Testing iOS SSL Pinning With Charles

So you have finished implementing SSL Pinning with your favorite tool (URLSession, AlamoFire, AFNetworking, etc…) and you want to test it. I would suggest using Charles for that.

As stated at https://www.charlesproxy.com, “Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.”

So we can think of it as a man-in-the-middle that is under your own control.

First, we will install Charles and observe how it displays the traffic when we do not have SSL Pinning in our code.

1- Go to https://www.charlesproxy.com and download Charles.

2- Install the Charles Root Certificate into the iOS Simulator, since we will run our application in the iOS Simulator. (Do this while your favorite iOS Simulator is open.)

Install Certificate into iOS Simulator

3- Check that the Charles Proxy CA certificate is turned on in the simulator under Settings -> General -> About -> Certificate Trust Settings.

Turning on certificate

4- Enable SSL Proxying. In Charles, go to the menu Proxy -> SSL Proxying Settings. Add a new location with host set to * and port set to *, as shown below:

Enable SSL Proxying

Now that we have set up Charles, I have a basic app which makes a request to https://jsonplaceholder.typicode.com/todos/1. Without SSL Pinning, I can trace my call in Charles when I run my application:

Tracing the request

Next, I changed the code so that the request is made with SSL Pinning. This time Charles cannot trace the call, and that proves that my SSL Pinning works fine.
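As an added example (not the article's own code), here is the kind of URLSession pinning delegate that produces the behaviour described above: it accepts the connection only when the SHA-256 of the presented leaf certificate matches a pinned value, so the certificate Charles generates on the fly is rejected even though the simulator trusts the Charles CA. The class name and the `<pinned-leaf-sha256-hex>` placeholder are mine; the real hash must be computed from the server's actual certificate.

```swift
import Foundation
import CryptoKit
import Security

/// Pins the leaf certificate by the SHA-256 of its DER encoding.
/// Hypothetical helper written for this example, not taken from the article.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHashes: Set<String>

    init(pinnedHashes: Set<String>) { self.pinnedHashes = pinnedHashes }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Ordinary chain validation. With the Charles CA installed and trusted in the
        //    simulator, this step PASSES for the Charles-generated certificate, which is
        //    exactly why pinning is needed on top of it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Compare the presented leaf certificate against the pinned hash (iOS 15+ API).
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let hash = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if pinnedHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Charles presents a certificate it signed itself: no match, so fail closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Placeholder pin: replace with the hex SHA-256 of the real leaf certificate's DER bytes.
let delegate = PinningDelegate(pinnedHashes: ["<pinned-leaf-sha256-hex>"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
session.dataTask(with: URL(string: "https://jsonplaceholder.typicode.com/todos/1")!) { data, _, error in
    // With Charles SSL Proxying enabled, `error` is set and `data` is nil: nothing appears in Charles.
}.resume()
```

Pinning the leaf means the pin must be updated whenever the server rotates its certificate; pinning an intermediate or the public key instead trades that maintenance cost for a slightly broader trust set.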
