
How to intercept API calls from mobile devices

Jonathan Pereira ・2 min read

Ever wondered how to capture the API calls being made in the background while your mobile app or mobile browser is fetching data from the internet? This quick guide will give you some answers.

I'll be using a proxy server to inspect the web traffic originating from the mobile device. I'm using the Postman client and my Android smartphone for this purpose.

What is a Proxy Server?


Simply put, a proxy server is a gateway between the client and the server. In our case, we will use the mobile device as a client, and make the computer act as a proxy between the client and the server. The flow is set up so that the internet traffic passes through the proxy server on its way to the web address you requested.

What is Postman?


Postman is an API Development Environment catering to every stage of the API Lifecycle. It is used by over 7M developers globally. The Postman Proxy is one of the features available out-of-the-box on the Postman client.

Capturing API calls using Postman

  1. To get started, we need the computer and the mobile device to be connected to the same wireless network. I’m going to use a Mac laptop and an Android smartphone.

  2. Click on the Proxy Settings button in the top menu bar.

  3. The Proxy Settings modal should show. Make a note of the port mentioned. I’ll use the default port “5555”. Select the target to capture the requests. I’ll use the “History” sidebar panel. Click on Connect.

  4. Find the IP address of your computer. You should see this in your Network settings.

  5. Configure HTTP Proxy on the mobile device. You can do this by going to Settings -> Wi-Fi and selecting the Modify Network option. Enter the computer’s IP address as your Proxy Host. Set the proxy port to the same as the port in the Postman app, i.e. 5555.

You should have everything working!

Open a browser or any app on the mobile device and keep an eye on the Postman app. I entered www.mit.edu in my Chrome for Android browser. As the browser started contacting the server, all of the calls started appearing in the Postman sidebar.

Where can you use this?

  • To help you to understand the communications between the client and server. This could be useful from a security standpoint to highlight malicious requests.
  • To make it easier to debug by pinpointing where the app crashes or throws an error.
  • To identify behavior differences among mobile devices (based on hardware and resolutions), which helps to isolate bugs seen on certain devices.

Note:

  • Postman currently supports only HTTP traffic in the Proxy feature. Support for HTTPS is expected to be added soon.
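
What a capturing proxy can read in the setup above, and why the HTTP-only note matters, shown as an added Python example (not Postman's code and not from the original post). It runs a small logging proxy and a stand-in API on loopback; the class names, the `api.example.test` host and the User-Agent string are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

HISTORY = []  # captured requests, playing the role of the History panel

class Base(BaseHTTPRequestHandler):
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Base):  # constructed stand-in for the API the app calls
    def do_GET(self):
        self.reply(200, b'{"items": []}')

class CapturingProxy(Base):
    def do_GET(self):
        # A proxied client sends the absolute URL: method, URL and headers are readable.
        HISTORY.append(("GET", self.path, self.headers.get("User-Agent")))
        url = urlsplit(self.path)
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request("GET", (url.path or "/") + ("?" + url.query if url.query else ""))
        resp = upstream.getresponse()
        self.reply(resp.status, resp.read())
        upstream.close()
    def do_CONNECT(self):
        # HTTPS arrives as CONNECT host:port; path, headers and body stay inside TLS.
        HISTORY.append(("CONNECT", self.path, None))
        self.send_error(501, "Tunnelling not implemented in this sketch")

def serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    origin, proxy = serve(Origin), serve(CapturingProxy)
    target = f"http://127.0.0.1:{origin.server_port}/api/items?page=1"
    statuses = []
    for method, uri in (("GET", target), ("CONNECT", "api.example.test:443")):
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
        client.request(method, uri, headers={"User-Agent": "constructed-mobile-app/1.0"})
        statuses.append(client.getresponse().status)
        client.close()
    for server in (origin, proxy):
        server.shutdown()
    return statuses, list(HISTORY)
```

Calling `demo()` returns the response statuses and the captured history: the plain HTTP call is logged with its full URL and headers, while the HTTPS attempt exposes only the destination host and port.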
