Observing Network Traffic of iOS Applications

Have you ever downloaded an app and wondered how it was communicating? This guide steps you through a method for observing the API requests that applications are making on your iOS device.

Introduction

Audience

This document is intended for a technical audience. You should understand some of the basics around how the internet works and network traffic works. The guide is also intended for users that are on Mac OS X. At the time of writing this I’m on El Capitan (10.11.4).

What You’ll Learn

The purpose of this guide is to show you a way to view the HTTP requests that your app makes. For example, if you always wondered how Instagram handles authentication. With this guide you’ll be able to observe the HTTP calls that your device is making to the server.

Getting Started

Downloading Charles

Charles has been around for a while an old standby for this task. You can download Charles here.

Connecting Your iOS Device and Computer

While Charles is downloading open up Network Utility (use Command + Space to Spotlight Search “Network Utility” if you don’t know how to find the app).

Take note of the IP Address field under the Info tab.

On your iOS device navigate to Settings > Wi-Fi and tap the i button on the end of the row both your iOS device and your computer are sharing.

Settings including the HTTP Proxy Setting

Scroll to the very bottom of this view and you’ll see the options for HTTP Proxy.

Tap Manual on the segmented control and enter the IP address identified on your Mac’s Network Utility app.

Enter 8888 for the port and navigate out of this view by tapping the Wi-Fi button on the navigation bar.

Firing Up Charles

Once downloaded open up and install Charles. It will come ready to roll and will likely start recording traffic right away. Make sure Charles is running and recording traffic just in case.

Making Your First Request

Once you enter the proxy information on your iOS device and Charles is running. You should see a prompt to authorize the connection from your iOS device to your computer. Authorize that request.

SSL, iOS and Charles

Viewing Network Traffic & SSL

You’ll notice very quickly that most if not all apps use SSL. So when we go to fire up Instagram we see the following.

Snap, we can’t view SSL traffic because the traffic is encrypted.

We need to enable SSL with our proxy. This means installing a certificate on your iOS device that Charles.

Installing SSL Certificate on iOS Device

To get started in Charles. Head to the Proxy menu and select SSL Proxy Settings. Within this view check Enable SSL Proxying. You can also add a location. For example, I added i.instagram.com.

In Charles, head to the Help menu and click on Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device on Remote Browser…

Open Safari on your iOS device that is already connected to the Charles proxy. As per the alert window, head to http://charlesproxy.com/getssl

Note: Don’t do this in Chrome. Use Safari as it knows how to deal with the PEM file and will get it installed.

Viewing a Network Request

Once SSL is setup properly between Charles and the iOS device network requests will be displayed. On the right side of the pane you can see all data passed back in JSON as well as the raw response.

Where to Go From Here

Once you can see the network traffic of an application it gives you a glimpse into the architecture and actual capabilities of the software running it. This is a great tool for anybody looking to design their own APIs. Design of an elegant system and API is both a mix of science and art. Using Charles you can appreciate the work other engineers are doing.

Suggested Reading

The Web Application Hacker’s Handbook is a must read if you are interested in this type of work. If you build your own applications it is important to understand what vectors people may use to hack your application.

I know the cover is so very 90’s but the content is still highly relevant and a great baseline to understand how HTTP works and is commonly setup.

Other Tools or Alternatives

mitmproxy looks like an alternative to Charles that looks interesting.