In this episode I show how you can self-sign a certificate in Charles to inspect and modify requests & responses to an API. Using a technique called SSL Pinning, we can prevent this type of man in the middle attack and make our applications more secure.
Episode Links Episode Source Code SSL on Heroku Serverfault - How to download ssl certificate from a site - This is useful if you don't have the certificate. Note that this downloaded the cert in PEM format. Converting between x509 certificate formats Charles Proxy Setting up Charles to inspect SSL traffic In Charles, open the Proxy menu, then select Proxy Settings. On the SSL tab you can add a self-signed certificate for your API host. You may need to allow your Mac or iPhone Simulator to trust this certificate chain, to do that follow this guide. Once done, you should be able to inspect SSL traffic. Setting a breakpoint in Charles Under the Proxy menu, select Breakpoints. Add a response breakpoint for your hostname and Charles will pause before sending the response, allowing you to edit it. Enabling SSL Pinning on AFNetworking On an AFRequestOperation object, you can set the SSLPinningMode property to AFSSLPinningModePublicKey. This property is only compiled in if AFNetworking is built with _AFNETWORKING_PIN_SSL_CERTIFICATES_ defined. If you're using CocoaPods, this is already defined. Add your certificate to the bundle If you don't have your certificate, you can download it from the site using the link above. Note that this will be in PEM format (it will contain "BEGIN CERTIFICATE" / "END CERTIFICATE" lines). We'll need to convert this to DER format using the following command: openssl x509 -in cert.crt -out cert.cer -outform der We can now drag this certificate into Xcode. Why Not AFSSLPinningModeCertificate? If we use the certificate pinning mode, then we're tied to that exact certificate. When it expires, we'll have to provide a new update to the application with the updated cert. Alternatively, we could provide a mechanism for an app to download an updated SSL cert from the server, but this opens up an opportunity for a malicious person to intercept this and supply their own certificate.