Certificate Pinning
Certificate pinning is a security technique that binds a mobile application to a specific X.509 certificate or public key, so that the application rejects TLS connections to any server presenting a different credential, even one signed by a certificate authority the device trusts.
Certificate pinning strengthens the standard TLS trust model by restricting which certificates a mobile application will accept when communicating with its backend servers. Without pinning, any certificate chaining to one of the device's trust anchors is accepted, so an attacker who compromises or coerces a certificate authority, exploits a mis-issuance, or installs a rogue root certificate on the device can intercept encrypted traffic through a man-in-the-middle proxy. (Since Android 7.0, apps ignore user-installed CAs by default unless they opt in, so on current Android the main threat pinning addresses is a mis-issued or attacker-controlled CA certificate rather than a user-added root.)
There are two primary approaches to pinning. Public key pinning embeds the hash of the server's public key (in practice the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo) in the application binary; because the pin depends only on the key pair, it survives certificate renewals as long as the server keeps the same key. Certificate pinning embeds the full certificate or its hash, offering a tighter binding but requiring an application update every time the certificate rotates. Either kind of pin can target the leaf certificate, an intermediate CA, or a root: pinning a leaf gives the strongest guarantee, while pinning an intermediate or root leaves room to rotate leaf keys at the cost of trusting everything that CA issues.
Implementing pinning correctly requires planning for key rotation, backup pins, and failure modes. A pin set that no longer matches what the server presents, for example after an emergency certificate reissue with a fresh key, locks users out of the application until a new build ships. Developers should include at least one backup pin for a key pair generated in advance and kept offline, set an expiration on the pin set so a stale build degrades to ordinary CA validation instead of an outage, and use a reporting mechanism to detect pinning failures in production. On Android, Network Security Configuration provides a declarative way to define pins in an XML resource referenced from the manifest; on iOS, developers can declare pins under NSPinnedDomains in Info.plist (iOS 14 and later), validate the chain inside the URLSession authentication-challenge delegate callback, or use third-party libraries such as TrustKit.
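The two paragraphs above describe the pin format and the rotation, backup and expiration rules in prose. The following added example, which is not code from the original page or from any of the libraries mentioned, shows them working together: it computes SPKI pins, applies the "any certificate in the chain may match" rule used by Android Network Security Configuration and HPKP, honours a pin-set expiration (fail-open), and renders the resulting Android XML. The hostname api.example.com and the Ed25519 key bytes are constructed for the demonstration; a real deployment takes the current key from the server certificate and the backup key from an offline-generated key pair.

```python
"""Public-key pinning helpers: compute SPKI pins, match them against a validated
chain, and emit an Android Network Security Configuration.
Added example; assumptions are marked inline."""
import base64
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Set
from xml.sax.saxutils import escape

# DER prefix of a SubjectPublicKeyInfo carrying an Ed25519 key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0 unused bits, 32-byte key } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key into DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER SubjectPublicKeyInfo)).

    This is the format Android NSC, HPKP and TrustKit use. It depends only on
    the key pair, so a renewal that reuses the key leaves the pin unchanged."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    domain: str
    pins: Set[str]                      # base64 SHA-256 SPKI pins, current + backup
    include_subdomains: bool = True
    expiration: Optional[date] = None   # after this date the pins are not enforced


def chain_matches(pinset: PinSet, chain_spkis: Iterable[bytes], today: date) -> bool:
    """Decide whether a chain that already passed normal CA validation is acceptable.

    Android/HPKP rule: accept if ANY certificate in the chain (leaf, intermediate
    or root) carries a pinned key. An expired pin set is ignored (fail-open),
    mirroring the NSC `expiration` attribute, so a forgotten app update degrades
    to ordinary CA validation instead of a total outage."""
    if pinset.expiration is not None and today > pinset.expiration:
        return True
    return any(spki_pin(spki) in pinset.pins for spki in chain_spkis)


def network_security_config(pinset: PinSet) -> str:
    """Render the pin set as res/xml/network_security_config.xml."""
    subdomains = "true" if pinset.include_subdomains else "false"
    expiry = f' expiration="{pinset.expiration.isoformat()}"' if pinset.expiration else ""
    lines = [
        '<?xml version="1.0" encoding="utf-8"?>',
        "<network-security-config>",
        "    <domain-config>",
        f'        <domain includeSubdomains="{subdomains}">{escape(pinset.domain)}</domain>',
        f"        <pin-set{expiry}>",
    ]
    for pin in sorted(pinset.pins):
        lines.append(f'            <pin digest="SHA-256">{pin}</pin>')
    lines += ["        </pin-set>", "    </domain-config>", "</network-security-config>"]
    return "\n".join(lines)


# Constructed sample keys (not real keys); byte patterns chosen only to be distinct.
CURRENT_KEY = bytes(range(0, 32))        # key in the server's current certificate
BACKUP_KEY = bytes(range(32, 64))        # offline backup key pair, pinned in advance
INTERMEDIATE_KEY = bytes(range(64, 96))  # issuing CA's key
ROGUE_KEY = bytes(range(96, 128))        # key in a MITM proxy's certificate


def demo() -> dict:
    """Walk through the normal, intercepted, rotated and expired cases."""
    pinset = PinSet(
        "api.example.com",  # assumed hostname
        {spki_pin(ed25519_spki(CURRENT_KEY)), spki_pin(ed25519_spki(BACKUP_KEY))},
        expiration=date(2026, 12, 31),
    )
    today = date(2025, 6, 1)
    legit = [ed25519_spki(CURRENT_KEY), ed25519_spki(INTERMEDIATE_KEY)]
    mitm = [ed25519_spki(ROGUE_KEY), ed25519_spki(INTERMEDIATE_KEY)]
    rotated = [ed25519_spki(BACKUP_KEY), ed25519_spki(INTERMEDIATE_KEY)]
    return {
        "legit": chain_matches(pinset, legit, today),                           # True
        "mitm": chain_matches(pinset, mitm, today),                             # False
        "rotated": chain_matches(pinset, rotated, today),                       # True
        "mitm_after_expiry": chain_matches(pinset, mitm, date(2027, 1, 1)),     # True (fail-open)
    }


if __name__ == "__main__":
    print(demo())
    print(network_security_config(PinSet("api.example.com", {spki_pin(ed25519_spki(CURRENT_KEY))})))
```

For a real server the same pin value comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The "mitm_after_expiry" case is the deliberate trade-off: past the expiration date the proxy's certificate is accepted again, which is why the expiry should be set a little beyond the planned certificate lifetime and the app updated before it arrives.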
Attackers and security testers frequently bypass pinning with runtime hooking tools such as Frida and Objection, which patch the pin check inside the running process rather than attacking the TLS connection. Pinning defends the network path; it cannot defend against someone who controls the device and the app binary. Security teams should therefore combine pinning with root and jailbreak detection, code obfuscation, and runtime integrity checks to raise the cost of interception, while recognising that these measures delay rather than prevent a determined analyst.