How do you check for certificate pinning with Alamofire?

So, I followed Alamofire's README instructions regarding their new server trust policy. I received the certificate from the server, added it to my project, and implemented the following code in my project:

    import Alamofire

    // Pin the certificates bundled with the app for this one host.
    // Policies are keyed by host name.
    let serverTrustPolicies: [String: ServerTrustPolicy] = [
        "someserver.withvalidcer.com": .PinCertificates(
            certificates: ServerTrustPolicy.certificatesInBundle(),
            validateCertificateChain: true,
            validateHost: true
        )
    ]

    // Session manager that applies the policies above.
    let manager = Manager(
        configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )

My question is, how can I check this?

I tried changing my base API URL to our test server, which has a different valid certificate, but the API calls are not rejected. And I have verified that the code works for the required API calls.

+3




1 answer


Great question!

I would recommend using some kind of proxy software to try to get in the middle of the API calls (Charles Proxy, Burp, etc.). When pinning is enabled, all network requests should fail because the proxy software will serve the wrong certificate. Then, if you disable certificate pinning, the service calls should work correctly through the proxy.

Another way would be to temporarily change the certificate on the server; you should see that the web services are down as well.

+2
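
An added example (not from the question or the answer), written against the Alamofire 3.x API used in the question: it checks that certificates were actually loaded from the bundle, that a policy is registered for the host being called, and how a request to that host is handled. `ServerTrustPolicyManager` looks policies up by host name, so a host with no entry gets the system's default evaluation instead of the pinned one. The host `test.example.com` and the helper names `policyApplies` and `probe` are assumptions made for illustration.

```swift
import Foundation
import Alamofire

// Constructed sample hosts: the first is the pinned host from the question,
// the second is a hypothetical test server with no policy entry.
let pinnedHost = "someserver.withvalidcer.com"
let testHost = "test.example.com"

// Certificates found in the main bundle. An empty array means the .cer file
// is not part of the app target or is not DER encoded.
let pinnedCertificates = ServerTrustPolicy.certificatesInBundle()

let policyManager = ServerTrustPolicyManager(policies: [
    pinnedHost: .PinCertificates(
        certificates: pinnedCertificates,
        validateCertificateChain: true,
        validateHost: true
    )
])

// Keep a strong reference to the manager while requests are in flight.
let manager = Manager(
    configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
    serverTrustPolicyManager: policyManager
)

// True when a trust policy is registered for exactly this host name.
func policyApplies(host: String) -> Bool {
    return policyManager.serverTrustPolicyForHost(host) != nil
}

// Sends one GET and reports how the connection was handled. Alamofire cancels
// the authentication challenge when a policy rejects the server, which
// surfaces as NSURLErrorCancelled.
func probe(URLString: String, completion: String -> Void) {
    manager.request(.GET, URLString).response { _, response, _, error in
        if let error = error where error.code == NSURLErrorCancelled {
            completion("cancelled: server trust evaluation failed")
        } else if let error = error {
            completion("failed for another reason: \(error.localizedDescription)")
        } else {
            completion("accepted, HTTP \(response?.statusCode ?? 0)")
        }
    }
}

print("bundled certificates: \(pinnedCertificates.count)")
print("\(pinnedHost) has policy: \(policyApplies(pinnedHost))")
print("\(testHost) has policy: \(policyApplies(testHost))")
probe("https://\(pinnedHost)/") { print($0) }
```

Run this inside the app (for example from a debug build) so the asynchronous response has time to arrive; with a proxy such as Charles or Burp in the path, the pinned host should report a cancelled request.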

