Setting up Charles to inspect SSL traffic
In Charles, open the Proxy menu, then select Proxy Settings. On the SSL tab you can add a self-signed certificate for your API host. You may need to allow your Mac or iPhone Simulator to trust this certificate chain, to do that follow this guide.
Once done, you should be able to inspect SSL traffic.
Setting a breakpoint in Charles
Under the Proxy menu, select Breakpoints. Add a response breakpoint for your hostname and Charles will pause before sending the response, allowing you to edit it.
Enabling SSL Pinning on AFNetworking
AFRequestOperation object, you can set the
SSLPinningMode property to
AFSSLPinningModePublicKey. This property is only compiled in if AFNetworking is built with
_AFNETWORKING_PIN_SSL_CERTIFICATES_ defined. If you're using CocoaPods, this is already defined.
Add your certificate to the bundle
If you don't have your certificate, you can download it from the site using the link above. Note that this will be in PEM format (it will contain "BEGIN CERTIFICATE" / "END CERTIFICATE" lines). We'll need to convert this to DER format using the following command:
openssl x509 -in cert.crt -out cert.cer -outform der
We can now drag this certificate into Xcode.
Why Not AFSSLPinningModeCertificate?
If we use the certificate pinning mode, then we're tied to that exact certificate. When it expires, we'll have to provide a new update to the application with the updated cert. Alternatively, we could provide a mechanism for an app to download an updated SSL cert from the server, but this opens up an opportunity for a malicious person to intercept this and supply their own certificate.