DebugSwift logoDebugSwift
← Back to blog

Network

In-App Network Inspection on iOS

Capture URLSession traffic, WebSockets, and encrypted responses without leaving the simulator.

Inspecting HTTPS traffic on iOS traditionally means standing up a man-in-the-middle proxy: generate a root CA, trust it on the simulator, route traffic through Charles or Proxyman, and hope certificate pinning does not block you. That workflow works — and for cross-app traffic on a Mac, it is often the right tool. For day-to-day iOS development inside your own app, in-process capture is faster and avoids the TLS trust dance entirely.

How proxy debugging works (and where it hurts)

A debugging proxy terminates TLS at the proxy machine. Your app connects to the proxy using a certificate signed by a locally trusted root CA; the proxy connects to the real server using the server's certificate. Traffic is decrypted in the middle, inspected, and re-encrypted. On macOS this is straightforward. On iOS you must install the root CA on each simulator or device, configure proxy settings, and handle apps that pin certificates — banking SDKs, some auth libraries, and security-hardened APIs will reject the proxy's certificate outright.

In-process capture with URLSession hooks

DebugSwift takes a different approach. After setup(), it swizzles URLSessionConfiguration factory methods so every session your app creates — including Alamofire, async URLSession, and third-party SDKs that use URLSession under the hood — flows through the same monitoring pipeline. Requests and responses are logged before encryption on the way out and after decryption on the way in. No certificate is substituted. Pinning continues to work because TLS still terminates inside your app's network stack.

let debugSwift = DebugSwift()
debugSwift.setup()show()

// Optional: filter noise or scope to your API
DebugSwift.Network.shared.ignoredURLs = ["https://analytics.example.com"]
DebugSwift.Network.shared.onlyURLs = ["https://api.myapp.com"]
Network tab with captured requests

What you see in the inspector

  • Request and response headers with syntax-highlighted JSON bodies
  • Timing information for each transaction
  • Status codes, redirects, and error states
  • Filtering by URL pattern to cut analytics noise
  • Encrypted payloads decrypted in-place when you register AES keys or custom decryptors
HTTP monitoring JSON body detail

Encrypted APIs

Some backends return AES-encrypted JSON wrapped in base64. A proxy shows ciphertext. DebugSwift can decrypt responses in the inspector when you register your key or a custom decryptor closure — the ciphertext remains available in the raw view for comparison.

Encrypted response decrypted to JSON

Mocking without a backend

The Response Modifier rewrites status codes and bodies for matching URLs at runtime. Test error states, empty lists, and edge-case payloads without deploying a staging server. Rules can be generated from live traffic you just captured.

When to use a proxy instead

In-app capture excels for URLSession-based traffic inside your DEBUG build. A system proxy still wins when you need to inspect traffic from multiple apps simultaneously, debug WKWebView content that bypasses URLSession, capture CLI tools, or set request breakpoints mid-flight. Many teams use both: DebugSwift for daily iOS work, a macOS proxy for cross-process or pinning-heavy scenarios.

Getting started

Add DebugSwift via SPM, call setup() inside #if DEBUG, and tap the floating debug ball. Every URLSession request from that point forward appears in the Network tab. If you create URLSessionConfiguration before setup(), inject the monitoring configuration manually — see the configuration docs for details.

Debug inside your app. Ship with confidence.

Open-source in-app debugging toolkit for iOS. Inspect network traffic, monitor performance, browse resources, and debug UI, all from a floating overlay inside your app.