HTTP(S) requests are the messages that iPhone or Android phone apps send to the phones. So if we want to take a close look and monitor these HTTP(S) requests there are several ways. We can do that and we can learn a lot about how an app works and what the iPhone or Android data it is collecting and sending. This can be useful for troubleshooting app problems or for security purpose of phones. Technically, as we can open the web inspector or activity window in Safari/Chrome on the laptop to monitor HTTP(S) requests any website has made, we can do that on our phone too for native apps.
Basically, we have to intercept the network traffic traveling between the iPhone and the Internet Service Provider (ISP).
There are two main ways to watch HTTP requests made for both Android and iPhone:
#1 Using a Debugging Proxy
A debugging proxy is a software program that intercepts all network traffic between your iPhone/Android phone and the internet (ISP) and to do this you need to set your phone to use WiFi and to pass network traffic through a proxy. This allows you to see all of the HTTP requests made by the phone as well as the responses it is receiving from the web servers. So, install a debugging proxy and point your iPhone/Android phone to it and clearly specify the proxy address in the settings for wifi as this would only work over wifi and not via a cellular data connection. You’ll then have access to all of the http(s) requests and responses sent and received by the phone.
“So one thing should be kept in mind a good proxy will offer log files and allow you to see server addresses and, if not encrypted, requested URLs.”
There are a number of different debugging proxies available, both free and paid. Some popular options include:
I) Charles
We have to download Charles and follow the instructions on this page and see the HTTP(s) requests made and you may need to install Charles SSL certificate. Same goes for others. Charles supports Windows, macOS and Linux kind of all operating systems.
II) Paros
We can also use Paros which is written in Java so will run on most platforms.
III) Burp
We can also use Burp for the same purpose.
To use a debugging proxy, you will need to install it on your computer and then configure your iPhone to use the proxy. Once you have done this, all of your iPhone’s network traffic will be routed through the proxy, and you will be able to see all of the HTTP requests that it is making.
#2 Use the network inspector in Mobile Apps for iOS and Android Studio for Androids
We can use the network inspector in Android Studio/Mobile Apps for Android/iOS to watch the HTTP requests that your app is making or the other way round like HTTP requests it’s receiving made by the apps. To do this, you will need to create a debug build of your app and then run it on your phone. Once the app is running, you can open the network inspector to see all of the HTTP requests.
Some other tools that we can use are Mitmproxy which will also work for SSL connections, and even has a tutorial for iOS users and we can also use Postman and Proxyman to capture HTTP requests.
Which method should you use?
If you are troubleshooting an existing app, then using a debugging proxy is the best option. This is because debugging proxies are easy to set up and use, and they can be used to watch the HTTP requests of any app, regardless of whether it is a debug build or not.
If you are developing an app, then you can use the network inspector in Mobile Apps/Android Studio to watch the HTTP requests that your app is making. This is because the network inspector provides more detailed information about HTTP requests than debugging proxies typically do and you may get a log-file to intercept through them.
Here are some additional tips for watching HTTP requests on an iPhone/Android:
Make sure that you are using a secure WiFi connection when watching HTTP requests. This is because debugging proxies can intercept and decrypt HTTPS traffic.
If you are using a debugging proxy, make sure to configure your Android/iPhone to trust the proxy’s root certificate. This will allow the proxy to decrypt HTTPS traffic.
If you are developing an iOS/Android app, make sure to create a debug build of your app before using the network inspector. This is because the network inspector will not be able to see the HTTP requests of release builds of apps.