Configuring Xcode iOS Simulator with Burp Suite for Pentesting on macOS
Install Xcode from the Mac App Store, including the iOS Simulator add-on.
Install Burp Suite (Community or Professional Edition) on your macOS system. Download from .
Ensure both Burp Suite and Xcode are running on the same macOS system.
Identify Local IP Address:
Find your macOS system’s local IP address in System Preferences > Network > Wi-Fi > Details.
Example: 192.168.1.100.
Configure Burp Suite Proxy Listener:
Open Burp Suite and navigate to Proxy > Options (or Settings > Tools > Proxy in newer versions).
In the Proxy Listeners section, click Add (or edit the default listener).
Set Bind to port to 8080 (or another free port, e.g., 8082 or 8888).
Set Bind to address to Specific address and select your local IP address (e.g., 192.168.1.100) or All interfaces for broader access.
Confirm the listener is running (check for a tick in the Running column).
Set macOS Proxy Settings:
The iOS Simulator uses the macOS system’s network settings. Configure the proxy to route traffic through Burp Suite.
Go to System Preferences > Network > Wi-Fi > Advanced.
Enable Web Proxy (HTTP) and Secure Web Proxy (HTTPS).
Set both to 127.0.0.1 (localhost) and port 8080 (or the port chosen in Burp Suite).
Apply changes. Note: Launch the iOS Simulator after setting the proxy, as it uses the network settings at launch. Quit and restart the simulator if settings change.
Install Burp Suite CA Certificate in Simulator:
Open the iOS Simulator via Xcode: Xcode > Open Developer Tools > Simulator.
In the simulator, open Safari and navigate to http://burp or http://<your-local-ip>:<port> (e.g., http://192.168.1.100:8080).
Click CA Certificate to download the PortSwigger CA certificate.
Go to Settings > General > VPN & Device Management in the simulator.
Select the downloaded PortSwigger CA profile and click Install. Enter the device passcode if prompted.
Navigate to Settings > General > About > Certificate Trust Settings and toggle PortSwigger CA to enable trust. Confirm any warnings about root certificates.
Enable Interception in Burp Suite:
In Burp Suite, go to Proxy > Intercept.
Click Intercept is off to toggle it to Intercept is on. This allows Burp to capture and display HTTP/HTTPS traffic.
Test the Setup:
In the iOS Simulator, open Safari and visit a website (e.g., https://www.netflix.com).
Verify that Burp Suite captures the traffic in the Proxy > HTTP History tab.
If no traffic appears, ensure Intercept is off (to avoid blocking traffic) and verify proxy settings.
Optional: Scope Filtering:
To reduce noise in Burp Suite’s logs, add target websites to the scope.
In Proxy > HTTP History, right-click a request (e.g., https://www.netflix.com) and select Add to scope.
Check the scope in Target > Scope to ensure only relevant traffic is displayed.
No Traffic in Burp: Ensure the proxy listener is running, the correct IP and port are used, and the simulator was launched after proxy settings were applied. Check that Intercept is off unless actively inspecting requests.
Certificate Issues: Verify the PortSwigger CA certificate is installed and trusted in the simulator. Re-download if necessary.
Simulator Not Responding: Restart the simulator or Xcode. Ensure the macOS proxy settings are correct before launching.
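The "No Traffic in Burp" checks above can be scripted. The following is an added example, not part of the original guide: it reads the Wi-Fi service's HTTP and HTTPS proxy settings with `networksetup` and confirms that something accepts connections on the expected address. The script name, the function names and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the macOS proxy
# settings point at the Burp listener before launching the Simulator.

# Constructed samples of `networksetup -getwebproxy Wi-Fi` output.
SAMPLE_ON='Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0'
SAMPLE_OFF='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'

# Read networksetup proxy output on stdin; print host:port or "disabled".
proxy_endpoint() {
  awk -F': ' '
    $1 == "Enabled" { on = $2 }
    $1 == "Server"  { host = $2 }
    $1 == "Port"    { port = $2 }
    END { if (on == "Yes") print host ":" port; else print "disabled" }'
}

# check_proxy LABEL EXPECTED: compare stdin's proxy with EXPECTED host:port.
check_proxy() {
  actual=$(proxy_endpoint)
  if [ "$actual" = "$2" ]; then echo "OK   $1 proxy is $actual"; return 0; fi
  echo "FAIL $1 proxy is $actual, expected $2"; return 1
}

# live_check SERVICE HOST:PORT: run on the Mac against the real settings.
live_check() {
  rc=0
  networksetup -getwebproxy "$1" | check_proxy HTTP "$2" || rc=1
  networksetup -getsecurewebproxy "$1" | check_proxy HTTPS "$2" || rc=1
  if nc -z "${2%:*}" "${2#*:}" 2>/dev/null; then
    echo "OK   listener accepts connections on $2"
  else
    echo "FAIL nothing accepts connections on $2 (check Burp's bind address)"
    rc=1
  fi
  return $rc
}

# Usage on the Mac: sh check_burp_proxy.sh live Wi-Fi 127.0.0.1:8080
if [ "${1:-}" = "live" ]; then live_check "${2:-Wi-Fi}" "${3:-127.0.0.1:8080}"; fi
```

A failed listener check while both proxy lines pass usually means the Burp listener is bound to a specific address other than the one in the macOS proxy settings: a listener bound only to 192.168.1.100 does not answer on 127.0.0.1.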