Advertisement

How to inspect iOS's HTTP traffic without spending a dime

Richard Gaywood
Dr
Updated ·4 min read

image credit: Matrix Rain by docmiller on deviant art, CC BY-SA 3.0

I recently had a problem. I was seeing intermittent issues with an iPhone app, Tapatalk, not working properly with a web forum hosted by a friend of mine. I knew there was a much better chance of getting the bug fixed if I could a) prove it was a bug and b) show the devs exactly where the problem was, but I was hampered by the usual problem: iOS apps are a bit of a black box, and I couldn't see what it was doing internally.

However, like almost all network-aware iOS apps, this one was clearly using a web service to get data from the backend. So, all I needed to do was figure out a way to see the traffic on the web service. This is the sort of thing I used to do all the time when my day job was writing load testing scripts for big ecommerce sites, but the first time I'd had to do it on the Mac or from an iOS client. I managed to get it working after doing a little research. If you find yourself in need of a similar solution -- perhaps for iOS app development, reporting a bug or some other reason (or just plain hacker interest!) -- then click through for step-by-step instructions on how to intercept and view your iOS web traffic from any Mac running on the same network.

The first thing you need is an HTTP sniffer program. The grandaddy of all network traffic sniffers is Wireshark, but it's rather low-level and overpowered for quickly looking through HTTP traces. It's a bit like using an electron microscope when what you wanted was a magnifying glass. I came across several glowing references to Tuffcode's MacScoop HTTP Scoop during my research, but didn't really want to spend $15 on an app I was only going to use once. I settled on PortSwigger's Burp Suite, a comprehensive HTTP security analysis tool. The free version has the HTTP Proxy feature, which is the only bit we need; grab that. (Windows users: you can use the excellent and free Fiddler Web Debugger, but I won't be walking you through that today, sorry. The steps are very similar though.)

Burp Suite is a Java program, so when it downloads, you'll see a directory with a JAR file in it. If you double click that, it should start up after a warning about an untested JVM version. Be thankful we still get JVMs with our OS X for now or this would be more complex.

Burp is written by and for security experts, so the UI is a bit ... Spartan, ... but it's easy to configure it for the simple feature we want to do. First, click the Proxy tab at the top, then click the "intercept is on" button to make it say "intercept is off," like so:

Next, select the Options tab. It'll show you a single "proxy listener" running in a list. Click on it, then click the Edit button. Untick the "Listen on loopback interfaces only" checkbox, then click "Update." You'll get a warning you can ignore, and when you're done, the app window should look like this:

When you're done, click on the History tab. If you're one of the many Mac users who find Java UIs give you hives, you can rejoice, because you're done with that for now!

Next, open Apple > System Preferences > Network. Select your current active network connection and make a note of the IP address your Mac is using. For me, this is 192.168.2.32.

Now, turn to your iOS device -- I'll be using my iPhone, but this works the same way on an iPad or an iPod touch. Go into Settings > Wi-Fi > your Wi-Fi network, and then click the blue "more details" arrow. Scroll down and at the bottom there's a set of three buttons under "HTTP Proxy." Select "Manual" and fill in your Mac's IP address (found in the last step) and the Burp Suite port number (8080 unless you changed it earlier), like so:

And that's it. If you flick back to the Burp Suite window on the Mac now and start browsing the Web or using apps on your iPhone, you'll see all the traffic show up in a neat little list. You can click on each individual request to see the full text sent and received as part of the request. Note that you might see some security warnings on the iPhone for any app that uses an encrypted link; this is because the app thinks that Burp Suite might be a man-in-the-middle attack. It's not, though, and it's safe to ignore that warning.

And there you have it -- with one free download and a few minutes of configuration work, you can snoop all of iOS's web traffic for fun and/or profit.

Update: corrected name "MacScoop" to "HTTP Scoop". Thanks for the correction, Jonathan.

Update 2: please check the comments for lots of suggestions for alternate tools to do this job. Thank you all for your insightful additions!