DEV.co
Open-Source Observability · pmusolino

Wormholy

Wormholy is an iOS network debugging library that intercepts and displays all NSURLSession traffic via a shake-gesture interface. It requires no code imports and works transparently with Alamofire, AFNetworking, and other HTTP libraries, with export capabilities for Postman and cURL.

Source: GitHub — github.com/pmusolino/Wormholy
2.6k
GitHub stars
212
Forks
Swift
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypmusolino/Wormholy
Ownerpmusolino
Primary languageSwift
LicenseMIT — OSI-approved
Stars2.6k
Forks212
Open issues11
Latest release2.4.0 (2026-03-21)
Last updated2026-05-23
Sourcehttps://github.com/pmusolino/Wormholy

What Wormholy is

Wormholy uses URLProtocol hooking to intercept NSURLSession requests/responses, injecting itself into URLSessionConfiguration.default and URLSessionConfiguration.ephemeral. It stores traffic logs in memory (configurable limit), surfaces request/response bodies and headers, and provides filtering and statistics. Requires iOS 16.0+, Swift 5, Xcode 15+.

Quickstart

Get the Wormholy source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/pmusolino/Wormholy.gitcd Wormholy# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Development-phase API debugging

Quickly identify request/response mismatches, header issues, and status code errors without adding logging code to your app. Shake to inspect traffic in real-time.

Third-party HTTP library validation

Confirm that Alamofire, AFNetworking, and other abstracted HTTP calls are behaving as expected without modifying their configuration.

HTTPS certificate and SSL troubleshooting

Debug SSL certificate validation issues and inspect encrypted payloads without external proxy tools.

Implementation considerations

  • Install via CocoaPods with :configurations => ['Debug'] or SPM to ensure it does not ship to production builds.
  • Wormholy hooks URLSessionConfiguration.default and .ephemeral automatically; use Wormholy.setEnabled(_:sessionConfiguration:) before creating URLSession for per-config control.
  • Configure ignoredHosts (suffix-matched), logging limit, and default filter early in app setup to tune noise and memory usage.
  • Shake gesture is enabled by default; disable via Wormholy.shakeEnabled or WORMHOLY_SHAKE_ENABLED environment variable if collisions are expected.
  • Manually trigger via NotificationCenter posting 'wormholy_fire' notification for non-shake workflows (e.g., menu button activation).

When to avoid it — and what to weigh

  • Production monitoring required — Wormholy is explicitly designed for debug-only builds. The README recommends removal before production release; it is not a production telemetry or APM tool.
  • Background URLSession traffic — Apple does not support custom URLProtocol classes with background URLSessionConfiguration, so Wormholy cannot intercept background session traffic.
  • Memory-constrained environments — In-memory traffic logging and UI rendering may impact low-end devices or apps with tight memory budgets, even with the configurable log limit.
  • Enterprise security/compliance requirements — Debug-only libraries introduce build complexity and potential supply-chain considerations; organizations with strict build verification policies should review separately.

License & commercial use

MIT License—permissive, allows modification and distribution. See LICENSE file in repository for authoritative terms.

MIT is a permissive OSI-approved license permitting commercial use, but only in debug builds. Since Wormholy is explicitly design-time-only and must be removed before production, commercial viability depends on internal build practices. No usage restrictions detected in the license itself, but production inclusion would violate the project's stated intent. Recommend internal legal/compliance review if uncertain.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Wormholy stores unencrypted request/response bodies and headers in app memory during debug sessions, making it unsuitable for production use or sensitive data handling. No encryption, obfuscation, or secure deletion of logged data is mentioned. Ensure it does not remain in production builds to avoid unintended data exposure. Custom URLProtocol hooking is a standard iOS mechanism but relies on correct CocoaPods/SPM configuration to avoid shipping to App Store.

Alternatives to consider

Charles Proxy

External HTTP/HTTPS debugging proxy; more powerful for non-native traffic inspection and replay, but requires manual setup and device/network configuration outside the app.

Proxyman

Modern native iOS debugging proxy with native app integration; similar feature set to Wormholy but runs as standalone app, avoiding build-time dependencies.

Alamofire-integrated logging (custom middleware)

For Alamofire users, inline interceptor/logger middleware provides similar visibility without a separate library, but requires code changes and loses transparency for non-Alamofire traffic.

Software development agency

Build on Wormholy with DEV.co software developers

Integrate Wormholy into your debug builds via CocoaPods or SPM—no code changes needed. Shake your device to inspect live traffic and export to Postman.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

Wormholy FAQ

Can I use Wormholy in production?
No. The README explicitly recommends removing it before sending apps to production. It is a debug-only tool; shipping it may expose sensitive request/response data and violate App Store policies.
Does Wormholy intercept background URLSession traffic?
No. Apple does not permit custom URLProtocol classes in background URLSessionConfiguration. Only foreground and default/ephemeral sessions are supported.
Do I need to import Wormholy in my code?
No. When installed via CocoaPods or SPM, Wormholy is automatically injected. Manual imports are not required, reducing boilerplate.
Can I disable Wormholy for specific URLSessionConfiguration instances?
Yes. Use Wormholy.setEnabled(_:sessionConfiguration:) before creating the URLSession to opt out of tracking for particular configs, or set a default via Wormholy.setEnabled(_:) globally.

Custom software development services

Adopting Wormholy is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.

Ready to streamline iOS network debugging?

Integrate Wormholy into your debug builds via CocoaPods or SPM—no code changes needed. Shake your device to inspect live traffic and export to Postman.