs only a very limited token instead of full 2FA-free access to you...
As you may have seen, Docker Hub made a dramatic shift in policy this week, and effectively gave a 30 day eviction notice to almost all community-run images. They've now made an apology to 'clarify' a few details, and helpfully take some of the hard edges off, but this still highlights a big problem. Fortunately, there are solutions. As initially d...
HTTP Toolkit has been selected to receive another round of open-source funding from the EU! This aims to improve interception of HTTPS traffic from mobile apps, making it easier for both security/privacy researchers and normal technical users to inspect & manipulate the data that any app they use sends & receives. This funding will directly support...
HTTP is important on the web, but as other alternative protocols grow popular in networked applications, it's often important to be able to capture, debug and mock those too. I've been working on expanding HTTP Toolkit's support for this over the past year (as one part of a project funded by EU Horizon's Next Generation Internet initiative), to ext...
The world of decentralized web applications is an exciting place that has exploded in recent years, with technologies such as IPFS and Ethereum opening up possibilities for a peer-to-peer web - creating applications that live outside the traditional client/server model, where users interact with and control their own data directly. At the same time, ...
WebRTC allows two users on the web to communicate directly, sending real-time streams of video, audio & data peer-to-peer, from within a browser environment. It's exciting tech that's rapidly maturing, already forming the backbone of a huge range of video chat, screen sharing and live collaboration tools, but also as a key technology for decentrali...
Certificate transparency is a superb improvement to HTTPS certificate security on the web that's great for users and businesses, but on Android it creates a huge problem for the many developer tools like HTTP Toolkit which install trusted system certificates into Android to intercept & debug app traffic. This doesn't appear in the main announcements ...
The modern internet is full of services that want to know who you are. Fingerprinting is the latest way to do this: capturing many small details about your client, and using it to create an id that's sufficiently unique to recognize you and infer details about your network client and device. This is a privacy problem, which I'm not going to focus o...
I get a lot of emails from users who want to know exactly what their favourite Android app is doing, and want to tweak and change how that works for themselves. There are some great tools to do this, including JADX & Frida, but using these is complicated, and every reverse engineering problem has its own unique challenges & solutions. There are few g...
If you run any large public-facing website or web application on the modern web, caching your static content in a CDN or other caching service is super important. It's also remarkably complicated and confusing. Fortunately, the HTTP working group at the Internet Engineering Task Force (IETF) is working to define new HTTP standards to make this bett...
Kagi is a great search engine. If you've been on the fence due to the weird pricing, this update should he...
Answer by Tim Perry for Android 14 (UpsideDownCake) doesn't see certificate installed in /system/etc/security/cacert
Android 14 now reads CA certs from within the Conscrypt library's APEX filesystem, at /apex/com.android.conscr...
Update: there's now a solution for CA certificate injection on Android 14! 🎉 Full details in a new post he...
Allow intercepting any Chrome profile (not just the default)
Use the per-user Docker socket as the Unix default, if present
https://github.com/vercel/next.js/discussions/46722 is very interesting (via https://pilcrow.vercel.app/blog/n...
crypto: return clear errors when loading invalid PFX data
Comment by Tim Perry on Intercepted request through HTTP ToolKit headers won't change
Hmm, that's harder to debug unfortunately. In general though, if you breakpoint a request, modify the headers ...
Use the new Mac Docker socket default path, if present
Answer by Tim Perry for Intercepted request through HTTP ToolKit headers won't change
For all data in a proxy environment like this there are two different visions you could be interested in: how ...
Answer by Tim Perry for How can I debug a HTTP POST in Chrome?
Another option that may be useful is a dedicated HTTP debugging tool. There's a few available, I'd suggest HTT...
Answer by Tim Perry for Way to debug CORS errors
While browsers still aren't very helpful here, I recently built a webpage that can tell you exactly what's goi...
Answer by Tim Perry for Install CA Certificate on android emulator
On recent Android versions, it's no longer possible to install system certificates, and installing user certif...
Answer by Tim Perry for How to monitor HTTP (get, post etc) requests that my app is making in android
Try HTTP Toolkit - it's an open-source tool I've been building to do exactly this. It can automatically interc...
Android 14 is going to create some big problems for devs, testers, reverse engineers, researchers, and anybody...
Answer by Tim Perry for How do I trust a certificate on android device?
This is due to limitations in recent versions of Android. On unrooted devices, it is impossible to install sys...
Comment by Tim Perry on How to read raw response on HTTPTOOLKIT?
That's a fair question! It was a "most common format" guess - in this case in fact, on closer inspection it pr...
Just discovered that browser WebSockets still don't support headers on the web (thanks @davidfowl). The lat...
Answer by Tim Perry for How to read raw response on HTTPTOOLKIT?
This error occurs when HTTP Toolkit validates the contents of the response body as JSON. It appears because th...
Comment by Tim Perry on Proxying HTTPS mobile app requests fail with 403 response when SSL proxy enabled
@hldev for some server/client combos, you may need to force HTTP/2 for this, which HTTP Toolkit supports but d...
PayPro have vastly more payment methods (https://payproglobal.com/payment-methods), better fraud handling, rea...
A payment processing battle update, nearly a year later: in the end I switched HTTP Toolkit's checkouts fr...