
I have an iOS application that consumes an API. That application sucks so I was trying to "discover" that API and make my own application consuming that API.

The issue is that the API is under SSL/TLS, so I tried using Wireshark with, naturally, no luck, since the URL is hidden due to SSL.

Is it possible to set up a proxy Wi-Fi server, make my phone trust that proxy and try to get the traffic decrypted on that proxy server?

I'm kinda new to all this packet sniffing and network auditing, so I'm trying to come up with some ideas.

Thanks!

Juan
  • Yes, it is possible. Unless the app is truly poorly written, you may need to install your own root CA on the device in order to get the app to trust your proxy. You may run into issues if the app uses certificate pinning as well. – multithr3at3d Mar 16 '17 at 15:06

1 Answer


Yes, by using an intercepting proxy such as Burp Suite (https://portswigger.net/burp/). When you set up your device to use that machine as a proxy, you can surf to "http://burp" to download the CA certificate. This prevents you from having to do all that yourself.

When you import and install that cert, you can see the decrypted HTTPS traffic that is passing through your proxy; that is, unless the apps you're looking at perform any form of certificate pinning; then they'll stop working.

ndrix
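Why a pinning app stops working behind the proxy even after the proxy's CA is trusted, as an added Python example that is not part of the answer above. It assumes the app uses public-key (SPKI) pinning; `fake_cert`, the key bytes, the issuer names and `api.example.test` are constructed stand-ins, while `spki_pin` walks the standard X.509 field order.

```python
import base64, hashlib

def tlv(tag, body):
    """Encode one DER element; short-form length only, enough for the samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, element_end) for the DER element at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long form: next k bytes hold the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + n

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)): the public-key pin of a certificate."""
    _, pos, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)   # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                       # optional [0] version field
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)   # SubjectPublicKeyInfo element
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def fake_cert(issuer, key):
    """Constructed, unsigned certificate skeleton (stand-in fields, not a valid cert)."""
    def name(text):
        return tlv(0x30, tlv(0x0C, text.encode()))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name("api.example.test") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pin_ok(cert_der, pins):
    """The extra check a pinning app runs after normal chain validation succeeds."""
    return spki_pin(cert_der) in pins

# Constructed sample data: the real server's key and the key the proxy generates.
ORIGIN_KEY, PROXY_KEY = b"\x11" * 32, b"\x22" * 32
ORIGIN_CERT = fake_cert("Public CA", ORIGIN_KEY)
PROXY_CERT = fake_cert("Proxy CA", PROXY_KEY)
APP_PINS = {spki_pin(ORIGIN_CERT)}        # pin shipped inside the app
```

`pin_ok(ORIGIN_CERT, APP_PINS)` is true and `pin_ok(PROXY_CERT, APP_PINS)` is false: installing the proxy's CA changes which issuers the device trusts, but the certificate the proxy presents still carries the proxy's own public key, which is what the pin is computed over.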