Tutorial #2: How to view the raw HTTP traffic, parameter and data via proxy for mobile applications — iOS Simulator

This is another basic proxy setup tutorial, this time for viewing the HTTP or HTTPS traffic that mobile applications send and receive on your iOS simulator. It lets developers not only view the traffic but also change it on the fly for debugging purposes. The setup is essentially the same as the one used to intercept web application traffic from the browser, as mentioned in my previous post for web applications.

Requirements

  • A Java installation (either JRE or JDK) if you are using the BurpSuite .jar version. If you just use the installer, I think the BurpSuite installer will handle this itself.
  • BurpSuite community version from https://portswigger.net/burp/communitydownload. For macOS, download and install the .dmg, which is very straightforward.
  • Xcode and the accompanying iOS simulator.

Viewing mobile application or iOS simulator traffic:

  • configure proxy in the BurpSuite
  • configure proxy in MacOS network configuration
  • install Burp CA certificate in your iOS simulator
  • view the traffic

configure proxy in the BurpSuite:

If you are using the free community version, Burp will not let you save the project to disk, so just use Temporary project.

Go with the default settings for now and start Burp.
At the initial launch, you will be greeted with this landing page.
Go to Proxy > Options and edit the default 127.0.0.1:8080 listener. Change it to All Interfaces just in case.
If it is working correctly, there will be a tick under the Running column and *:8080 in the Interface column.

In reality, BurpSuite automatically configures the proxy on port 8080 if the port is free, so no additional configuration is needed. But sometimes you may have to set “Bind to address” to “All Interfaces” to get the traffic. Note that All Interfaces also makes the listener reachable from other machines on the same network, whereas 127.0.0.1 accepts connections only from the Mac itself. There is some nuance to this, but it is out of scope for this article. If you can confirm the tick under the Running column, the proxy is working.

configure proxy in the MacOS network configuration:

As the iOS simulator directly uses the host macOS Wi-Fi connection, we have to configure the proxy in the macOS Network configuration. The downside is that all HTTP/HTTPS traffic from the Mac will flood your proxy logs, but I will show you how to filter it later in the article.

Go to Network and choose your Wi-Fi connection > Advanced.
Then go to the Proxies tab. Fill in the same information for both Web Proxy (HTTP) and Secure Web Proxy (HTTPS): 127.0.0.1 and port 8080 on the right. Make sure the Bypass proxy settings for these Hosts & Domains field is empty. By default, it may contain localhost or 127.0.0.1.
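
The same proxy settings can be applied, checked and reverted from the terminal with the macOS networksetup tool. The script below is an added example, not part of the original post; it assumes the network service is named Wi-Fi and that Burp listens on 127.0.0.1:8080, and it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: switch the macOS system proxy to Burp and back,
# mirroring the Network > Advanced > Proxies steps described above.
# Assumptions: service name "Wi-Fi", Burp listener on 127.0.0.1:8080.
SERVICE="${SERVICE:-Wi-Fi}"
BURP_HOST="${BURP_HOST:-127.0.0.1}"
BURP_PORT="${BURP_PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Point Web Proxy (HTTP) and Secure Web Proxy (HTTPS) at Burp
# and clear the bypass list ("Empty" removes all bypass entries).
proxy_on() {
  run networksetup -setwebproxy "$SERVICE" "$BURP_HOST" "$BURP_PORT"
  run networksetup -setsecurewebproxy "$SERVICE" "$BURP_HOST" "$BURP_PORT"
  run networksetup -setproxybypassdomains "$SERVICE" Empty
}

# Restore direct connectivity, e.g. after closing Burp.
proxy_off() {
  run networksetup -setwebproxystate "$SERVICE" off
  run networksetup -setsecurewebproxystate "$SERVICE" off
}

# Reads `networksetup -getwebproxy` or `-getsecurewebproxy` output on stdin;
# succeeds only if the proxy is enabled and points at the Burp listener.
points_at_burp() {
  awk -v h="$BURP_HOST" -v p="$BURP_PORT" '
    $1 == "Enabled:" && $2 == "Yes" { on = 1 }
    $1 == "Server:"  && $2 == h     { host = 1 }
    $1 == "Port:"    && $2 == p     { port = 1 }
    END { exit !(on && host && port) }'
}

# Constructed sample of `networksetup -getwebproxy Wi-Fi` output.
SAMPLE_ON='Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0'

proxy_on   # dry run by default: prints the three networksetup commands
printf '%s\n' "$SAMPLE_ON" | points_at_burp && echo "sample: proxy points at Burp"
```

On a real machine, run with DRY_RUN=0 and confirm the result with `networksetup -getsecurewebproxy "$SERVICE" | points_at_burp`; call proxy_off when you are done so the Mac is not left pointing at a closed listener.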

install Burp CA certificate in your iOS simulator:

Next, we will install the Burp CA certificate in the iOS simulator and check that the proxy is working. The CA certificate only needs to be installed during the initial setup, not on subsequent use; if you reset the iOS simulator, you will need to install it again. For Burp, or any proxy, to decrypt HTTPS traffic, it has to sit in a Man-in-the-Middle (MitM) position. To do this, the proxy’s certificate (Burp’s CA certificate) needs to be installed and trusted. MitM is a separate topic which I may write about in detail when I have time.

Launch any browser in your iOS simulator and visit http://burp to reach the landing page. Download the CA Certificate.
After the download, the phone will show that you need to check the profile in Settings for further action.
Go to Settings > General > Profile > PortSwigger CA and you will reach the screen above. Confirm it is PortSwigger CA and click Install. BurpSuite is developed by a company called PortSwigger (in case you are wondering).
The phone will warn you about authenticity, but this is normal for a CA installation and is needed for Burp to work. Just please do not install other random CAs, as it is dangerous.
It will be green after successful installation.

After installing the CA, we still have another step to do: trusting the CA.

Again, go to Settings > General > About > Certificate Trust Settings and turn on trust for PortSwigger CA. There will be a warning about the Root Certificate; just click Continue. Again, please do not install other random CAs, as it is dangerous.

Tired? We have finished the setup! Let’s verify it is working.

Now go to the browser of your choice on the iOS simulator and visit any website, maybe the great Bing :P https://www.bing.com
We will notice that Proxy and Intercept light up in BurpSuite, which means the proxy is working. You can turn off interception by toggling the Intercept is on button.
You can now check all the traffic flowing between the iOS simulator and remote web servers in the HTTP history log under the Proxy tab.

As mentioned before, there will be traffic from a lot of different servers in the history log because the iOS simulator uses the macOS network interface. We can filter for our target server by editing the scope, which makes viewing more comfortable.

Let’s assume https://www.bing.com is our target scope. Just right-click on it and click Add to scope.
There will be a question; just choose whichever you prefer.
You can always check what is in scope under Target > Scope. It is better to add the root of the URL so the scope covers all the different URI patterns on the host.
We can go back to HTTP history, click on Filter and tick Show only in-scope items. This will filter out the other messy website addresses and only show you what you want to see.

So, this is it. We are now able to view the traffic as well as filter the traffic. If you do not mind seeing other out-of-scope addresses, you do not need to go through all those filter configuration steps.

I hope this will help. Stay safe!

Pentester. Application & Cyber Security enthusiast. Insatiable learner.