
Building HTTPInspector: An iOS Security Analysis Tool

In today's digital landscape, website security has become more critical than ever. While numerous online tools exist for analyzing SSL certificates and HTTP security headers, I was frustrated by their limitations when working on mobile devices.

I decided to build HTTPInspector, a native iOS application that brings comprehensive website security analysis directly to your iPhone.

What does HTTPInspector do?

HTTPInspector is designed to be your pocket security audit tool. The application takes any HTTPS URL and performs a comprehensive security analysis, providing insights that are typically only available through desktop tools or complex command-line utilities.

Visuals of HTTPInspector

Here are a couple of visuals of the application. This is the main application:


This is the result option when you enter a URL to check:


This is the certificate in detail, showing the chain as well:

Then we can see the HTTP header options and server signature:


You can then go into the HTTP header report and look at the values and data:


Then finally you have the "history" for the current session using the application:


HTTPInspector Overview

The app analyzes three core security components:

SSL Certificate Analysis

The heart of HTTPInspector is its certificate inspection capability. For any website, the app extracts and displays:

  • Certificate validity periods with precise expiry dates
  • Certificate chain analysis showing the complete trust path
  • Key strength evaluation (RSA key sizes, signature algorithms)
  • Certificate authority information and issuer details
  • Serial numbers and fingerprints for certificate verification

HTTP Security Header Evaluation

Modern web security relies heavily on HTTP headers that instruct browsers on security policies. HTTPInspector evaluates critical headers including:

  • HSTS (HTTP Strict Transport Security) - Prevents protocol downgrade attacks
  • Content Security Policy (CSP) - Mitigates XSS and injection attacks
  • X-Frame-Options - Prevents clickjacking attempts
  • X-Content-Type-Options - Blocks MIME type confusion
  • Referrer-Policy - Controls information leakage

Each header is analyzed for presence, correctness, and security impact, with specific recommendations for improvement.

Security Grading System

HTTPInspector combines certificate strength and header analysis into an overall security grade from A+ to F. This scoring system considers:

  • Certificate key strength and validity
  • Proper certificate chain configuration
  • Presence and configuration of security headers
  • Overall security posture
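
To make the header evaluation and grading described above concrete, here is an added example (not HTTPInspector's own code) that scores the five headers for presence and correctness and maps the total to a letter grade. The names `Finding` and `evaluateHeaders`, the weights, the 180-day HSTS threshold and the grade cut-offs are all assumptions, and the certificate part of the grade is left out.

```swift
import Foundation

// Added example: Finding, evaluateHeaders, the weights and the grade cut-offs are assumptions.
struct Finding { let header: String; let earned: Int; let weight: Int; let note: String }

func evaluateHeaders(_ raw: [String: String]) -> (findings: [Finding], grade: String) {
    // Header names are case-insensitive: normalise before lookup.
    var headers: [String: String] = [:]
    for (name, value) in raw { headers[name.lowercased()] = value.lowercased() }
    var findings: [Finding] = []
    func check(_ name: String, _ weight: Int, _ isStrong: (String) -> Bool, _ weakNote: String) {
        guard let value = headers[name.lowercased()], !value.isEmpty else {
            findings.append(Finding(header: name, earned: 0, weight: weight, note: "missing"))
            return
        }
        // Present but weak earns half credit: presence alone is not correctness.
        let strong = isStrong(value)
        findings.append(Finding(header: name, earned: strong ? weight : weight / 2,
                                weight: weight, note: strong ? "ok" : weakNote))
    }
    check("Strict-Transport-Security", 30, { value in
        let directives = value.split(separator: ";").map { $0.trimmingCharacters(in: .whitespaces) }
        let maxAge = directives.first(where: { $0.hasPrefix("max-age=") }).flatMap { Int($0.dropFirst(8)) }
        return (maxAge ?? 0) >= 15_552_000   // 180 days (assumed threshold)
    }, "max-age missing or under 180 days")
    check("Content-Security-Policy", 30, { value in
        !value.contains("'unsafe-inline'") && !value.contains("'unsafe-eval'")
    }, "allows 'unsafe-inline' or 'unsafe-eval'")
    check("X-Frame-Options", 15, { $0 == "deny" || $0 == "sameorigin" }, "unrecognised value")
    check("X-Content-Type-Options", 15, { $0 == "nosniff" }, "only 'nosniff' is valid")
    check("Referrer-Policy", 10, { value in
        // With a comma-separated fallback list, the last value is the preferred one.
        let last = value.split(separator: ",").last.map { $0.trimmingCharacters(in: .whitespaces) }
        return last != nil && last != "unsafe-url" && last != "no-referrer-when-downgrade"
    }, "sends the full URL to other origins")

    let score = findings.reduce(0) { $0 + $1.earned }   // weights sum to 100
    let cutoffs: [(Int, String)] = [(95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D")]
    return (findings, cutoffs.first(where: { score >= $0.0 })?.1 ?? "F")
}

// Constructed response headers, not captured from a real site.
let sample = ["strict-transport-security": "max-age=3600; includeSubDomains",
              "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
              "X-Content-Type-Options": "nosniff"]
let report = evaluateHeaders(sample)
for f in report.findings { print("\(f.header): \(f.earned)/\(f.weight) (\(f.note))") }
print("Header grade:", report.grade)
```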

The Challenge: Apple's Certificate Limitations

Apple's iOS Security framework, while robust for trust evaluation, provides extremely limited access to certificate details. Extracting basic information like certificate expiry dates proved nearly impossible using standard iOS APIs.

This limitation forced me to explore alternative approaches. The solution involved integrating OpenSSL, the industry-standard cryptographic library, into the iOS application. This integration required careful handling of different CPU architectures (simulator vs device) and complex memory management.

I've detailed this technical journey to get certificate expiry extraction working, in a separate blog post: iOS Security Analysis Tool and the Battle with Apple's Certificate APIs. That post covers the technical challenges, failed approaches, and the eventual OpenSSL-based solution that made HTTPInspector possible.

Why a Native iOS App?

You might wonder why I chose to build a native iOS app when web-based security analysis tools already exist. Several factors drove this decision:

Pleasant Mobile Experience

Most online security tools are designed for desktop use. They often have complex interfaces, small text, and poor touch interaction. HTTPInspector is built specifically for mobile devices with intuitive touch interfaces, readable fonts, and gesture-based navigation.

Offline Capability

Once the analysis is complete, all certificate and header information is stored locally. You can review security details without an internet connection, making it perfect for presentations, security audits, or situations with poor connectivity.

Speed and Efficiency

Native iOS apps can leverage device hardware and optimized networking stacks for faster analysis. HTTPInspector connects directly to servers without the overhead of web-based proxy services.

Privacy and Security

Your analysis requests go directly from your device to the target servers. There's no intermediate service logging your security analysis activities or the websites you're investigating.

Technical Architecture

HTTPInspector is built entirely in SwiftUI, providing a modern, responsive interface that adapts to different screen sizes and orientations. The app uses a delegate-based URLSession approach to intercept SSL handshakes, allowing detailed certificate inspection before the connection completes.

The security analysis engine processes both certificate data (via OpenSSL integration) and HTTP headers (via standard URLSession responses) to generate comprehensive security reports. Results are scored using a weighted algorithm that considers both the presence and strength of security measures.
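
The delegate-based inspection described above can be sketched as follows. This is an added example, not the app's actual code: `ChainInspector` and `CertificateSummary` are hypothetical names, and it assumes iOS 15 or later for `SecTrustCopyCertificateChain`. It records the chain during the server-trust challenge and then leaves the trust decision to the system, so inspection never weakens validation.

```swift
import Foundation
import Security
import CryptoKit

// Added example: CertificateSummary and ChainInspector are hypothetical names.
struct CertificateSummary {
    let subject: String
    let sha256: String   // fingerprint of the DER encoding
    let der: Data        // raw DER bytes, usable as input to an X.509 parser such as OpenSSL
}

final class ChainInspector: NSObject, URLSessionDelegate {
    private(set) var chain: [CertificateSummary] = []
    private(set) var systemTrusted = false

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only the server-trust challenge carries the certificate chain.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Record the system's verdict for the report.
        var error: CFError?
        systemTrusted = SecTrustEvaluateWithError(trust, &error)

        // Leaf first, then intermediates (iOS 15+ / macOS 12+).
        let certs = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        chain = certs.map { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
            let subject = (SecCertificateCopySubjectSummary(cert) as String?) ?? "(unknown)"
            return CertificateSummary(subject: subject, sha256: digest, der: der)
        }
        // Inspect only: never substitute our own credential for the system's decision.
        completionHandler(.performDefaultHandling, nil)
    }
}
```

Pass an instance as the `delegate:` when creating the `URLSession`, then read `chain` once the request's completion handler fires.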

Is this on the App Store?

No, this is currently limited to developer TestFlight access only - so at the moment, it’s not an application you can download and use unless you’re invited to be part of the test.

Conclusion

Building HTTPInspector taught me that sometimes the best solutions come from scratching your own itch. The frustration with existing mobile security tools led to creating something better suited for modern mobile workflows.

While the technical challenges were significant - particularly the certificate expiry extraction that required deep integration with OpenSSL - the result is a tool that makes website security analysis accessible, fast, and mobile-friendly.

Security analysis shouldn't be confined to desktop computers or poorly optimized websites. With HTTPInspector, comprehensive security evaluation fits in your pocket, ready whenever you need to verify that a website is properly secured.
