Comment by zanecodes

1 day ago

Presumably by configuring the system-level HTTP proxy settings to point to a tool like mitmproxy or similar running on a machine on their LAN, and then installing a locally signed root CA certificate generated by the proxy, to enable it to decrypt TLS connections. I'm not familiar with the process on iOS, but it's pretty straightforward on Android. Some apps bundle their own root CA certificate (see "certificate pinning") and ignore the system certificates, which defeats this method unless you can decompile the app package, replace the bundled certificate with your own, and recompile/sideload the modified package. It's also possible they statically analyzed the app package to discover URLs.

In addition, there are TLS downgrade attacks that can trick a client into using SSL or a less secure cipher suite. Clients (and servers) can also prevent this, but it’s the classic long tail of vulns where it may mean blocking older clients, which might include third parties or abandoned automation.
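The workflow zanecodes describes (system proxy plus an installed root CA, defeated by pinning, or static extraction of URLs from the package) as an added example, not code from the comment or from any particular app: a Python triage script that walks an APK as a zip, pulls URLs out of the DEX and asset files, and looks for pinning indicators so you know in advance which hosts a mitmproxy setup will and will not be able to decrypt. The APK it scans is constructed inline; the host names, the marker strings taken as pinning indicators (OkHttp's `CertificatePinner`, its `sha256/` pin format, Android's `pin-set` element) and the UTF-16LE treatment of compiled resource XML are this example's assumptions, not facts from the comment.

```python
"""Static triage of an Android package: which URLs does the app contact, and
which of those hosts are certificate-pinned (so a system-proxy + root-CA
intercept would be rejected by the app)?

Assumptions (not from the original comment): an APK is a zip; DEX string
constants are MUTF-8, so ASCII-safe; compiled resource XML keeps element
names such as "pin-set" and domain names in a string pool that is often
UTF-16LE, so every file is scanned both as raw bytes and as UTF-16LE text.
The sample APK built below is constructed for this example, not a real app.
"""
import io
import re
import zipfile
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# Strings that commonly accompany a pinned TLS client: OkHttp's pinner class,
# its "sha256/<base64>" pin format, and Android's <pin-set> config element.
PIN_MARKERS = ("CertificatePinner", "sha256/", "pin-set")


def _views(blob: bytes):
    """Two textual views of one file: bytes mapped 1:1 onto characters (finds
    MUTF-8/UTF-8 strings) and a UTF-16LE decode (finds wide string pools).
    A trailing odd byte is dropped by errors="ignore"."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")


def _is_pinned(host: str, pinned_hosts: set) -> bool:
    """Treat a pin as covering subdomains (the includeSubdomains="true" case)."""
    return any(host == p or host.endswith("." + p) for p in pinned_hosts)


def triage(apk_bytes: bytes) -> dict:
    urls_by_file, pin_hits, pinned_hosts = {}, [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            found = set()
            for text in _views(z.read(name)):
                found.update(URL_RE.findall(text))
                pin_hits.extend((name, m) for m in PIN_MARKERS if m in text)
                if "pin-set" in text:
                    # Domain names stored next to a <pin-set> are the hosts
                    # whose certificates the app checks against its pins.
                    pinned_hosts.update(HOST_RE.findall(text))
            if found:
                urls_by_file[name] = sorted(found)
    all_urls = sorted(u for urls in urls_by_file.values() for u in urls)
    hosts = {urlsplit(u).hostname for u in all_urls} - {None}
    return {
        "urls": urls_by_file,
        "hosts": sorted(hosts),
        "pin_hits": pin_hits,
        "pinned_hosts": sorted(pinned_hosts),
        # Traffic a proxy with an installed root CA can still decrypt:
        "interceptable_urls": [
            u for u in all_urls
            if not _is_pinned(urlsplit(u).hostname or "", pinned_hosts)
        ],
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a fake DEX with string constants, a
    UTF-16LE network security config, and a JSON asset."""
    dex = (b"dex\n035\x00" + b"\x00" * 16
           + b"Lokhttp3/CertificatePinner;\x00"
           + b"https://api.example.test/v1/login\x00"
           + b"sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\x00"
           + b"https://telemetry.example.test/collect?src=app\x00")
    nsc = ('<network-security-config><domain-config>'
           '<domain includeSubdomains="true">api.example.test</domain>'
           '<pin-set><pin digest="SHA-256">'
           'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>'
           '</domain-config></network-security-config>').encode("utf-16-le")
    asset = b'{"update_url": "http://cdn.example.test/updates/latest.json"}'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", dex)
        z.writestr("res/xml/network_security_config.xml", nsc)
        z.writestr("assets/config.json", asset)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_apk())
    for key in ("hosts", "pinned_hosts", "interceptable_urls"):
        print(f"{key}: {report[key]}")
    for name, marker in report["pin_hits"]:
        print(f"pinning indicator {marker!r} in {name}")
```

On the constructed sample the pinned host is `api.example.test`, so only the telemetry and CDN URLs end up in `interceptable_urls`; those are the connections a proxy on the LAN with its CA installed will decrypt, while the API host needs the repack-and-sideload route the comment mentions. On a real package the string-pool scan is a heuristic: a UTF-8 string pool is caught by the raw view, a UTF-16 pool by the wide view, and an obfuscated app may build its URLs at runtime and show nothing here.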
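The client-side half of the downgrade point in the second paragraph, as an added example that is not the comment author's code: a permissive `ssl.SSLContext` (what keeping every old peer working looks like) next to a hardened one that floors the version at TLS 1.2 and restricts suites, plus an audit that reports what the permissive context would still accept. Only the standard `ssl` module is used; the cipher string, the 1.2 floor and the list of legacy-suite markers are this example's choices.

```python
"""Client-side defence against TLS downgrade: a permissive SSLContext beside
a hardened one, and an audit of the settings that make a downgrade possible.
Added example; the chosen floor (TLS 1.2) and cipher list are assumptions."""
import ssl

# Substrings of OpenSSL cipher names that identify legacy suites.
LEGACY_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXPORT", "MD5", "SEED", "IDEA")


def permissive_client_context() -> ssl.SSLContext:
    """Accepts any protocol version and suite the linked OpenSSL still offers
    and skips certificate checks: a downgrade or MITM goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Refuses anything below TLS 1.2 and limits TLS 1.2 to forward-secret
    AEAD suites, so a peer that only speaks older versions fails the
    handshake instead of being silently downgraded to (the "blocks older
    clients" cost the comment describes, seen from the client side)."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION | getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Findings for a context; empty when nothing downgrade-friendly is on."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS < 1.2: version downgrade possible")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    legacy = sorted({c["name"] for c in ctx.get_ciphers()
                     if any(m in c["name"] for m in LEGACY_CIPHER_MARKERS)})
    if legacy:
        findings.append("legacy cipher suites offered: " + ", ".join(legacy))
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit(ctx) or ["ok"])
```

Which legacy suites the permissive context actually offers depends on the OpenSSL build Python is linked against (OpenSSL 3 moves RC4 and friends into the legacy provider, so they may be absent even with `ALL`), which is why the audit reports whatever `get_ciphers()` returns rather than assuming a fixed list. The same `minimum_version` and `set_ciphers` calls apply to a `PROTOCOL_TLS_SERVER` context for the server side.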