Intercepting iPhone traffic with your MacBook

Intercepting iPhone traffic with your MacBook

There are probably lots of ways to set up a monitoring station so that you can watch your iPhone’s traffic. This just shows one way to do it, using the tools I have available. There’s nothing really new about this, though it did take me a while to figure out the shell commands.

This shows you how to:

• route all your iPhone traffic through your MacBook
• set up ZAP proxy for analyzing your HTTP/HTTPS traffic
• install ZAP's CA Certificate on your iPhone

By sending all the traffic through your MacBook, you will see DNS requests and everything else. You can then use wireshark or tcpdump to easily capture the traffic for futher inspection, along with analyzing using the web proxy.

Step 1: Use your MacBook as a router

In this step we will force all the traffic from the iPhone to go through the MacBook.

 

Set up your MacBook to forward iPhone traffic

Open a Terminal, and run these commands:
Enable IP Forwarding:

$ sudo sysctl -w net.inet.ip.forwarding=1

Set natd to cause traffic to be redirected from your MacBook to the real router. The alias_address should be the address of your MacBook, and the address in redirect_port should be the address of your router.

$ sudo natd -alias_address 192.168.1.100 -interface en1 -use_sockets -same_ports -dynamic -clamp_mss -redirect_port udp 192.168.1.254:53 53

Set the firewall to use the natd rules that were just created

$ sudo ipfw flush
$ sudo ipfw add divert natd all from any to any via en1
$ sudo ipfw add allow ip from any to any

Configure your iPhone

1. Put your iPhone into Airplane Mode
2. Turn on your iPhone’s Wifi
3. Open your wifi network settings: Settings > Wifi > Then tap the blue arrow next to your network
4. Tap ‘Static’ to set up a static route through your MacBook
5. Use these settings (changing to suit your network)

IP Address: Just pick one. I used 192.168.1.101
Subnet Mask: 255.255.255.0
Router: Enter the IP address of your MacBook
DNS: Enter the IP address of your MacBook

Your iPhone traffic should be going through your MacBook now.

 

Step 2: Proxy your iPhone web traffic

 

Create an SSL CA Certificate

Download and install OWASP ZAP. Run it and open up the Settings menu. Create a new Dynamic SSL certificate, and save it.

 

Install that Certificate on your iPhone

Download the iPhone Configuration Utility
There are some good instructions here, but the steps are:

1. Run the iPhone Configuration Utility and create a new Configuration Profile (File -> New Configuration Profile)
2. Give it a name in the General tab
3. Open the Credentials tab and add the certificate you just created
4. Connect your iPhone via USB cable
5. Click on your iPhone in the Devices tab
6. In the Configuration Profiles tab, find the configuration profile you just created and click Install

That’s it! Now you should be able to see all the traffic to and from your iPhone.

Caveats

This might not be sufficient if you’re trying to use this for analyzing malware. Clever applications could detect if you’re connected to Wifi or in Airplane mode, and alter their behavior to avoid detection.