Wormholy
Wormholy is an iOS network debugging library that intercepts and displays all NSURLSession traffic via a shake-gesture interface. It requires no code imports and works transparently with Alamofire, AFNetworking, and other HTTP libraries, with export capabilities for Postman and cURL.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | pmusolino/Wormholy |
| Owner | pmusolino |
| Primary language | Swift |
| License | MIT — OSI-approved |
| Stars | 2.6k |
| Forks | 212 |
| Open issues | 11 |
| Latest release | 2.4.0 (2026-03-21) |
| Last updated | 2026-05-23 |
| Source | https://github.com/pmusolino/Wormholy |
What Wormholy is
Wormholy uses URLProtocol hooking to intercept NSURLSession requests/responses, injecting itself into URLSessionConfiguration.default and URLSessionConfiguration.ephemeral. It stores traffic logs in memory (configurable limit), surfaces request/response bodies and headers, and provides filtering and statistics. Requires iOS 16.0+, Swift 5, Xcode 15+.
Get the Wormholy source
Clone the repository and explore it locally.
git clone https://github.com/pmusolino/Wormholy.gitcd Wormholy# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Install via CocoaPods with :configurations => ['Debug'] or SPM to ensure it does not ship to production builds.
- Wormholy hooks URLSessionConfiguration.default and .ephemeral automatically; use Wormholy.setEnabled(_:sessionConfiguration:) before creating URLSession for per-config control.
- Configure ignoredHosts (suffix-matched), logging limit, and default filter early in app setup to tune noise and memory usage.
- Shake gesture is enabled by default; disable via Wormholy.shakeEnabled or WORMHOLY_SHAKE_ENABLED environment variable if collisions are expected.
- Manually trigger via NotificationCenter posting 'wormholy_fire' notification for non-shake workflows (e.g., menu button activation).
When to avoid it — and what to weigh
- Production monitoring required — Wormholy is explicitly designed for debug-only builds. The README recommends removal before production release; it is not a production telemetry or APM tool.
- Background URLSession traffic — Apple does not support custom URLProtocol classes with background URLSessionConfiguration, so Wormholy cannot intercept background session traffic.
- Memory-constrained environments — In-memory traffic logging and UI rendering may impact low-end devices or apps with tight memory budgets, even with the configurable log limit.
- Enterprise security/compliance requirements — Debug-only libraries introduce build complexity and potential supply-chain considerations; organizations with strict build verification policies should review separately.
License & commercial use
MIT License—permissive, allows modification and distribution. See LICENSE file in repository for authoritative terms.
MIT is a permissive OSI-approved license permitting commercial use, but only in debug builds. Since Wormholy is explicitly design-time-only and must be removed before production, commercial viability depends on internal build practices. No usage restrictions detected in the license itself, but production inclusion would violate the project's stated intent. Recommend internal legal/compliance review if uncertain.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Wormholy stores unencrypted request/response bodies and headers in app memory during debug sessions, making it unsuitable for production use or sensitive data handling. No encryption, obfuscation, or secure deletion of logged data is mentioned. Ensure it does not remain in production builds to avoid unintended data exposure. Custom URLProtocol hooking is a standard iOS mechanism but relies on correct CocoaPods/SPM configuration to avoid shipping to App Store.
Alternatives to consider
Charles Proxy
External HTTP/HTTPS debugging proxy; more powerful for non-native traffic inspection and replay, but requires manual setup and device/network configuration outside the app.
Proxyman
Modern native iOS debugging proxy with native app integration; similar feature set to Wormholy but runs as standalone app, avoiding build-time dependencies.
Alamofire-integrated logging (custom middleware)
For Alamofire users, inline interceptor/logger middleware provides similar visibility without a separate library, but requires code changes and loses transparency for non-Alamofire traffic.
Build on Wormholy with DEV.co software developers
Integrate Wormholy into your debug builds via CocoaPods or SPM—no code changes needed. Shake your device to inspect live traffic and export to Postman.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
Wormholy FAQ
Can I use Wormholy in production?
Does Wormholy intercept background URLSession traffic?
Do I need to import Wormholy in my code?
Can I disable Wormholy for specific URLSessionConfiguration instances?
Custom software development services
Adopting Wormholy is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.
Ready to streamline iOS network debugging?
Integrate Wormholy into your debug builds via CocoaPods or SPM—no code changes needed. Shake your device to inspect live traffic and export to Postman.