MiTM Usage
mitmproxy is an absolutely amazing tool for figuring out and messing with any (mobile) application that is backed by remote web services. The August mobile application is no exception. In its default mode the August application uses a form of certificate pinning which prevents mitmproxy from intercepting or modifying traffic. One of the most reliable ways to bypass certificate pinning on any jailbroken iOS device is to use SSL Kill Switch 2. If disabling SSL certificate validation system-wide is not an option, or the device is not jailbroken, you can use a hidden 'feature' of the August application which allows certificate pinning to be bypassed; see Defeating Cert Pinning.
Below I've included a brief description of the three mitmproxy modes I find most useful and when/how to use them. The descriptions provided are no substitute for reading mitmproxy's excellent documentation.
This mode should be used if a custom endpoint was specified in the August application.
mitmproxy -w $(date +%Y%m%d%H%M%S) \
--anticache \
-R https://production.august.com \
-p 1337 \
--setheader :~q:Host:production.august.com
This mode should be used if the computer running mitmproxy is in the network path the phone uses to communicate with the internet (i.e. if the computer is providing the network connection to the phone).
mitmproxy -w $(date +%Y%m%d%H%M%S) \
--anticache \
--transparent \
--ignore '(^(.+\.)?apple\.com:443$)'\
'|(^(.+\.)?google\.com:443$)'\
'|(^(.+\.)?icloud\.com:443$)'\
'|(^(.+\.)?cydia\.com:443$)'\
'|(^(.+\.)?mzstatic\.com:443$)'\
'|(^(.+\.)?google-analytics\.com:443$)'
This mode should be used in all other situations.
mitmproxy -w $(date +%Y%m%d%H%M%S) \
--anticache \
-p 1337 \
--ignore '(^(.+\.)?apple\.com:443$)'\
'|(^(.+\.)?google\.com:443$)'\
'|(^(.+\.)?icloud\.com:443$)'\
'|(^(.+\.)?cydia\.com:443$)'\
'|(^(.+\.)?mzstatic\.com:443$)'\
'|(^(.+\.)?google-analytics\.com:443$)'
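The --ignore pattern only exempts the intended hosts if it reaches mitmproxy as one regular expression. The following check is an added example, not part of the original page: it compares the pattern passed as a single shell word with the same pattern carrying a backslash-newline inside the single quotes, assuming mitmproxy applies the pattern to host:port strings with Python's re.search. The sample addresses are constructed.

```python
import re

# The alternatives from the --ignore option, one per host family.
ALTERNATIVES = [
    r"(^(.+\.)?apple\.com:443$)",
    r"(^(.+\.)?google\.com:443$)",
    r"(^(.+\.)?icloud\.com:443$)",
    r"(^(.+\.)?cydia\.com:443$)",
    r"(^(.+\.)?mzstatic\.com:443$)",
    r"(^(.+\.)?google-analytics\.com:443$)",
]

# Pattern as mitmproxy receives it when it is a single shell word.
AS_ONE_WORD = "|".join(ALTERNATIVES)

# Pattern as received when the lines are wrapped with "\" INSIDE single
# quotes: the shell keeps both the backslash and the newline, so every
# alternative except the last now also demands a literal newline.
AS_WRAPPED_IN_QUOTES = "\\\n|".join(ALTERNATIVES)


def is_ignored(pattern, address):
    """True if traffic to address (host:port) would bypass interception.

    Assumption: the pattern is applied with re.search to "host:port".
    """
    return re.search(pattern, address) is not None


def report(pattern, addresses):
    """Map each address to whether the pattern exempts it."""
    return {a: is_ignored(pattern, a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = [
        "api.apple.com:443",
        "www.google-analytics.com:443",
        "production.august.com:443",
        "notapple.com:443",
        "apple.com:80",
    ]
    for name, pat in (("one word", AS_ONE_WORD),
                      ("wrapped in quotes", AS_WRAPPED_IN_QUOTES)):
        print(name)
        for addr, hit in report(pat, samples).items():
            print(f"  {addr:32} {'ignored' if hit else 'intercepted'}")
```
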
If you break your own or anyone else's lock, it is your own fault. While I've tried to make both the tools and directions in this repository easy to use, there is an inherent risk associated with any project like this. Please use all information provided on this site in a responsible manner. As with any lock picking, only use these tools and information on locks you own or have permission to manipulate.