An Android application that has SSL Pinning was successfully tested on a mobile device running Android 6 (with the certificates installed) using Burp proxy and OWASP ZAP Proxy. As expected the application refused connections when using either proxy.
However, when tested using Charles Proxy it was possible to intercept and read most of the app traffic in clear text, despite the presence of SSL Pinning.
What could be a reason for this? Google searches yielded no fruit.