Hacker News

coolThingsFirst, yesterday at 1:54 AM

How did he intercept what API calls a mobile app was making?


Replies

zanecodes, yesterday at 2:18 AM

Presumably by configuring the system-level HTTP proxy settings to point to a tool like mitmproxy or similar running on a machine on their LAN, and then installing a locally signed root CA certificate generated by the proxy, to enable it to decrypt TLS connections. I'm not familiar with the process on iOS, but it's pretty straightforward on Android. Some apps bundle their own root CA certificate (see "certificate pinning") and ignore the system certificates, which defeats this method unless you can decompile the app package, replace the bundled certificate with your own, and recompile/sideload the modified package. It's also possible they statically analyzed the app package to discover URLs.

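As an added example (not from the thread or any app it refers to), here is the defensive counterpart to the interception the reply describes: an Android network security config that pins the app's API host to specific public-key hashes, refuses user-installed CAs such as a proxy's locally signed root in release builds, and trusts them only in debug builds. The host name, expiry date and pin values are placeholders; real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo, and the file is referenced from the manifest via android:networkSecurityConfig.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example) -->
<network-security-config>
    <!-- Release default: only system CAs, no cleartext. A user-installed
         proxy root CA is therefore not trusted for any host. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the API host: even a certificate issued by a trusted CA is
         rejected unless its SPKI hash matches one of the pins. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain> <!-- placeholder host -->
        <pin-set expiration="2026-12-31"> <!-- placeholder date; pins stop being enforced after it -->
            <!-- Placeholder pins: replace with the base64 SHA-256 of the
                 leaf or intermediate SPKI, plus a backup pin for rotation. -->
            <pin digest="SHA-256">PRIMARY_SPKI_SHA256_BASE64_PLACEHOLDER=</pin>
            <pin digest="SHA-256">BACKUP_SPKI_SHA256_BASE64_PLACEHOLDER=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when android:debuggable="true": lets the developer's
         own proxy CA work in debug builds without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Pinning the intermediate rather than the leaf reduces breakage on routine certificate renewal, and the backup pin is what makes a key rotation possible without shipping an app update first.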