Testing iOS SSL Pinning With Charles
So you have finished implementing SSL Pinning with your favorite tool (URLSession, Alamofire, AFNetworking, etc.) and you want to test it. I suggest using Charles for that.
As stated on https://www.charlesproxy.com, “Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.”
So we can think of it as a tool that acts like a man-in-the-middle attacker but is under your control.
First, we will install Charles and observe how it displays the traffic when we do not have SSL Pinning in our code.
1- Go to https://www.charlesproxy.com and download Charles.
2- Install the Charles Root Certificate into the iOS Simulator, since we will run our application in the iOS Simulator. (Do this while your favorite iOS Simulator is open.)
3- Check that the Charles Proxy CA certificate is turned on in the simulator under Settings -> General -> About -> Certificate Trust Settings.
4- Enable SSL Proxying. In Charles, go to the menu Proxy -> SSL Proxying Settings. Add a new location with host set to * and port set to *.
Now that we have set up Charles, I have a basic app that makes a request to https://jsonplaceholder.typicode.com/todos/1. Without SSL Pinning, I can trace my call in Charles when I run my application.
Next, I changed the code so that the request is made with SSL Pinning. This time Charles cannot trace the call, and that proves that my SSL Pinning works fine.
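A minimal URLSession pinning delegate of the kind this test exercises, added here as an example and not the app's actual code. It assumes iOS 15 or later (for SecTrustCopyCertificateChain), pinning on the leaf certificate, and a placeholder pin value; PinningDelegate, pinnedLeafSHA256 and fetchTodo are hypothetical names.

```swift
import Foundation
import CryptoKit
import Security

// Assumption: base64 SHA-256 of the server's leaf certificate (DER encoding).
// Placeholder only; compute it from the real certificate before use.
let pinnedLeafSHA256 = "REPLACE_WITH_BASE64_SHA256_OF_SERVER_LEAF_CERT"

final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Standard chain validation. With the Charles root trusted in the
        // simulator, this passes even while Charles is intercepting.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Pin check: the certificate Charles generates for the host hashes
        // differently from the real one, so the challenge is cancelled.
        let der = SecCertificateCopyData(leaf) as Data
        let hash = Data(SHA256.hash(data: der)).base64EncodedString()
        if hash == pinnedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Hypothetical helper: call it from the app with Charles running.
func fetchTodo() {
    let session = URLSession(configuration: .ephemeral, delegate: PinningDelegate(), delegateQueue: nil)
    let url = URL(string: "https://jsonplaceholder.typicode.com/todos/1")!
    session.dataTask(with: url) { data, _, error in
        if let error = error {
            print("Request blocked: \(error.localizedDescription)")
        } else {
            print("Response bytes: \(data?.count ?? 0)")
        }
    }.resume()
}
```

To confirm that the pin itself is correct and not just rejecting everything, run the app once with Charles closed: the same request should then succeed.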