Saturday 24 March 2012

Inspect traffic from your iPhone

A quick guide to inspecting iPhone/iOS network traffic

There are more and more reports of malware on our phones. What are the apps on your iPhone actually sending and receiving? With a web proxy on your PC and one setting on the phone you can watch every HTTP request the phone makes.


  1. Download a web proxy. I use Fiddler from http://www.fiddler2.com/ on my PC, but there are alternatives such as Paros, which is written in Java if you want to run on all platforms. This tutorial, however, uses Fiddler.
  2. Install Fiddler and fire it up. Go to Tools -> Fiddler Options, tab Connections, and tick "Allow remote computers to connect". Without it Fiddler only listens on localhost and the phone cannot reach it.
  3. Also note the port number, 8888 by default, or change it to one that suits you. If your PC runs a firewall, allow inbound connections on that port.
  4. Restart Fiddler.
  5. Now open a command prompt and run ipconfig to find your PC's IP address (ifconfig on a Mac or Linux machine). The phone and the PC must be on the same Wi-Fi network.
  6. On the iOS device, go to the Wi-Fi settings for that network, scroll down to HTTP Proxy, choose Manual and type in the proxy computer's IP address and port.
  7. Fire away! Every request the phone makes now shows up in Fiddler's session list; remember to set the proxy back to Off when you are done, or the phone will have no connectivity once the PC is gone.
Here's an example of stock information sent by the Stocks app on my iPhone. I've chosen the XML view in the response Inspector to get a pretty format.

Compression

Many sites compress their HTTP responses, which Fiddler supports. In the Inspector view in Fiddler, use the Raw tab; I almost always use it anyway. If the response is gzipped (check the Content-Encoding header) there is a hint at the top of the window that lets you decode it on the fly. Until you do, the body is compressed bytes, not something the text or XML views can show.

HTTPS

Another obstacle in monitoring traffic is that the client app and the server may communicate over SSL. You won't notice that in the Protocol column, since Fiddler reports plain HTTP (the CONNECT request that opens the tunnel is plain HTTP), but in the Host column you'll see it says "Tunnel to" followed by the host and port 443. Without further setup Fiddler can only relay the encrypted bytes. There is a way to get around at least some of the SSL problems by enabling "Decrypt HTTPS traffic" on the HTTPS tab in Fiddler Options.
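To make concrete what the proxy in the steps above does, what the "Tunnel to" entry means and why a gzipped response needs decoding, here is a minimal logging proxy in the same spirit. It is an added example written for this page, not Fiddler's code. It listens on 0.0.0.0:8888 like Fiddler does, logs each request line, relays CONNECT tunnels blindly (the plaintext stays hidden, exactly as in Fiddler before you enable HTTPS decryption) and, for plain HTTP, forwards the request and logs the response with chunking and gzip undone. The helper `constructed_response` builds sample gzipped responses for offline testing; it is constructed data, not a capture. Assumptions, labelled in the comments: one request per connection, the upstream host is taken from the Host header, and only gzip Content-Encoding is handled.

```python
import gzip
import socket
import threading

LISTEN = ("0.0.0.0", 8888)  # Fiddler's default port, open to remote computers


def parse_request_line(line):
    """'CONNECT www.example.com:443 HTTP/1.1' -> (method, target, version)."""
    method, target, version = line.strip().split(" ", 2)
    return method, target, version


def describe(method, target):
    """Label a request like Fiddler's session list: HTTPS arrives as a plain
    HTTP CONNECT request, which is why the Host column reads 'Tunnel to'."""
    return ("Tunnel to " + target) if method == "CONNECT" else (method + " " + target)


def split_headers(raw):
    """Return (start line, lower-cased header dict, body) of a raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (trailers are ignored)."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out, body = out + body[:size], body[size + 2:]  # skip data and its CRLF
    return out


def decode_body(headers, body):
    """Undo chunking and gzip so the logged body is readable (the same job as
    Fiddler's 'decode' hint). Assumption: only gzip is handled here."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def constructed_response(body, chunked=False):
    """Build a gzipped response: constructed sample data, not a real capture."""
    payload = gzip.compress(body)
    if chunked:
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)
        framing = b"Transfer-Encoding: chunked\r\n"
    else:
        framing = b"Content-Length: %d\r\n" % len(payload)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Encoding: gzip\r\n"
            + framing + b"\r\n" + payload)


def relay(src, dst):
    """Copy bytes src -> dst until EOF: one direction of a CONNECT tunnel."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(client):
    """Serve one proxied request (assumption: one request per connection)."""
    raw = client.recv(65536)
    if not raw:
        return client.close()
    request_line, headers, _ = split_headers(raw)
    method, target, _ = parse_request_line(request_line)
    print(describe(method, target))
    if method == "CONNECT":
        # Without a Fiddler-style fake certificate we can only relay ciphertext.
        host, _, port = target.partition(":")
        upstream = socket.create_connection((host, int(port or 443)))
        client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        threading.Thread(target=relay, args=(client, upstream), daemon=True).start()
        return relay(upstream, client)
    host, _, port = headers["host"].partition(":")  # assumption: Host header present
    upstream = socket.create_connection((host, int(port or 80)))
    # Ask the server to close after one response so the read loop below ends.
    upstream.sendall(raw.replace(b"\r\n\r\n", b"\r\nConnection: close\r\n\r\n", 1))
    response = b""
    while chunk := upstream.recv(65536):
        response += chunk
        client.sendall(chunk)
    status, rheaders, rbody = split_headers(response)
    print(status, decode_body(rheaders, rbody)[:200])
    upstream.close()
    client.close()


if __name__ == "__main__":
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(LISTEN)
    srv.listen(16)
    print("proxy on %s:%d; point the iPhone's Wi-Fi HTTP proxy here" % LISTEN)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Run it on the PC, enter the PC's address and port 8888 on the phone as in step 6, and the console shows one line per request: "GET http://..." for plain traffic and "Tunnel to host:443" for HTTPS, which is all an unmodified proxy ever sees of an SSL connection. The `decode_body` step is why Fiddler's Raw view needs its decode hint: the bytes on the wire are gzip, and often chunked as well.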

What this really means is that Fiddler acts as a man in the middle: it terminates the SSL connection itself and generates server certificates on the fly that mimic the real server, signed by Fiddler's own root certificate. Obviously, your iPhone will not trust that root, so if you for example surf to https://www.google.com you will be prompted with "Unsecure certificate, possible attacker..." etcetera, and Safari lets you click through. Apps are stricter: many simply won't work if they don't trust the certificate, and an app that pins its server certificate will refuse to connect no matter which root you install.

In Fiddler, you can export the Fiddler root certificate to a .cer file and import it on your iPhone (for example by mailing it to yourself or opening it from a web page) to trust it. It ends up as a profile under Settings -> General -> Profile as a trusted certificate. But I wouldn't recommend adding unknown certificates as trusted unless you know what you're doing. Whoever holds that root's private key can read all of the phone's HTTPS traffic, so remove the profile when you are done testing.