"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
|--Sun Tzu, The Art of War|
In the previous chapter, you studied about finding vulnerabilities in local storage, such as the plist files, SQLite database, and other formats. One of the important aspects in mobile application level security is analyzing an application's network traffic. To find out the issues related to backend APIs, we need to monitor the traffic between an application on iDevice and backend APIs.
In this chapter, we will look at the following topics:
Intercepting traffic over HTTP
Intercepting traffic over HTTPS
Intercepting traffic of iOS Simulator
Web API attack demo
Bypassing SSL pinning