I am trying to debug the Vine API using the Charles debug proxy. I have the iOS version of the Vine app running on my device and I have set a WiFi proxy.
I could debug API calls from all other applications by enabling SSL proxying. But SSL proxying is not working for Vine (api.vine.com). I tried the Twitter, Facebook and Flickr apps. I could debug the Facebook and Flickr APIs and could see the JSON response, but for Twitter this fails.
As Vine is owned by Twitter, my doubt is whether Twitter has implemented some security in their APIs or changed some protocols to ensure that the APIs cannot be debugged. If that is the case, why has Facebook not implemented the same? Their APIs can be easily debugged.
Please find screenshots attached.
Vine API
Flickr API
Facebook API
Twitter API
It seems that Twitter is using SSL pinning.
At last I found the reason. Twitter is using SSL pinning in their app to secure their APIs from man-in-the-middle attacks. There is a hint about this in their API documentation.
More information about pinning can be found here.
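
The pinning check the answers above refer to, as an added example that is not part of the original posts and not Twitter's code: the client runs normal TLS validation and then also requires the server's leaf certificate to match a fingerprint shipped with the app, which is why a debugging proxy's certificate is rejected even when its CA is trusted on the device. The names `fetch_pinned`, `pin_matches` and the sample byte strings are assumptions; this sketch pins the whole certificate, while many apps pin the public key instead.

```python
import base64
import hashlib
import socket
import ssl


def cert_pin(der_cert: bytes) -> str:
    """Base64-encoded SHA-256 fingerprint of a DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """True only if the presented certificate's fingerprint is in the pin set."""
    return cert_pin(der_cert) in pinned


def fetch_pinned(host: str, pinned: set[str], port: int = 443) -> bytes:
    """Open a TLS connection and enforce the pin on top of normal validation."""
    ctx = ssl.create_default_context()  # chain and hostname checks still apply
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if leaf is None or not pin_matches(leaf, pinned):
                # A proxy CA installed on the device passes the checks above,
                # but the leaf it mints for this host is a different
                # certificate, so the request is refused before any data is sent.
                raise ssl.SSLError("certificate pin mismatch")
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            return tls.recv(4096)


# Constructed stand-ins for DER bytes (not real certificates), so the
# comparison itself can be exercised offline.
GENUINE_LEAF = b"constructed-der:api.example.test:issued-by-public-ca"
PROXY_LEAF = b"constructed-der:api.example.test:issued-by-debug-proxy-ca"
PINS = {cert_pin(GENUINE_LEAF)}


def demo() -> dict[str, bool]:
    """Compare the genuine leaf and the proxy-issued leaf against the pin set."""
    return {
        "genuine": pin_matches(GENUINE_LEAF, PINS),
        "proxy": pin_matches(PROXY_LEAF, PINS),
    }


if __name__ == "__main__":
    print(demo())
```
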