Skip to content

iOS Capture

Capturing on an iPhone / iPad has always been a headache. Ordinary tools usually either require a jailbreak or can only set up a proxy (which still means installing a profile and a certificate, and apps with certificate pinning still cannot be captured). iOS capture offers three no-jailbreak methods, from “see system requests with zero configuration” to “full traffic for the whole device” to “complete plaintext for a single app.” One of them will get your target.


  • Connect the device: use a data cable to connect the iPhone / iPad to the computer, then tap Trust on the device.
  • No jailbreak needed: all three methods are for non-jailbroken devices.
  • Compatible with new systems: newer versions of iOS (including iOS 17 and above) switched to a new device channel, and connecting and capturing still work here.
  • If the same device also appears on the network, choose the USB / network entry accordingly.

Your need Which to use What you can see Certificate install / re-sign needed?
Quickly see which HTTPS requests the system sent (address / status / headers) System-level capture Works for ordinary apps too (ordinary apps cannot see the body) Neither; only a diagnostic profile
All traffic for the whole device (including non-HTTP, handshake / SNI) NIC capture Full data (ciphertext by default, decryptable on demand) Not needed to view ciphertext; re-signing needed only to decrypt a given app
A given app’s complete plaintext exchanges (including the body) App-layer capture Complete plaintext for a single app The target app must be re-signed with a development certificate

None of the three require a jailbreak. System-level capture is especially hassle-free: even for ordinary apps and App Store apps you can see which HTTPS addresses they request, something ordinary tools cannot do on a non-jailbroken iPhone.


3. System-level capture: the most hassle-free, works for ordinary apps too

Section titled “3. System-level capture: the most hassle-free, works for ordinary apps too”

Want to quickly see which HTTPS requests this iPhone sent out, without installing a certificate, setting up a proxy, or dealing with certificate pinning? This is the most hassle-free method.

  • Lists the HTTP(S) transactions the system sends: request method, full URL (the address is plaintext even for HTTPS), status code, request headers and response headers.
  • No CA certificate to install, no proxy to set up, no certificate pinning to deal with.
  • How much you can see is limited by the system diagnostic logs themselves:
    • Ordinary apps and App Store apps: usually you can see only the request address and request headers.
    • Apps signed with a development certificate: you can see the full request / response body.

Prerequisite: you need to install the matching device diagnostic profile (once is enough).


4. NIC capture: see everything on this device

Section titled “4. NIC capture: see everything on this device”

Capture all of the device’s network traffic, regardless of app or protocol, including non-HTTP QUIC and custom protocols.

  • What you see by default: by default it is ciphertext packets + metadata (target address, port, and the SNI hostname from the TLS handshake), enough to see clearly “which places this device connected to and with what protocol.”
  • Want plaintext: use “Decrypt this program” on the target app to decrypt its plaintext; this requires the app to have been re-signed with a development certificate.

5. App-layer capture: complete plaintext for a single app

Section titled “5. App-layer capture: complete plaintext for a single app”

Targeting a single app, this method obtains the complete plaintext (including the body) it sends and receives. Certificate pinning cannot stop it, because it reads from inside the app.

  • Restart the target program: you can close and relaunch the app first to capture its early-startup traffic too.
  • Turn on “socket traffic” as a fallback when plaintext cannot be decoded: for apps that statically link / use a custom library and from which the usual methods cannot obtain plaintext, turn on this switch to take a lower-level path to the data.
  • Only apps re-signed with a development certificate are selectable in the app list; the rest are grayed out.

Prerequisite: the target app must be re-signed with a development certificate; App Store apps and system apps must be re-signed first before they can be used as targets.


Besides the three methods above, an iPhone / iPad can also use proxy capture: point the device’s Wi-Fi proxy at this machine, install the root certificate, and you can capture HTTPS plaintext just like on a computer and use the full set of rewriting and replay capabilities. It suits debugging apps that go through the system proxy, or scenarios that need rule-based rewriting / replay of mobile requests.


  • To quickly investigate “which endpoints an app requested and what they returned,” system-level capture is the easiest, and even ordinary apps work.
  • To see all traffic on the whole device (including non-HTTP), use NIC capture.
  • If you can re-sign the target app and want its complete plaintext body, use app-layer capture.
  • To view and edit at the same time (rewrite / replay mobile requests), use proxy capture.

Back to Proxy Capture · Related: Data Viewing and Decoding · Certificate Management and Installation