iOS Capture
Capturing on an iPhone / iPad has always been a headache. Ordinary tools usually either require a jailbreak or can only set up a proxy (which still means installing a profile and a certificate, and apps with certificate pinning still cannot be captured). iOS capture offers three no-jailbreak methods, from “see system requests with zero configuration” to “full traffic for the whole device” to “complete plaintext for a single app.” One of them will get your target.
1. Common preparation
Section titled “1. Common preparation”- Connect the device: use a data cable to connect the iPhone / iPad to the computer, then tap Trust on the device.
- No jailbreak needed: all three methods are for non-jailbroken devices.
- Compatible with new systems: newer versions of iOS (including iOS 17 and above) switched to a new device channel, and connecting and capturing still work here.
- If the same device also appears on the network, choose the USB / network entry accordingly.
2. How to choose among the three methods
Section titled “2. How to choose among the three methods”| Your need | Which to use | What you can see | Certificate install / re-sign needed? |
|---|---|---|---|
| Quickly see which HTTPS requests the system sent (address / status / headers) | System-level capture | Works for ordinary apps too (ordinary apps cannot see the body) | Neither; only a diagnostic profile |
| All traffic for the whole device (including non-HTTP, handshake / SNI) | NIC capture | Full data (ciphertext by default, decryptable on demand) | Not needed to view ciphertext; re-signing needed only to decrypt a given app |
| A given app’s complete plaintext exchanges (including the body) | App-layer capture | Complete plaintext for a single app | The target app must be re-signed with a development certificate |
None of the three require a jailbreak. System-level capture is especially hassle-free: even for ordinary apps and App Store apps you can see which HTTPS addresses they request, something ordinary tools cannot do on a non-jailbroken iPhone.
3. System-level capture: the most hassle-free, works for ordinary apps too
Section titled “3. System-level capture: the most hassle-free, works for ordinary apps too”Want to quickly see which HTTPS requests this iPhone sent out, without installing a certificate, setting up a proxy, or dealing with certificate pinning? This is the most hassle-free method.
- Lists the HTTP(S) transactions the system sends: request method, full URL (the address is plaintext even for HTTPS), status code, request headers and response headers.
- No CA certificate to install, no proxy to set up, no certificate pinning to deal with.
- How much you can see is limited by the system diagnostic logs themselves:
- Ordinary apps and App Store apps: usually you can see only the request address and request headers.
- Apps signed with a development certificate: you can see the full request / response body.
Prerequisite: you need to install the matching device diagnostic profile (once is enough).
4. NIC capture: see everything on this device
Section titled “4. NIC capture: see everything on this device”Capture all of the device’s network traffic, regardless of app or protocol, including non-HTTP QUIC and custom protocols.
- What you see by default: by default it is ciphertext packets + metadata (target address, port, and the SNI hostname from the TLS handshake), enough to see clearly “which places this device connected to and with what protocol.”
- Want plaintext: use “Decrypt this program” on the target app to decrypt its plaintext; this requires the app to have been re-signed with a development certificate.
5. App-layer capture: complete plaintext for a single app
Section titled “5. App-layer capture: complete plaintext for a single app”Targeting a single app, this method obtains the complete plaintext (including the body) it sends and receives. Certificate pinning cannot stop it, because it reads from inside the app.
- Restart the target program: you can close and relaunch the app first to capture its early-startup traffic too.
- Turn on “socket traffic” as a fallback when plaintext cannot be decoded: for apps that statically link / use a custom library and from which the usual methods cannot obtain plaintext, turn on this switch to take a lower-level path to the data.
- Only apps re-signed with a development certificate are selectable in the app list; the rest are grayed out.
Prerequisite: the target app must be re-signed with a development certificate; App Store apps and system apps must be re-signed first before they can be used as targets.
6. You can also use proxy capture
Section titled “6. You can also use proxy capture”Besides the three methods above, an iPhone / iPad can also use proxy capture: point the device’s Wi-Fi proxy at this machine, install the root certificate, and you can capture HTTPS plaintext just like on a computer and use the full set of rewriting and replay capabilities. It suits debugging apps that go through the system proxy, or scenarios that need rule-based rewriting / replay of mobile requests.
- Install the certificate: scan the QR code on the phone for one-tap installation → Certificate Management and Installation
- Capture and rewriting capabilities: → Proxy Capture
7. When to use iOS capture
Section titled “7. When to use iOS capture”- To quickly investigate “which endpoints an app requested and what they returned,” system-level capture is the easiest, and even ordinary apps work.
- To see all traffic on the whole device (including non-HTTP), use NIC capture.
- If you can re-sign the target app and want its complete plaintext body, use app-layer capture.
- To view and edit at the same time (rewrite / replay mobile requests), use proxy capture.
Back to Proxy Capture · Related: Data Viewing and Decoding · Certificate Management and Installation