Have you ever come across an iOS app that doesn't have a documented API and wanted to reverse engineer that API? A program called mitmproxy can do the job. It is a proxy that performs a man-in-the-middle attack on the device's connections in order to intercept HTTP(S) traffic.
mitmproxy can be installed using pip, the Python package manager:

pip install mitmproxy

There are also other installation methods available in their docs.
If you want to view encrypted traffic you'll have to install mitmproxy's CA certificate on your iOS device. The mitmproxy documentation has a fairly thorough section on certificates. For iOS, the steps are as follows:

1. Get your computer's IP address. If you're using a Mac, go to System Preferences > Network > Advanced > TCP/IP.
2. Manually set the HTTP Proxy on your iOS device by going to Settings > WiFi, tapping your network and switching HTTP Proxy to Manual. Set the Server to your computer's IP address and the Port to 8080, the port mitmproxy listens on by default.
3. Start mitmproxy on your computer.
4. Install the mitmproxy CA certificate by visiting http://mitm.it on your iOS device and choosing the Apple certificate. The page only loads when the device's traffic is already going through mitmproxy, so it doubles as a check that steps 2 and 3 worked. After installing the profile, enable full trust for it under Settings > General > About > Certificate Trust Settings; without that, iOS keeps rejecting the certificates mitmproxy generates for HTTPS sites.

…and with that, mitmproxy is set up!
All HTTP(S) requests from the device will now be captured. After visiting some web pages on the device, you should see a list of requests in the mitmproxy terminal window.
Each line represents a flow: a single HTTP request and its response. The list of flows can be navigated with the [Up] and [Down] arrow keys, and a flow can be opened by pressing [Enter]. The flow view can be switched between its Request, Response and Detail tabs by pressing [Tab]; press q to return to the list of flows. Keybindings differ between mitmproxy versions, so press ? to see the help screen for the version you have.
The list of flows can be saved by first pressing the save key (l here; in current versions it is w, and ? lists the bindings for your version), and then entering a file name, for example output.mitm. You can then exit mitmproxy by pressing q. A saved file can be reopened for later use:

mitmproxy -r output.mitm

If you would rather capture without the interactive UI, mitmdump -w output.mitm writes every flow to the same file format.
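The reverse-engineering step itself, as an added example that is not part of the original post or of mitmproxy: an addon script that turns a capture (live, or a saved output.mitm replayed with mitmdump -r) into an endpoint map, collapsing numeric and UUID-like path segments so that /users/42 and /users/7 become one endpoint, and recording status codes, query parameter names and the top-level keys of JSON request and response bodies. The file name api_map.py, the host api.example.com and the sample flows are constructed for illustration; the flow attributes it reads (request.method, request.host, request.path, request.content, response.status_code, response.headers, response.content) are mitmproxy's documented ones, so the same class runs unchanged under mitmdump and against the stub flows below.

```python
# Added example, not from the original post. Usage with mitmproxy:
#   mitmdump -r output.mitm -s api_map.py      (replay a saved capture)
#   mitmdump -s api_map.py                     (live, while the device is proxied)
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Path segments that look like identifiers (digits, or 16+ hex/dash chars such
# as UUIDs) are collapsed to {id} so different records map to one endpoint.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F-]{16,})$")


def normalize_path(path):
    """Return (path with id-like segments replaced, sorted query parameter names)."""
    parts = urlsplit(path)  # mitmproxy's request.path includes the query string
    segments = ["{id}" if ID_SEGMENT.match(s) else s for s in parts.path.split("/")]
    return "/".join(segments), sorted(parse_qs(parts.query, keep_blank_values=True))


def json_keys(body):
    """Top-level keys of a JSON object body (or of the first object in a list)."""
    try:
        data = json.loads(body.decode("utf-8", errors="replace"))
    except (ValueError, AttributeError):
        return []
    if isinstance(data, dict):
        return sorted(data)
    if isinstance(data, list) and data and isinstance(data[0], dict):
        return sorted(data[0])
    return []


class ApiMapper:
    def __init__(self):
        self.endpoints = defaultdict(lambda: {
            "count": 0, "statuses": set(), "query": set(),
            "req_keys": set(), "resp_keys": set()})

    def response(self, flow):
        # mitmproxy addon hook: called once per flow when the response is complete.
        req, resp = flow.request, flow.response
        path, query = normalize_path(req.path)
        entry = self.endpoints[(req.method, req.host, path)]
        entry["count"] += 1
        entry["statuses"].add(resp.status_code)
        entry["query"].update(query)
        if "json" in (req.headers.get("content-type") or ""):
            entry["req_keys"].update(json_keys(req.content))
        if "json" in (resp.headers.get("content-type") or ""):
            entry["resp_keys"].update(json_keys(resp.content))

    def summary(self):
        """Sorted, JSON-friendly list of the endpoints seen so far."""
        return [{"method": m, "host": h, "path": p, "count": e["count"],
                 "statuses": sorted(e["statuses"]), "query": sorted(e["query"]),
                 "request_keys": sorted(e["req_keys"]),
                 "response_keys": sorted(e["resp_keys"])}
                for (m, h, p), e in sorted(self.endpoints.items())]

    def done(self):
        # mitmproxy addon hook: runs when mitmdump exits, e.g. after a replay.
        print(json.dumps(self.summary(), indent=2))


addons = [ApiMapper()]  # how mitmproxy discovers the addon in this file


class _Stub:
    """Constructed stand-in for mitmproxy's request/response objects."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def demo_flows():
    """Constructed sample traffic: two hits on one endpoint and a JSON POST."""
    def flow(method, path, status, req_body=b"", resp_body=b"{}"):
        ctype = "application/json"
        return _Stub(
            request=_Stub(method=method, host="api.example.com", path=path,
                          headers={"content-type": ctype if req_body else ""},
                          content=req_body),
            response=_Stub(status_code=status, headers={"content-type": ctype},
                           content=resp_body))
    return [
        flow("GET", "/v1/users/42?fields=name", 200, resp_body=b'{"id":42,"name":"a"}'),
        flow("GET", "/v1/users/7?fields=name&page=2", 404, resp_body=b'{"error":"nope"}'),
        flow("POST", "/v1/login", 200, req_body=b'{"user":"u","password":"p"}',
             resp_body=b'{"token":"t"}'),
    ]


def map_demo():
    """Run the mapper over the constructed flows; returns the endpoint summary."""
    mapper = ApiMapper()
    for f in demo_flows():
        mapper.response(f)
    return mapper.summary()
```

Running the constructed demo yields two endpoints: GET /v1/users/{id} (seen twice, statuses 200 and 404, query parameters fields and page, response keys error/id/name) and POST /v1/login (request keys password/user, response key token), which is the skeleton of the undocumented API you are after.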
After you are finished using mitmproxy, you can disable proxying by setting HTTP Proxy in Settings > WiFi to Off. The CA certificate does not have to be removed, but bear in mind that while it stays trusted, anyone holding the matching private key (it lives in ~/.mitmproxy on your computer) can intercept the device's HTTPS traffic. Removing the profile from Settings when you are done is the safer habit.
mitmproxy is a very powerful and flexible program that can do much more than just view HTTP(S) requests. More information is available in their docs.

…but this should be enough to reverse engineer an API.

One caveat: mitmproxy can only intercept HTTP(S) traffic. Apps that pin their server certificate will reject the certificate mitmproxy presents, so their requests fail instead of showing up in the list of flows.