This seems like it's going to get real hairy real quick (and I know nothing about this stuff) but it's definitely something we should look into.

I'm thinking that we could maybe provide an NSURL session subclass that uses SSL pinning. It wouldn't be the default, but it'd be part of the public API. The idea would be that you can then instantiate your API Client with the pinned session object like so:

let cert: NSData // fetch from the bundle or whatever
let session = PinnedSession(cert: cert)
let client = APIClient(session: session)