Viewing iOS Network Traffic

Have you ever come across an iOS app that doesn’t have a documented API? Ever wanted to reverse engineer that API? We can use a program called mitmproxy to accomplish this task. It’s a proxy that uses a man-in-the-middle position to intercept HTTP(S) traffic.

Installing mitmproxy

mitmproxy can be installed using pip, the python package manager.

pip install mitmproxy

There are also other installation methods available in their docs.

If you want to view encrypted traffic you’ll have to install a CA certificate on your iOS device. The mitmproxy documentation has a fairly thorough section on certificates. For iOS, the steps are as follows:

Get your computer’s IP address. If you’re using a Mac, go to System Preferences > Network > Advanced > TCP/IP.

Manually set the HTTP Proxy on your iOS device by going to Settings > WiFi. Set the Server to your computer’s IP address and Port to 8080 (mitmproxy’s default listening port).

Run mitmproxy on your computer.

mitmproxy

Install the mitmproxy CA certificate by visiting http://mitm.it on your iOS device. Install the Apple certificate. On current iOS versions you must also install the downloaded profile in Settings and then enable full trust for it under Settings > General > About > Certificate Trust Settings, otherwise HTTPS connections will still fail.

…and with that, mitmproxy is installed!

Viewing Network Traffic

All HTTP(S) requests will now be captured. After visiting some webpages, we should see a list of requests in the mitmproxy terminal window.

Each line represents a flow, a single HTTP request and response. The list of flows can be navigated by using the [Up] and [Down] arrow keys. A flow can be selected by pressing [Enter].

The flows view can be switched between Request, Response, and Detail by either pressing [Tab] or using h and l. Press q to return to the list of flows.

The list of flows can be saved by first pressing w, then l, and then entering a file name, for example output.mitm. You can then exit mitmproxy by pressing q. A saved file can be reopened for later use:

mitmproxy -r output.mitm
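Stepping through flows by hand gets slow once an app makes hundreds of requests. The addon below is an added example (not from the original post or the mitmproxy project) that turns a capture into an endpoint inventory: it collapses id-like path segments so /users/42 and /users/43 become one endpoint, and writes the result to a hypothetical api_map.json when mitmproxy exits. It relies only on the flow attributes mitmproxy passes to the response and done hooks.

```python
# api_map.py: mitmproxy addon that inventories the endpoints an app calls.
# Live capture:            mitmproxy -s api_map.py
# Over a saved capture:    mitmdump -n -r output.mitm -s api_map.py
import json
import re
from collections import defaultdict

OUTPUT_FILE = "api_map.json"  # hypothetical output path, change as needed

# Path segments that look like identifiers (all digits, or a UUID) are
# replaced with {id} so per-object URLs collapse into one route template.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)


def normalize_path(path):
    """Strip the query string and replace id-like segments with {id}."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/")]
    return "/".join(parts) or "/"


class ApiMap:
    def __init__(self):
        # (method, host, route template) -> counts plus observed statuses/types
        self.endpoints = defaultdict(
            lambda: {"count": 0, "status": set(), "content_type": set()}
        )

    def response(self, flow):
        # mitmproxy hook: called once per flow that received a response.
        req, resp = flow.request, flow.response
        entry = self.endpoints[(req.method, req.pretty_host, normalize_path(req.path))]
        entry["count"] += 1
        entry["status"].add(resp.status_code)
        ctype = resp.headers.get("content-type", "")
        entry["content_type"].add(ctype.split(";")[0].strip())

    def summary(self):
        """Return the inventory as a sorted, JSON-serialisable list."""
        return [
            {"method": m, "host": h, "path": p, "count": e["count"],
             "status": sorted(e["status"]), "content_type": sorted(e["content_type"])}
            for (m, h, p), e in sorted(self.endpoints.items())
        ]

    def done(self):
        # mitmproxy hook: runs at shutdown, or once a -r replay has finished.
        with open(OUTPUT_FILE, "w") as f:
            json.dump(self.summary(), f, indent=2)


addons = [ApiMap()]
```

Running it over a saved output.mitm with mitmdump -n avoids starting the proxy at all, so the same capture can be re-analysed after the device has been disconnected.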

After you are finished using mitmproxy, you can disable proxying by setting HTTP Proxy in Settings > WiFi to Off. The CA certificate does not have to be removed, but bear in mind that while it stays trusted, anyone holding the matching private key from your ~/.mitmproxy directory could intercept the device’s HTTPS traffic, so removing it once testing is over is the safer choice.

Conclusion

mitmproxy is a very powerful and flexible program that can do much more than just view HTTP(S) requests. More information is available in their docs.

…but this should be enough to reverse engineer an API.

Happy Hacking!

Note: mitmproxy can only intercept HTTP(S) traffic.