Intercept HTTPS requests made by a live #iOS app using @Telerik #Fiddler
If you want to debug an iOS app that’s installed on a iPhone, to determine what network calls it is making, then if you have a Windows PC, then you can use Telerik’s Fiddler to intercept requests between any iOS app and whatever back-end API it is using, even over HTTPS.
Make sure your PC and iPhone are on the same WIFI network before starting.
First, Install the Telerik Fiddler Application, and make sure your firewall allows connections on port 8888. Now, go Settings > Wifi > (i) > Configure proxy > Manual
Get the IP address of your PC using ipConfig, Mine was 192.168.0.22, yours may be different.
Enter the port as 8888 and press Save. Now, Fiddler should be able to capture HTTP (insecure) requests.
To Capture Secure Requests (HTTPS), you will need to install a certificate on your iPhone. To Do so, you can download it from your iPhone from here http://www.javatiger.com/fiddler/FiddlerRoot.cer
Or use the Camera app on your iPhone to scan this QR code:
When asked to chose a device, select iPhone
This downloads the cert, but you need to install it and activate it.
Open your settings app, and click “Profile Downloaded” then “Install”
then enable the cert
By pressing settings – general – about – certificate trust settings
Make sure that In Fiddler, you have selected Tools > Options > HTTPS > Decrypt HTTPS traffic, and then restart Fiddler.
I also added extra TLS protocols amd selected the Ignore server cert errors.
Hopefully now, if you operate your iPhone, you should see both HTTP and HTTPS requests appearing in Fiddler.
Certain apps, like the App store (for example) will not work, since they are smart enough to notice that there is a “Man-In-The-Middle” attack going on – and this does highlight the importance of Certificate pinning, which you should do, if you are handling financial data in apps.