DEV Community

Cover image for How to Capture HTTPS Traffic on iPhone (On-Device, No Desktop Proxy)
Anh Vu
Anh Vu

Posted on

How to Capture HTTPS Traffic on iPhone (On-Device, No Desktop Proxy)

#ai #mobile #api #tutorial

If you build or test mobile apps, you have almost certainly hit this wall: your app calls an API, something breaks, and you have no idea what actually went over the wire. To debug it properly, you need to capture and inspect the HTTPS traffic your iPhone is sending and receiving.

Traditionally that meant tethering your phone to a computer, running a desktop proxy, and fiddling with certificates and Wi-Fi proxy settings. This guide shows a faster, mobile-first approach: capturing decrypted HTTPS traffic directly on the iPhone itself — no Mac, no jailbreak, and no desktop proxy.

Why HTTPS Traffic Inspection Matters

Nearly all modern app traffic is encrypted with TLS — great for security, inconvenient for debugging. Being able to decrypt and inspect it on demand unlocks problems you would otherwise be guessing at:

  • API debugging. See the exact request URL, method, headers, query parameters, and body, plus the raw response.
  • Authentication issues. Verify bearer tokens, cookies, and API keys are present, correctly formatted, and not expired.
  • Backend troubleshooting. Confirm whether a failure is a 4xx/5xx response, an unexpected payload, or a timeout.
  • QA testing. Reproduce edge cases by mocking responses or rewriting payloads.
  • Network analysis. Audit which third-party SDKs are phoning home, how often, and with what data.

The Mobile-First Approach

Moni Proxy runs the proxy on the iPhone itself, using iOS's native VPN and certificate APIs to capture, decrypt, and render traffic locally. Everything happens on-device and the traffic never leaves your phone.

  • No desktop required. No Mac running a proxy, no same-network requirement.
  • No jailbreak. Supported system VPN profiles and a local certificate authority.
  • Less setup. Install, run the certificate wizard once, and start capturing.
  • Inspect anywhere. Debug on a real device on cellular, on the train, or in the field.

Step-by-Step Tutorial

1. Install Moni Proxy

Download Moni Proxy from the App Store and open it. A one-time wizard installs a local certificate authority (CA) on your device — generated locally, never shared.

Moni Proxy home screen with the CA certificate trusted

Install the profile in Settings → General → VPN & Device Management, then enable full trust in Settings → General → About → Certificate Trust Settings. You only do this once.

2. Start a Capture Session

Tap Start. Moni Proxy spins up a local proxy and routes your device traffic through it using a system VPN profile.

Capture session running as live HTTPS requests stream in

3. Generate Traffic

Switch to the app you want to debug and use it normally — log in, refresh, submit a form. Each network call is intercepted in real time. Works for any stack (URLSession, Alamofire, a Flutter HTTP client, or a React Native fetch).

Traffic list with the filter-by-domain panel open

4. Inspect Requests

Tap any entry to see the full URL, method, status code, headers, query parameters, and request body — syntax-highlighted for JSON. Most API bugs reveal themselves here: a missing Authorization header, a wrong content type, or a malformed payload.

Request detail view showing a POST request

5. Inspect Responses

Switch to the response tab for the status line, response headers, timing, and the decrypted response body. Pretty-printed JSON makes it easy to confirm whether the bug is on the backend.

Decrypted response body as pretty-printed JSON

6. Debug APIs

Beyond read-only inspection, you can mock a response, rewrite headers or body fields on the fly, or replay a captured request after editing it — reproduce an error state, test a 500, or simulate an empty list, all without touching the backend.

Map Local screen with custom mock responses

Rewrite rules editing headers and body before replay

Common Issues

  • Bodies are unreadable. The certificate is installed but not trusted. Go to Settings → General → About → Certificate Trust Settings and toggle full trust on.
  • A specific app's traffic is missing. Some apps use certificate pinning, which rejects any certificate other than the developer's. That's a security feature, not a bug.
  • Nothing is captured. Confirm the capture session is running and the VPN profile is enabled (iOS shows a small VPN indicator in the status bar).

Conclusion

A mobile-first workflow removes the desktop proxy, the Wi-Fi configuration, and the same-network requirement — leaving a fast loop of capture, inspect, and mock that works wherever your bug actually happens.

Moni Proxy is free to try on iPhone, Android & macOSmoniproxy.com

Top comments (0)