jeroenhd 6 hours ago
> Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert?

iOS still trusts user-installed certs by default, unlike Android's opt-in model. However, this only applies to apps using the OS TLS stack. Apps packaging their own OpenSSL may use their own set of certificate authorities.

Also, most big apps use certificate pinning for most of their domains. Apps from Twitter or Facebook probably won't work due to pinning. Quick and dirty could-have-been-a-single-web-page apps, such as this one, usually won't bother with any of that, and neither do many tracking libraries.

Of course, malicious apps can detect when someone is using an altered certificate and choose not to send traffic until the MitM is over.