
How to Debug iOS Mobile Traffic


For updates on this blog and other blogs: Follow @SteveIDM

 

When troubleshooting SAML/OIDC, it's extremely useful to have access to your HTTP headers to validate what is being passed from one provider to the next.  This is very straightforward on Windows and macOS devices but not quite as easy when we need the headers on a mobile device.

 

There are many tools on the market that can help proxy your mobile traffic. Most people default to Fiddler; however, I've personally had very little luck with Fiddler for this purpose, as Fiddler tends to truncate the SAML request, thus making it useless for debugging SAML traffic.  I credit a former colleague of mine, Eugene, for introducing me to a tool called MITM Proxy. As the name suggests, it's a man-in-the-middle product, but it is useful in troubleshooting.

Please note - This is not an endorsement of this specific tool, it's just a tool that I've had success with.  The usual disclaimer with any third party product, please use at your own risk.

 

Before you start, make sure your Corporate IT department won't block this tool, as it's quite common. You might see something like this:

Screen Shot 10-15-20 at 09.27 AM.PNG

Getting Started with MITM Proxy

  1. Download MITM Proxy from https://mitmproxy.org/
  2. Install MITM Proxy as per their instructions. https://docs.mitmproxy.org/stable/overview-installation/
    Note: Install this proxy on a system that is accessible by your mobile device.
  3. Since I am running MITM Proxy on Windows 10, I will launch the MITM Proxy UI from the Start menu.
    Screen Shot 10-15-20 at 10.36 AM.PNG
  4. If everything goes well, you will see a CMD window showing that the proxy was successfully started, and a browser tab will open displaying the debug window.
  5. In my case, it doesn't go well and I get the following error:
    Screen Shot 10-15-20 at 10.40 AM.PNG
    1. This error does not necessarily mean your Corporate IT team is blocking the application (although I've thought this many times). It most likely means you have a port conflict. Run netstat and verify that ports 8080 and 8081 are not being used.
    2. If 8080 is taken, you will need to start this manually in a command window using a free port
      C:\Program Files (x86)\mitmproxy\bin>mitmweb.exe --listen-port 8888
    3. If 8081 is taken, you will need to start this manually in a command window using a free port
      C:\Program Files (x86)\mitmproxy\bin>mitmweb.exe --web-port 8082
      There is a way to make these changes permanent using YAML but I've not figured that out yet.

  6. Hopefully, you now have the application started and you see the console open in a web browser.
    Screen Shot 10-15-20 at 10.49 AM.PNG

    Please refer to MITM Proxy Troubleshooting for help with any other error when starting this application.



Setting up your iOS Device

  1. On your iOS device, go to your Settings application
  2. Click on WiFi
  3. Click the "i" beside your WiFi network
    Screen Shot 10-15-20 at 10.58 AM 001.PNG
  4. Click on Configure Proxy at the bottom of the screen
    Screen Shot 10-15-20 at 10.58 AM.PNG
  5. Select Manual
  6. Enter the correct IP Address and Port
    Screen Shot 10-15-20 at 11.00 AM.PNG
  7. Open Safari and verify that you can see traffic in the console by going to any HTTP URL, e.g. http://www.google.com (ignore the "connection is not private" error).

 

Installing SSL Certificate for HTTPS Decryption

 

  1. Open Safari on your mobile device, and go to http://mitm.it
    Screen Shot 10-15-20 at 11.26 AM.PNG
  2. Click on the Apple Link to download your profile.
  3. Go to your iOS Profiles and install the downloaded profile.
    Screen Shot 10-15-20 at 11.29 AM.PNG
  4. In the Settings Application, Click on General -> About
    Screen Shot 10-15-20 at 11.32 AM.PNG
  5. Scroll down and click on "Certificate Trust Settings"
  6. Enable Full Trust for the MITM Proxy Certificate
    Screen Shot 10-15-20 at 11.33 AM 001.PNG
  7. You should now see full headers in your web console.
  8. You can use any online SAML Decoder to get full access to the SAML Requests/Responses
    Screen Shot 10-15-20 at 11.36 AM.PNG
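
A local alternative to the online decoder in step 8, as an added example (not code from the original post or from mitmproxy): it decodes a SAMLRequest or SAMLResponse copied from the proxy console, handling both the HTTP-Redirect binding (base64 plus raw DEFLATE) and the HTTP-POST binding (base64 only), and it rejects truncated or oversized messages. The function names, the size limit and the sample URL are assumptions made for illustration.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit

MAX_XML = 1 << 20  # assumed limit: refuse to inflate more than 1 MiB


def decode_saml(value: str) -> str:
    """Decode one SAMLRequest/SAMLResponse value (already URL-decoded).

    HTTP-POST binding is base64(XML); HTTP-Redirect binding is
    base64(raw DEFLATE(XML)), so inflate only when the bytes are not XML.
    """
    # Copy/paste from a proxy UI can turn '+' into spaces and drop padding.
    value = value.strip().replace(" ", "+")
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    inflater = zlib.decompressobj(-15)  # wbits=-15: raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if not inflater.eof:  # stream did not end: cut short or larger than the limit
        raise ValueError("SAML message is truncated or exceeds MAX_XML")
    return xml.decode("utf-8")


def extract_saml(url_or_body: str) -> dict:
    """Decode SAML parameters from a full URL, a query string or a POST body."""
    encoded = urlsplit(url_or_body).query or url_or_body
    params = parse_qs(encoded)
    return {name: decode_saml(values[0]) for name, values in params.items()
            if name in ("SAMLRequest", "SAMLResponse")}


def redirect_encode(xml: str) -> str:
    """Build a Redirect-binding value; used here only to construct sample input."""
    deflater = zlib.compressobj(wbits=-15)
    data = deflater.compress(xml.encode()) + deflater.flush()
    return quote(base64.b64encode(data).decode(), safe="")


if __name__ == "__main__":
    # Constructed sample, not a capture from a real identity provider.
    sample = '<samlp:AuthnRequest ID="_constructed1" Destination="https://idp.example.test/sso"/>'
    url = "https://idp.example.test/sso?SAMLRequest=" + redirect_encode(sample) + "&RelayState=abc"
    print(extract_saml(url)["SAMLRequest"])
    body = "SAMLResponse=" + quote(base64.b64encode(b"<samlp:Response/>").decode(), safe="")
    print(extract_saml(body)["SAMLResponse"])
```

Pass `extract_saml` the request URL or the form body shown in the mitmweb flow details; a `ValueError` indicates the captured value was cut short before it reached you.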

 

How to support Certificate Based Authentication

If you need to perform certificate-based authentication, you cannot 'intercept' a certificate challenge from the Workspace ONE CAS server. You will need to exclude the cert challenge from being proxied through MITM Proxy.

  1. Although you can modify settings on the fly using the UI, it's probably easier to add the following switch when starting your MITM Proxy server:
    mitmweb.exe --web-port 8082 --ignore-hosts "^(cas|cas-aws).*"

Screen Shot 10-15-20 at 12.38 PM.PNG

