When performing network debugging on iOS, you often encounter devices that cannot be jailbroken. In such cases, packet capture methods face some limitations, but most debugging tasks can still be completed.
Below explains how to capture iOS network requests without jailbreaking.
Starting with Proxy-Based Packet Capture
The first method is proxy-based packet capture.
Applicable scenarios:
- The app uses the system network stack
- Requests go through the system proxy
- No additional certificate validation is present
Tools to use:
- Charles
- Proxyman
- SniffMaster
Configuring the Proxy Environment
Steps:
- Start one of the tools on your computer
- Check the listening port (e.g., 8888)
- Confirm the computer’s IP address
- Connect the iPhone to the same Wi-Fi network
- Open iPhone Settings → Wi-Fi
- Tap the current network
- Set HTTP Proxy to “Manual”
- Enter the IP address and port
Return to the home screen after saving.
Installing the HTTPS Certificate
On the iPhone:
- Open the certificate download URL in Safari
- Download the profile
- Install the certificate
- Enable trust in “Certificate Trust Settings”
Verifying Proxy Success
Open Safari and visit an HTTPS website.
Observe Charles:
- You can see the request
- You can view the response
This indicates the proxy environment is active.
Attempting to Capture App Requests
Open the target app in the proxy environment.
Trigger network operations, such as login or data requests, and observe the packet capture tool.
Two Possible Outcomes
Requests Are Captured
This means the app uses the system proxy, allowing direct analysis of HTTPS data.
Requests Are Not Captured
This indicates the app does not use the system proxy or has certificate validation mechanisms.
Switching to Direct USB Connection Packet Capture
If proxy-based capture fails without jailbreaking, you can use a direct USB connection to the phone for packet capture, such as with SniffMaster (Packet Capture Master).
This method does not rely on a proxy and does not require manual certificate installation for decryption.
Using SniffMaster for Packet Capture
Steps:
- Connect the iPhone to the computer via USB
- Keep the device unlocked
- Tap “Trust This Computer”
- Launch SniffMaster
- Select the iPhone from the device list
- Install the profile as prompted
- Enter HTTPS Brute Force Capture Mode
- Click Start
Then trigger network requests on the phone.
Observing Results
In the capture interface, you can see the request domain, path, and header information.
Even if the app does not use the proxy, requests are visible.
Filtering for a Specific App
Decrypted captures include system traffic.
To reduce interference, you can capture only a specific app.
Steps:
- Click Select App
- Check the target application
- Start capturing
The capture list now only includes requests from that app.
Handling Incomplete Data
During capture, you might see the URL and headers but an empty body.
This indicates HTTPS is captured, but the app is not signed with a development certificate.
Steps to handle:
- Obtain the app’s IPA file
- Re-sign it with an iOS development certificate
- Install it on the device
- Capture again
After this, you can view complete request data.
Options for Modifying Requests
When debugging interfaces, you may need to modify requests or responses.
In such cases, use proxy-based capture tools:
- Charles
- Proxyman
- SniffMaster
You can modify request content via:
- Breakpoints
- Rewrite
- Interceptors
Analyzing Connection Issues with Wireshark
If you need to analyze network connections, for example:
- Request timeouts
- Data loss
You can:
- Use SniffMaster to capture the data stream
- Export it to Wireshark
In Wireshark, you can view:
- TCP three-way handshake
- Data transmission process
- Connection closure reasons