api-discovery-mobile-mitmproxy
// Capture mobile app API traffic using mitmproxy with HTTPS decryption, certificate trust setup for iOS/Android, and certificate pinning bypass.
| name | api-discovery-mobile-mitmproxy |
| description | Capture mobile app API traffic using mitmproxy with HTTPS decryption, certificate trust setup for iOS/Android, and certificate pinning bypass. |
| tech_stack | ["mobile-native","web"] |
| language | ["python"] |
| capability | ["encryption"] |
| version | mitmproxy stable |
| collected_at | "2025-07-16T00:00:00.000Z" |
Source: https://docs.mitmproxy.org/stable/, https://raw.githubusercontent.com/mitmproxy/mitmproxy/main/docs/src/content/concepts/certificates.md
Capture and decrypt HTTPS API traffic from mobile apps (iOS/Android) using mitmproxy as an intercepting proxy. When internal system API documentation is missing or incomplete, this technique reveals the actual API calls mobile apps make — endpoints, parameters, headers, auth tokens, and response schemas — enabling API inventory, reverse engineering, and security assessment.
```bash
pip install mitmproxy
# or
brew install mitmproxy
```

```bash
# For bulk recording — use mitmdump
mitmdump -w traffic.out
# For interactive inspection (small samples only)
mitmproxy
# For web UI (beta)
mitmweb
```
Default proxy listens on 0.0.0.0:8080.
Set the device's WiFi proxy to <your-machine-ip>:8080, then visit http://mitm.it/ in the device browser and install the CA certificate for the platform.
On iOS, after installing the profile, go to Settings → General → About → Certificate Trust Settings and toggle ON "Enable full trust for root certificates" for the mitmproxy certificate. Missing this step is the #1 setup failure.
- `.cer` file via Settings → Security → Install from storage
- `network_security_config.xml` to trust user CAs

```bash
# Save all traffic
mitmdump -w session.out
# Filter POST requests only from saved session
mitmdump -nr session.out -w posts_only.out "~m post"
# Filter by domain
mitmdump -nr session.out -w api_traffic.out "~d api.internal.com"
# Run a Python script to transform traffic on the fly
mitmdump -s extract_endpoints.py
```
Use mitmdump's Python scripting to extract method + path + params from captured flows and output JSON for the endpoint inventory pipeline:
```python
# extract_endpoints.py
from mitmproxy import http


def response(flow: http.HTTPFlow) -> None:
    # Called once per completed HTTP flow; print the method and full URL.
    print(f"{flow.request.method} {flow.request.pretty_url}")
```
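An added example (not part of the original skill or of mitmproxy itself): a fuller version of the script above that produces the JSON inventory the text describes. It goes beyond the one-line printer by collapsing numeric and UUID path segments to `{id}` and by recording only parameter and auth-header names, never their values, so captured tokens do not end up in the inventory. The file name `extract_inventory.py`, the `AUTH_HEADERS` list and the `{id}` template are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Identifier-looking path segments (integers, UUIDs) collapse to "{id}" so
# /users/17 and /users/42 become one inventory entry.
_ID = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")
AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}  # assumed list; extend per app
inventory = {}  # (method, host, path template) -> sets of observed names


def record(method, url, headers, body=b"", status=None):
    """Fold one request into the inventory, keeping names only, never values."""
    parts = urlsplit(url)
    path = "/".join("{id}" if _ID.match(s) else s for s in parts.path.split("/"))
    key = (method.upper(), parts.hostname or "", path)
    entry = inventory.setdefault(
        key, {"query": set(), "body": set(), "auth": set(), "status": set()})
    entry["query"].update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if body and "json" in ctype:
        try:
            doc = json.loads(body)
            if isinstance(doc, dict):
                entry["body"].update(doc)  # top-level JSON keys only
        except ValueError:
            pass  # malformed JSON body: the endpoint itself is still recorded
    elif body and "x-www-form-urlencoded" in ctype:
        entry["body"].update(k for k, _ in parse_qsl(body.decode("utf-8", "replace")))
    entry["auth"].update(k.lower() for k in headers if k.lower() in AUTH_HEADERS)
    if status is not None:
        entry["status"].add(status)
    return key


def to_json():  # sorted JSON list for a downstream inventory pipeline
    rows = [{"method": m, "host": h, "path": p, **{f: sorted(v) for f, v in e.items()}}
            for (m, h, p), e in sorted(inventory.items())]
    return json.dumps(rows, indent=2)


def response(flow):  # mitmproxy event hook: one call per completed HTTP flow
    req = flow.request
    body = req.get_content(strict=False) or b""
    record(req.method, req.pretty_url, req.headers, body, flow.response.status_code)


def done():  # mitmproxy event hook: called once at shutdown
    print(to_json())
```

Run it over a saved capture with `mitmdump -nr session.out -s extract_inventory.py`; the JSON is printed when mitmdump exits.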
| Command | Purpose |
|---|---|
| `mitmdump -w outfile` | Save all traffic to file |
| `mitmdump -nr infile -w outfile "~m post"` | Filter saved traffic (POST only) |
| `mitmdump -nC outfile` | Replay all requests from saved session |
| `mitmdump -s script.py` | Run Python script on live/recorded traffic |
| `mitmdump -ns script.py -r srcfile -w dstfile` | Scripted transformation of saved traffic |

| Filter | Matches |
|---|---|
| `~m post` | POST requests only |
| `~m get` | GET requests only |
| `~d example.com` | Domain |
| `~s 200` | Response status 200 |

| Tool | Platform | Method |
|---|---|---|
| apk-mitm | Android | Patch APK to remove pinning |
| objection | iOS + Android | Frida runtime unpinning |
| ssl-kill-switch2 | iOS + macOS | Blackbox pinning disable |
| android-unpinner | Android | Frida injection via APK mod |

| File | Use |
|---|---|
| `~/.mitmproxy/mitmproxy-ca-cert.pem` | Distribute to macOS, Linux, iOS |
| `~/.mitmproxy/mitmproxy-ca-cert.p12` | Windows |
| `~/.mitmproxy/mitmproxy-ca-cert.cer` | Android |
```bash
# Client cert for upstream server
mitmdump --set client_certs=DIRECTORY -w out  # lookup by hostname: example.org.pem
# Require client cert from connecting clients (MQTT/IoT)
mitmdump --set request_client_cert=True --set client_certs=client-cert.pem
```
- `ignore_hosts`.
- `mitmdump -w` for bulk recording.
- `~/.mitmproxy/mitmproxy-ca.pem` (which includes the private key).
- `api-discovery-endpoint-inventory` — extract method + path + params from captured flows and feed into inventory normalization
- `api-discovery-network-tab-capture` — browser-based capture misses mobile-only endpoints; mitmproxy fills this gap
- `objection` or `ssl-kill-switch2` for runtime bypass