seeing http requests that ios app makes - ios

I'd like to see the requests / responses that an iPhone app makes.
I mostly work on web apps, and I can use Firebug / Fiddler to see them. But how can I see incoming/outgoing traffic of an iOS app, if I'm running it on my wireless?

The Charles Web Proxy (and I believe Fiddler as well) allow connections from external hosts, when configured properly. In Charles, you will need to make sure your iPhone is added to the Access Control List in Proxy -> Access Control Settings.
After that, you can simply set your iPhone's proxy to your computer's Charles or Fiddler instance. In my case, my local desktop is at 192.168.10.1, thus my iPhone's proxy is set to:
192.168.10.1:8888
One problem, however, may be if you want to decrypt SSL traffic. It may be difficult to get the iPhone to add Fiddler or Charles' certificate to the keychain.

You could share your Mac's wireless with the iPhone
and then use some tool; I personally use http://www.charlesproxy.com/ for these kinds of issues.
You could pick a tool from
https://superuser.com/questions/99870/mac-wireshark-alternatives

Related

How to see web socket requests in Charles Proxy

I'm using a free version (3.11.5 as of this writing) of Charles Proxy and proxying my iPhone through it to attempt to reverse engineer some real-time features of an app I'm using.
I'm successfully able to see all http/https requests in and out of the device. There are, however, web sockets (wss://) that are open on the app that I can't see. It's only listing http/https requests.
Is there a setting I'm missing? Is the free version limited? Thanks.
It could be that the app you are proxying is not using the proxy settings you have defined in your iPhone’s “Settings”. If this is the case, you’d need a version of the app which adheres to the user defined proxy settings in order to see the WebSocket traffic in Charles.

iOS 3rd Party Framework assure no network connections

In a project we are currently working on we need to rely on a precompiled 3rd party framework.
Is there any way to assure that it is not able to open up a network connection and send out confidential data?
Edit:
To make this a little clearer: It does not have to be at runtime. A static check is fine. I was more thinking something along the lines of: Is there a library that everyone who wants to use network has to link against?
Yes, there is a way to accomplish what you want. Check mitmproxy out. Install mitmproxy on your Mac, Windows or whatever, install your app on the device, launch mitmproxy in the terminal, make your computer's IP a proxy on the device, install the https certificate as described in the mitmproxy docs, launch your app, and enjoy! mitmproxy can show all outgoing connections from your app. Good luck!
EDIT
Starting from iOS 9, you can set trusted hosts in the app Info.plist under App Transport Security Settings key. More info about it you can find here. Hope this was helpful.
I'm not sure it is possible to ensure an app never makes a network call.
As Fahri Azimov suggests, you could test whether the 3rd party framework makes network calls by funnelling all traffic from test devices through a proxy. You can do this locally on your Mac using the iOS Simulator and Little Snitch. But this cannot ensure that the framework will Never make a network call.
A work-around to ensure your app performs no networking could be to use NSURLProtocol to intercept any network calls and return errors. You could look at the OHHTTPStubs framework for inspiration. But, again, this is limited as it will only catch NSURLConnection / NSURLSession networking calls; it won't intercept low-level networking operations which the framework could make.
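An added example, not part of the original answers or of mitmproxy itself: an addon script for the proxy-based test suggested above. It records every host the app contacts through mitmproxy and flags any that are not on an allow-list; the file name and the allow-list entries are assumptions. As the answers note, it only sees traffic that actually goes through the proxy.

```python
# audit_hosts.py -- run with: mitmdump -s audit_hosts.py
# Added example. ALLOWED_HOSTS is a constructed allow-list; replace it with
# the backends your own app is expected to talk to.
from collections import Counter

ALLOWED_HOSTS = {"api.example.com", "*.example-cdn.com"}  # assumption


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host equals an entry or matches a '*.suffix' wildcard entry."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # compare against ".example-cdn.com"
                return True
        elif host == entry:
            return True
    return False


class HostAudit:
    """mitmproxy addon: count requests per host and collect unexpected ones."""

    def __init__(self, allowed=ALLOWED_HOSTS):
        self.allowed = allowed
        self.seen = Counter()
        self.unexpected = {}  # host -> first URL seen for that host

    def request(self, flow):
        # mitmproxy calls this hook for every HTTP(S) request it proxies.
        host = flow.request.pretty_host
        self.seen[host] += 1
        if not host_allowed(host, self.allowed) and host not in self.unexpected:
            self.unexpected[host] = flow.request.pretty_url
            print(f"[UNEXPECTED] {flow.request.method} {flow.request.pretty_url}")

    def done(self):
        # Called when mitmproxy shuts down: print a per-host summary.
        for host, n in self.seen.most_common():
            tag = "ok" if host_allowed(host, self.allowed) else "UNEXPECTED"
            print(f"{n:5d}  {tag:10s}  {host}")


addons = [HostAudit()]
```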

Bulletproof HTTP Monitor for iOS

I'm using Charles Proxy and Wireshark to monitor http(s) traffic from various iOS apps I'm using on my iPhone. These apps require me to set the HTTP Proxy under the iOS Wifi settings (let's call these the Proxy Settings).
My business needs to see ALL URLs that are being called from my phone. From all apps. All URLs, not some of them.
Now Charles and Wireshark both work fine and I can see a ton of traffic coming from my phone.
However, I can't help but wonder whether I might be missing some HTTP calls. Maybe calls that don't use the Cocoa Core Foundation libraries as the basis for their networking.
For instance, I could write my own HTTP library out of TCP/IP and these would bypass the Proxy Settings.
So my question is: what is the likelihood that some apps are using custom-rolled HTTP libraries and side-stepping my Proxy Settings. Or worse, they're using raw TCP/IP to communicate with a server. I know it's possible, but do any APIs work this way? Does anyone do it?
I found the answer: Use mitmproxy in transparent mode. Proxy is not used. Harder to set up because it needs work on the router, but it reliably captures every packet on port 80 and 443 regardless of proxy settings.
Assuming that you are able to keep your device tethered, then you may be able to use the pcap service to monitor all traffic. According to the following paper (2014) the pcap service is running on every iOS device:
"Identifying back doors, attack points, and surveillance mechanisms in iOS devices"
You should be able to connect to it via usbmuxd. I'm not sure whether there is a pre-rolled client for the pcap service. There is a list of services supported by libimobiledevice here. Pcap is not on that list.
Alternatively, you can use Wireshark to capture all traffic on your wifi network.
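An added example, not part of the original posts: one way to check the concern raised in the question, given a Wireshark/tshark capture of the phone's traffic. It lists TCP connections the phone opened that did not go to the configured proxy; the phone's IP address, the capture file name and the sample rows are constructed.

```python
# Added example: find TCP connections from the phone that skipped the proxy.
# Input is the tab-separated output of tshark (capture file name assumed):
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
from collections import Counter

PROXY = ("192.168.10.1", 8888)   # proxy address used earlier on this page
PHONE_IP = "192.168.10.23"       # assumption: the iPhone's address on the LAN

# Constructed sample output (documentation address ranges, not real data).
SAMPLE = """\
192.168.10.23\t192.168.10.1\t8888
192.168.10.23\t192.168.10.1\t8888
192.168.10.23\t203.0.113.7\t443
192.168.10.23\t198.51.100.20\t5223
192.168.10.1\t203.0.113.7\t443
192.168.10.23\t203.0.113.7\t443
malformed line
"""


def find_bypass(lines, phone_ip=PHONE_IP, proxy=PROXY):
    """Return (proxied_count, Counter{(dst_ip, dst_port): n}) for the phone."""
    proxied, direct = 0, Counter()
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue                      # skip malformed or non-TCP rows
        src, dst, port = parts[0], parts[1], int(parts[2])
        if src != phone_ip:
            continue                      # only connections the phone opened
        if (dst, port) == proxy:
            proxied += 1                  # honoured the Proxy Settings
        else:
            direct[(dst, port)] += 1      # went around the Proxy Settings
    return proxied, direct


if __name__ == "__main__":
    proxied, direct = find_bypass(SAMPLE.splitlines())
    print(f"{proxied} connections via proxy {PROXY[0]}:{PROXY[1]}")
    for (dst, port), n in direct.most_common():
        print(f"direct: {dst}:{port} x{n}")
```

Any row reported as direct is a connection that Charles would not have shown, which is what to investigate with a transparent proxy or the packet capture itself.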

How to debug Android and/or iOS apps on a Windows Desktop Environment

I work with web analytics and have somewhat of a web developer background, BUT I am not a programmer. I need a way to debug the tracking code I request our mobile app team to implement. They are also not Web Analysts so they struggle to be able to verify if it works too.
I need a way to take one of their builds, run it on a desktop environment, and monitor it with a network monitoring tool like Charles Proxy or the network monitoring tools in the developer tools of most browsers.
I want to at least be able to see the information being passed back to our analytics tracking tool via the network connection. That will tell me if what I requested works or not. If there are other tools that a non-programmer can use to achieve this and more I would be grateful to hear about them. The few tools I have seen seem to be more about testing web pages via a mobile device. I need to test apps that you will eventually download from an app store.
Thanks!
In our company, we found that Charles is perfect for testing all that concerns tracking.
Charles will record all your requests and responses from your computer, SSL traffic included.
(You can also let physical Android/iOS devices use your desktop as a proxy to catch all traffic there, which is even more impressive and useful, but I understand that this is not what you want.)
You can even do fancy stuff like throttling your connection and adding breakpoints, to see what would happen in "real" situations with bad connection...
Hope this helps.

inspect http requests in ios simulator/devices

I am working on an iOS app which communicates with the server via http requests. And I want to monitor the network traffic when testing my app in the iOS simulator/devices.
Is there any software or tool I can use to inspect the http requests of a specified application on Mac/iOS, just like Firebug for web developers?
Thanks.
As far as I know, there are several tools in App Store that provide the network traffic monitor feature. But, they could only view iPhone as a whole and stay at that level. In other words, they could only tell how much traffic has been consumed of this iPhone. For each app? No data.
You can use HTTP Catcher to capture web traffic. It's a Web debugging proxy for iOS, so you can view requests and responses directly on iPhone.
You can use Proxyman to record/capture all the requests & responses from your app while developing. It will support iOS simulators also. We use this without doing any code change.
First download the Proxyman app from the above link; after that just go through this documentation for reference.
Charles has recently released an iOS version for http traffic monitoring. It is a paid app though. Good news is that you can set up the free Charles desktop version and then set up the HTTP proxy from your iOS device.
