
Targets HTTP decryption has been broken since macOS 12 #13

@debookee

Since 2011, Debookee has intercepted and decrypted IPv4 traffic of "any device on the same network, in just a simple click".

We discovered that an update of macOS Monterey breaks a behavior of the pf firewall's routing used internally by Debookee (to redirect traffic to the mitmproxy and sslsplit components).

This bug affects the final version of macOS 12 and all subsequent macOS versions.

Which traffic Debookee can normally see and decrypt

  • IPv4 & IPv6 traffic of the Mac running Debookee (called Own Traffic)
      • Seen in menu: Own Traffic → HTTP ✅
      • Seen in menu: Own Traffic → Traffic statistics ✅
  • IPv4 traffic of other devices on the same network (called Targets), if interception works through ARP spoofing.
      • Seen in menu: Target → HTTP ❌
      • Seen in menu: Target → Traffic statistics ✅

What are the consequences?

Only Target's IPv4 traffic (decrypted or not) is affected: it's not seen in HTTP view.

Own Traffic is not affected although it uses the same routing rules. (It looks like the bug affects packets that are subject to IP forwarding and whose source IP is different from the NIC's IP.)

  • NA, SSL & PRO modules are affected for target's traffic.
  • WM module is not affected

Actions taken

  • The bug was submitted in August 2022 via Apple's Feedback Assistant (as of November 2024: still no response).
  • Users are warned on our website that some key features of Debookee don't work at the moment, and also during the payment process, with a dedicated check box to read this text before buying new licenses (as Own Traffic decryption still works, we don't suspend license purchases).

Technical details

We're very sorry about those consequences and will do our best to find a workaround while Apple works on this bug.
Thanks for any feedback or technical consideration!

Thomas


Updates

August 08, 2022:

  • Bug filed with Apple - FB11087263 - pf firewall transparent routing failure in macOS 12 & 13 beta
  • → As of November 2024: still no response

June 13, 2025:

  • Intercepted Target traffic decryption has been fully removed from Debookee due to unresolved macOS bugs and increasing system-level restrictions.
  • The future of Debookee remains uncertain.
