To inspect HTTPS traffic, ProxyHawk acts as a local Certificate Authority (CA). You install the CA once per platform — the in-app onboarding guides you through each step automatically. There is no Settings screen to navigate; everything is done from inside ProxyHawk.
ProxyHawk generates a self-signed root CA (called Proxy Hawk CA) on first launch.
When a device or browser trusts this CA, ProxyHawk can decrypt HTTPS traffic as a MITM proxy — then re-encrypt it transparently.
You choose which hosts to decrypt using SSL proxying rules (see below). Everything else passes through encrypted.
The CA never leaves your Mac. No cloud, no certificate authority servers.
Mac — one-click install
During onboarding, select Browser / Desktop and click Install certificate. ProxyHawk:
Runs security add-trusted-cert to add Proxy Hawk CA to your login Keychain.
Sets full SSL trust, so ProxyHawk can now decrypt HTTPS traffic from Safari, Chrome, and other system-proxy-aware apps.
Shows a green "Installed & Trusted" status when complete.
If the automatic install is blocked by a corporate policy, click "Having trouble? Use manual setup" in the in-app guide to export the PEM and add it in Keychain Access manually.
iOS Simulator — automatic
During onboarding, select iOS Simulator and click Install certificate. ProxyHawk:
Detects all booted Simulator UDIDs via xcrun simctl.
Pushes the Proxy Hawk CA certificate into each booted Simulator's trust store automatically.
Verifies the install by checking the Simulator's keychain, then checks the step off for you.
Zero manual steps on Simulator. You never open Simulator settings or drag a certificate file anywhere.
Physical iPhone — QR + profile (one-time only)
This is the setup other proxy tools get wrong. ProxyHawk uses a configuration profile (.mobileconfig) served over a local QR-linked URL, making the entire process a phone scan and two taps.
During onboarding, select iOS Physical Device and click Install certificate.
A QR code appears. Before scanning, decide whether to enable "Include Wi-Fi + HTTP proxy in profile":
With Wi-Fi included — the profile configures the proxy automatically. After install, your iPhone routes traffic through ProxyHawk whenever the Mac app is running. No manual Wi-Fi settings ever again.
Without Wi-Fi — you'll configure the Wi-Fi proxy once in iPhone Settings (Step 3 in the getting started guide).
Scan the QR code with your iPhone camera. It opens a profile download page served directly by ProxyHawk.
On iPhone: Settings → General → VPN & Device Management → tap the ProxyHawk profile → tap Install.
On iPhone: Settings → General → About → Certificate Trust Settings → enable full trust for Proxy Hawk CA. (This step is required by iOS for third-party root CAs — it's separate from the profile install by design.)
Done. These two iOS steps are permanent. You never repeat them for this device.
QR code not showing? Make sure ProxyHawk is running (proxy must be active), and that your Mac and iPhone are on the same Wi-Fi network. If the QR still doesn't appear, tap Copy Link in the guide and paste it into Safari on your iPhone, or use AirDrop to iPhone.
Android — in-app export
During onboarding:
Android Emulator — ProxyHawk auto-configures the emulator via adb. The CA is pushed as a system CA and the proxy is set to 10.0.2.2:9090 automatically.
Physical Android — click Install certificate to export the CA as a .cer (DER) file. Transfer to the device and install via Settings → Security → Install from storage. Then set Wi-Fi proxy manually to your Mac's IP:9090.
Android 7+ note: Apps targeting API 24 or later only trust system CAs, not user-installed ones. Use a debug build with a network_security_config.xml that trusts user CAs, or root the emulator to install the CA as a system CA.
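A network security config that trusts user-installed CAs only in debug builds, shown as an added example (it is not a file shipped or generated by ProxyHawk). The file path res/xml/network_security_config.xml and the manifest attribute in the comment are the standard Android locations; adjust them to your project.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not ProxyHawk's own file).
     Referenced from AndroidManifest.xml on the <application> element:
         android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Release behaviour: trust only the system CA store. This is already the
         default for apps targeting API 24 or later; it is written out here so
         the intent is visible in code review. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the build has android:debuggable="true". User-installed
         CAs (such as the exported Proxy Hawk CA) are trusted in addition to the
         system store, so a debug build can be inspected while a release build
         still rejects certificates issued by the proxy. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Weaker variant to avoid: placing <certificates src="user" /> inside
         <base-config> makes every build, including release, trust any CA that
         the user or a device profile installs. -->
</network-security-config>
```

Because the user store is trusted only under debug-overrides, removing the Proxy Hawk CA from the device afterwards is cleanup rather than a release-build concern.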
SSL proxying modes
Even with the CA installed, ProxyHawk only decrypts the hosts you explicitly allow. Choose a mode in SSL Proxying rules:
Decrypt only these hosts (recommended) — only hosts matching your patterns are MITM-decrypted. All other HTTPS passes through as an encrypted tunnel. Best for privacy and performance.
Decrypt all except… — broad decryption with explicit exclusions (e.g. banking or streaming hosts). Use when you want full visibility across many services.
The fastest way to add a host: right-click any row in the traffic list and choose Enable SSL Proxying for this host. Or use the Track button during onboarding to pin and enable SSL in one tap.
Certificate pinning
Some apps pin specific server certificates or public keys. When this is active:
The app rejects the proxy's certificate even when the Proxy Hawk CA is trusted at the OS level.
You'll see failed connections, SSL errors, or rows with no response in the traffic list.
This is not a ProxyHawk bug — certificate pinning is a deliberate security feature.
The fix requires a debug build with pinning disabled or a test entitlement. This is true for all proxy tools.
Most internal, staging, and development APIs do not pin — you can usually debug those freely.
Removing trust when done
macOS — open Keychain Access, find Proxy Hawk CA in the login keychain, and delete it.
iPhone — Settings → General → VPN & Device Management → tap the ProxyHawk profile → Remove. Then remove it from Certificate Trust Settings.
Android — Settings → Security → Trusted credentials → User → remove Proxy Hawk CA.
If you suspect the CA private key was compromised, use Regenerate CA in ProxyHawk to rotate it. All devices will need re-setup after this.