Apple - How can Charles Proxy change settings without admin rights after first time?

Privileged Helper

If Charles Proxy is following Apple's recommendations, the permissions gained during the initial set-up will be encoded as a Privileged Helper.

On macOS the folder /Library/PrivilegedHelperTools contains tools that have previously authenticated and authorised with the user.

The folder /Library/LaunchDaemons contains the launchd files that launch and determine access to the tools.

There are other approaches, such as:

Running with Elevated Privileges

If you do need to run code with elevated privileges, there are several approaches you can take:

  • You can run a daemon with elevated privileges that you call on when you need to perform a privileged task. The preferred method of launching a daemon is to use the launchd daemon (see launchd). It is easier to use launchd to launch a daemon and easier to communicate with a daemon than it is to fork your own privileged process.
  • You can use the authopen command to read, create, or update a file (see authopen).
  • You can use a BSD system call to change privilege level (see Calls to Change Privilege Level). These commands have confusing semantics. You must be careful to use them correctly, and it’s very important to check the return values of these calls to make sure they succeeded.

After more research, I found this Common Vulnerabilities and Exposures (CVE) description CVE-2017-15358 Local root privesc in Charles Proxy 4.2:

Setting a system-wide proxy requires root permissions so this is handled by an suid binary located within the Charles application folder:

/Applications/Charles.app/Contents/Resources/Charles Proxy Settings

It says that in its first-time setup, Charles Proxy creates a setuid binary that is used on subsequent runs to change the proxy settings.

The link in Graham's answer points this method out as a legacy way of accomplishing this behaviour and is no longer recommended.
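To see which of the two mechanisms described in the answers an installed application uses, the following added example (not part of the original answers, and not code from Charles or Apple) lists setuid files under an application tree and pairs each privileged helper with the launchd plists that mention it. The function names and the `report` argument are assumptions of this example, and the name match against plist contents is a simple text search.

```shell
#!/bin/sh
# Added audit example; the default paths are the macOS locations named in
# the answers. Pass other directories to check a copy or a test tree.

# Print every regular file under $1 that has the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# For each tool in helper directory $1, print the launchd plists in $2
# whose contents mention the tool's file name, or "(none)" if no plist does.
list_helpers() {
    for tool in "$1"/*; do
        [ -f "$tool" ] || continue
        name=$(basename "$tool")
        # grep -l prints only the names of matching files; -F is a literal match
        plists=$(grep -lF -- "$name" "$2"/*.plist 2>/dev/null || true)
        [ -n "$plists" ] || plists="(none)"
        printf '%s -> %s\n' "$name" "$plists"
    done
}

# Run the report only when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "report" ]; then
    echo "setuid files under /Applications:"
    list_setuid /Applications
    echo "privileged helpers and their launchd plists:"
    list_helpers /Library/PrivilegedHelperTools /Library/LaunchDaemons
fi
```

Run it with the `report` argument on the Mac being checked; a setuid file inside an application bundle indicates the legacy approach, while an entry under the helper directory indicates the launchd-based one.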