3.47 · advanced · 5 min read

Mobile App API Capture with mitmproxy

Phones talk to APIs the web doesn't expose. mitmproxy intercepts the traffic; with a CA cert on the device, you see everything decrypted.

What you’ll learn

  • Set up mitmproxy as a transparent proxy on your desktop.
  • Install the mitmproxy CA cert on Android / iOS / emulators.
  • Route phone traffic through the proxy.
  • Capture, replay, and modify mobile API calls.

Mobile apps often talk to backends that the web doesn't expose, or to the same backends with simpler auth (a long-lived token, a static API key). For scrapers, the mobile API can be a much easier target, once you can see the traffic.

mitmproxy is the standard tool. This lesson is the end-to-end setup.

What mitmproxy does

mitmproxy is a transparent HTTPS interception proxy. You:

  1. Run it on your desktop (defaults to port 8080).
  2. Configure the mobile device to send all traffic through <your-desktop-IP>:8080.
  3. Install mitmproxy's CA certificate on the device.
  4. The proxy decrypts HTTPS, shows you everything, and re-encrypts on the way out.

The device sees a trusted certificate (signed by mitmproxy's CA, which you installed) and proceeds normally. mitmproxy sees plaintext.

Install

pip install mitmproxy
# or
brew install mitmproxy
# or
docker run --rm -it -p 8080:8080 -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy mitmproxy/mitmproxy

Three frontends:

  • mitmproxy, interactive terminal UI. Best for live triage.
  • mitmweb, browser-based UI at http://localhost:8081. Easier visually.
  • mitmdump, headless, for scripting and capture-to-file.

Step 1, start the proxy

mitmweb --listen-port 8080

mitmweb is the friendliest. It opens a browser tab showing the (initially empty) flow list.

Step 2, find your desktop IP

The phone needs to reach your desktop. On the same Wi-Fi:

# macOS
ipconfig getifaddr en0
# Linux
hostname -I
# Windows
ipconfig | findstr IPv4

Say it's 192.168.1.50.

Step 3, configure the device's proxy

Android (Wi-Fi proxy)

  1. Settings → Wi-Fi → long-press your network → Modify → Advanced.
  2. Proxy: Manual.
  3. Proxy hostname: 192.168.1.50.
  4. Proxy port: 8080.
  5. Save.

iOS

  1. Settings → Wi-Fi → ⓘ on your network.
  2. Configure Proxy → Manual.
  3. Server: 192.168.1.50, Port: 8080.
  4. Save.

Android Emulator

emulator -avd <name> -http-proxy http://192.168.1.50:8080

iOS Simulator

Inherits from the host Mac's proxy settings (System Preferences → Network → Advanced → Proxies).

Step 4, install the CA cert

On the device, browse to http://mitm.it (mitmproxy's special host).

You'll see install buttons for each platform. Follow:

Android

  1. Download mitmproxy-ca-cert.crt.
  2. Settings → Security → Install from storage → pick the cert.
  3. On Android 11+, apps don't trust user-installed certs by default; only system certs are trusted. For apps to trust mitmproxy, either:
       • Use a debug build with network_security_config.xml that trusts user CAs.
       • Root the device and install the cert as a system cert.
       • Use the emulator (root by default; cert install is simpler).

iOS

  1. Download the profile.
  2. Settings → General → VPN & Device Management → install the profile.
  3. Critical: Settings → General → About → Certificate Trust Settings → toggle ON for mitmproxy.

Without that last step, iOS doesn't actually trust the cert.

Step 5, capture traffic

Open the target app on the phone. Use it. Watch flows appear in mitmweb.

Each flow shows:

  • The request (URL, method, headers, body).
  • The response (status, headers, body).
  • Timing.

Click any to drill in. Right-click → "Copy as cURL" for instant replay.

Step 6, replay and modify

# Save captured flows to disk
mitmdump -w capture.flow

# Replay later
mitmdump -nr capture.flow

# Modify on the fly with a script
mitmdump -s modify.py

modify.py:

from mitmproxy import http

def request(flow: http.HTTPFlow) -> None:
    # Tag requests to the target API so they are easy to spot in the flow list.
    if "api.example.com" in flow.request.host:
        flow.request.headers["X-Debug"] = "scraping"

Step 7, extract the data

Once you've identified the right endpoint:

  1. Copy as cURL.
  2. Paste it in a terminal to replay the captured request.
  3. Translate to Python or PHP.

The captured curl will have:

  • The full URL.
  • All headers, including auth.
  • The request body.

Strip non-essential headers (lesson 3.8). You now have a programmatic scraper for the mobile API.
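
A saved capture keeps every header, including the auth token, so scrub it before the file leaves your machine. The script below is an added example, not part of the original lesson: it replaces credential headers with a short fingerprint, so requests that used the same token can still be correlated. The header list (apart from X-Client-Token, which comes from the worked example in this lesson) and the file names are assumptions.

```python
"""redact.py (added example). Run offline over a saved capture:
    mitmdump -nr capture.flow -s redact.py -w redacted.flow
With -n nothing is sent upstream, so rewriting request headers is safe here.
Do not load it during a live capture: it would break the app's auth.
"""
import hashlib
import re

# Header names that carry credentials. X-Client-Token is the header from the
# lesson's worked example; the rest are common conventions (assumed list).
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie",
             "x-client-token", "x-api-key"}
# Catch-all for custom header names that look like they hold a secret.
LOOKS_SECRET = re.compile(r"token|secret|api[-_]?key|session", re.I)


def fingerprint(value: str) -> str:
    """Stable, non-reversible stand-in: same token gives the same marker."""
    digest = hashlib.sha256(value.encode("utf-8", "replace")).hexdigest()[:8]
    return f"REDACTED-sha256:{digest}"


def redact_headers(headers) -> list:
    """Redact credential headers in place; return the names that changed."""
    changed = []
    for name in list(headers.keys()):
        if name.lower() in SENSITIVE or LOOKS_SECRET.search(name):
            headers[name] = fingerprint(headers[name])
            changed.append(name)
    return changed


# mitmproxy event hooks: called for every flow loaded from the capture file.
def request(flow):
    redact_headers(flow.request.headers)


def response(flow):
    redact_headers(flow.response.headers)
```

Only headers are rewritten; tokens carried in query strings or JSON bodies need their own handling before a capture is shared.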

SSL pinning, the common blocker

Some apps validate the server's certificate against a hardcoded fingerprint (SSL pinning). The certificate mitmproxy presents, signed by the device-installed mitmproxy CA, doesn't match the pinned fingerprint, so the app refuses to connect.

Symptoms:

  • The app shows "Network error" or similar.
  • mitmweb shows TLS handshake failures.
  • The app works without the proxy (proves it's not your network).
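
To tell a pinned host apart from a CA that the device simply doesn't trust yet (the missed iOS trust toggle, or the Android user-CA restriction from Step 4), count handshake outcomes per host. The addon below is an added example, not part of the original lesson; it assumes a mitmproxy release that provides the tls_established_client and tls_failed_client hooks, and the verdict labels are made up for this example.

```python
"""pin_triage.py (added example). Run with: mitmdump -s pin_triage.py"""
import logging
from collections import Counter


def _host(data):
    # Prefer the SNI the app sent; fall back to the upstream address.
    sni = getattr(data.conn, "sni", None)
    if sni:
        return sni
    addr = getattr(data.context.server, "address", None)
    return addr[0] if addr else "<unknown>"


class PinTriage:
    def __init__(self):
        self.ok = Counter()      # client accepted mitmproxy's certificate
        self.failed = Counter()  # client aborted the TLS handshake

    # mitmproxy event hooks for the device-to-proxy side of the connection.
    def tls_established_client(self, data):
        self.ok[_host(data)] += 1

    def tls_failed_client(self, data):
        self.failed[_host(data)] += 1

    def classify(self):
        """Return {host: verdict} from the handshakes seen so far."""
        if self.failed and not self.ok:
            # Nothing at all was accepted: suspect the CA install, not pinning.
            return {h: "ca-not-trusted?" for h in self.failed}
        verdicts = {}
        for h in set(self.ok) | set(self.failed):
            if self.failed[h] and not self.ok[h]:
                verdicts[h] = "likely-pinned"   # this host alone rejects us
            elif self.failed[h]:
                verdicts[h] = "intermittent"
            else:
                verdicts[h] = "intercepted"
        return verdicts

    def done(self):
        # Called when mitmproxy shuts down: print the summary.
        for host, verdict in sorted(self.classify().items()):
            logging.info("%-16s %s ok=%d failed=%d",
                         verdict, host, self.ok[host], self.failed[host])


addons = [PinTriage()]
```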

Workarounds: lesson 3.48 covers SSL pinning bypass techniques (Frida, objection, custom builds).

Alternative tools

  • Charles Proxy, similar to mitmproxy, GUI-first, paid.
  • Proxyman, macOS-native, polished UI.
  • Burp Suite, security-tester-focused, very feature-rich, paid pro tier.
  • HTTP Toolkit, modern, free, friendly UI; built for developers.

For pure scraping, mitmproxy or HTTP Toolkit are usually enough. Burp is overkill unless you're doing security testing.

A worked example, capturing a mobile API call

Target: a sneaker app that exposes inventory via internal API.

  1. Start mitmweb.
  2. Configure phone's proxy to point at your desktop.
  3. Install mitmproxy CA on phone; enable Certificate Trust (iOS).
  4. Open the app, search "Air Max."
  5. mitmweb shows: GET https://api.example.com/v3/products?q=Air+Max, returning a JSON list of products with prices, sizes, SKUs.
  6. Copy as cURL.
  7. Paste in terminal. Works.
  8. Note: the auth header is X-Client-Token: <very-long-token>. On inspection, it looks like a long-lived token, not a JWT.
  9. Translate to Python requests. Loop over queries. Done.

The whole capture-to-scraper took ~30 minutes. The mobile API is often much friendlier than the web equivalent.

Capture etiquette

  • Don't reverse-engineer apps you don't have permission to scrape. Mobile-app ToS prohibit it explicitly in many cases.
  • Don't redistribute captured tokens. They're tied to your account.
  • Respect rate limits. Mobile APIs often have aggressive limits; the app's own throttling masks them.

Hands-on lab

Conceptual lesson: no Catalog108 mobile app exists. Action: set up mitmproxy on your desktop. Configure your phone (or an Android emulator) to route through it. Install the CA cert. Browse any app you have a personal account on. Inspect the API traffic. The skill compounds: every mobile API you'll ever scrape uses this same workflow.

Quiz, check your understanding

What's the role of mitmproxy's CA certificate when intercepting HTTPS on a phone?
