How to monitor iPhone's HTTP traffic

I usually wonder how my iPhone apps communicate with their servers. I had a debate with my ex-coworker about the security of app communication. He thinks we can use simple HTTP protocol for app communication, including authentication. But I insist that we should use more secure way for transmission in apps.

Let me use an example to demonstrate how little an app protects the content and how easy it is to monitor the traffic of an iPhone app.

According to Apple’s document here. I choose tcpdump and take 7-11 Taiwan app as an example.

This app provides coupon for Starbucks. I want to get the content of this coupon.

The steps are as following :

1. Connect Device

  • Connect your iPhone to your Mac via USB.

2. Remote Control

  • use rvictl to connect your device via UUID (20 characters, you can find it in iTunes or organizer in XCode)
>rvictl -s UUID

3. Check whether your device is activated

> rvictl -l
Current Active Devices:
[1] YOUR UUID

4. Start monitering

Simplest way
sudo tcpdump -n -t -i rvi0 -q -A tcp
Including request and response headers and message body
sudo tcpdump -t -i rvi0 -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
GET Only
sudo tcpdump -t -i rvi0 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
POST Only
sudo tcpdump -t -i rvi0 -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

Result

The result will be like this

IP XXXXXXXX.61956 > static-ip-38-69-56-61.rev.dyxnet.com.http
[email protected]@......i=8E&...P..z.h..... ........
/.}..Q.AGET /Starbucks/act_ns/2013_chrismas/css/images/ajax-loader.gif HTTP/1.1
Host: event.e21magicmedia.com.tw
Referer: http://event.e21magicmedia.com.tw/Starbucks/act_ns/2013_chrismas/index.html
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: _ga=GA1.XXXXXXXXX
Accept-Language: en-us
Connection: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_3 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B511

Wow ~ http://event.e21magicmedia.com.tw/Starbucks/act_ns/2013_chrismas/index.html

Now you can get the Christmas discount(Buy 1 get 1 free) without downloading the app.

Then you can use Chrome Developer Tool and inspect the image for you

Wrap Up

Don’t use simple web view to protect your content. HTTPs and session based authentication could be a better solution.

This article can be only used for education. All rights of images belong to original company

Reference :
Can I use tcpdump to get HTTP requests, response header and response body?
Remote Packet Capture for iOS Devices