MiTM - Non-HTTP TLS

You will want to read the following paper:

  • Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. NDSS 2011. (It received the Distinguished Paper Award.)

This is a fantastic piece of work that performs static analysis of iOS applications to detect privacy leaks.

They build a static analysis tool that analyzes iOS applications, detecting what private data the app reads, whether it sends that private data out over the network, and if so, to where. They then apply their static analysis tool to a large collection of iOS apps and show that their tool is effective and highly accurate; their work finds a large number of apps that are leaking private data (e.g., the unique ID of the phone that the app is running on).

I'd expect static analysis to be more effective than examining network traffic, and less tedious to use, so it is an important alternative to the approach you are currently taking.

Overall, this is a brilliant, innovative piece of research that I encourage you to read carefully.


You could try your luck with ettercap. You can configure it with a private key to use, and configure the cert that belongs with it in the iPhone's keystore. I'm not sure whether it picks up non-port-443 traffic by default, but I think it's able to decrypt any TLS connection if it has the key.


AFAIK Jabber and XMPP are XML based protocols, so there's no real reason why Burp couldn't intercept them.

Where you may be having problems is that there's no way within the client app to specify a proxy.

What I've done in the past with Burp in this kind of instance is to use the "Support invisible proxying for non-proxy-aware client" option in the proxy options tab. You can specify your endpoint server and port there, and then in the client specify a target server of the Burp IP address and port, and it'll forward on from there.