Hacker News
by planb 5325 days ago
I have read that, but they used tcpdump only to detect what kind of traffic Siri sends after failing to use a normal HTTP proxy. Setting up a custom SSL certification authority is exactly what sshmitm does - but it does not (yet) support transparent proxying. Somehow they have redirected traffic for guzzoni.apple.com to a fake server that acts as a man in the middle (probably simply by using their own DNS), but what I wanted to know is what software they used to fake that server.
3 comments

Not sure what they used, but this software should be suitable:

http://www.thoughtcrime.org/software/sslsniff/

They did mention using their own DNS: "In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are."
It's possible to do transparent proxying using iptables on Linux. Also, as ahlatimer mentioned, pointing the phone at your local DNS server and adding records for all the relevant domains would work, too.
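The fake-HTTPS-server plus fake-DNS setup the thread describes only works because the client trusts whatever certificate the interposed server presents (after a custom CA has been installed or CA validation is weak). The client-side control that defeats it is public-key pinning: after the normal CA check, the app hashes the server certificate's SubjectPublicKeyInfo and refuses to talk unless the hash matches a value baked into the app. The following is an added example, not code from this thread or from any of the tools it mentions; it uses only the Python standard library, includes a minimal DER walker to pull the SPKI out of a certificate, and builds a constructed, unsigned X.509-shaped blob purely so the check can be demonstrated offline. `check_live_host` is the real-world entry point and assumes network access; the pin values and the `genuine-key`/`mitm-key` byte strings are constructed placeholders.

```python
"""SPKI pinning: the client-side countermeasure to a fake-CA / fake-DNS HTTPS
interposer. Added example; the certificate blobs built here are constructed
placeholders, not real certificates."""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]. Returns (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a SEQUENCE body into (tag, full_tlv_bytes) pairs, one level deep."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _read_tlv(value, pos)
        out.append((tag, value[pos:end]))   # keep the complete encoding for hashing
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # explicit [0] version tag present
        fields = fields[1:]
    # after the optional version: serial, signature, issuer, validity, subject, spki
    return fields[5][1]


def spki_pin(cert_der):
    """HPKP-style pin string: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def certificate_is_pinned(cert_der, expected_pins):
    """True only if the presented certificate's key matches a pin shipped with the app."""
    return spki_pin(cert_der) in set(expected_pins)


def check_live_host(host, expected_pins, port=443, timeout=5):
    """Do normal CA validation, then enforce the pin on top. A certificate minted
    by an attacker-installed CA passes the first check and fails the second."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
    return certificate_is_pinned(leaf_der, expected_pins)


# --- constructed test fixtures (not real certificates) ----------------------

def _der(tag, content):
    """Encode one TLV with a correct short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_fake_cert(spki_der, with_version=True):
    """Build an unsigned, X.509-shaped blob around the given SPKI so the
    pin check can be exercised offline. Constructed; never trust it."""
    parts = []
    if with_version:
        parts.append(_der(0xA0, _der(0x02, b"\x02")))   # [0] version v3
    parts += [
        _der(0x02, b"\x01"),   # serialNumber
        _der(0x30, b""),       # signature AlgorithmIdentifier (empty placeholder)
        _der(0x30, b""),       # issuer (empty placeholder)
        _der(0x30, b""),       # validity (empty placeholder)
        _der(0x30, b""),       # subject (empty placeholder)
        spki_der,              # subjectPublicKeyInfo
    ]
    tbs = _der(0x30, b"".join(parts))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    genuine = make_fake_cert(_der(0x30, b"genuine-key"))
    pin = spki_pin(genuine)
    interposer = make_fake_cert(_der(0x30, b"mitm-key"))
    print("genuine accepted:", certificate_is_pinned(genuine, {pin}))
    print("interposer accepted:", certificate_is_pinned(interposer, {pin}))
```

The point of pinning the SPKI rather than the whole certificate is that a legitimate re-issue with the same key still passes, while a certificate for the same hostname signed by a different (attacker-controlled) CA does not, regardless of what the device's trust store says. Apps that pin this way are exactly the ones the fake-server approach in the thread cannot observe.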