Certificate Pinning

Certificate pinning is an important security measure for mobile apps that communicate with servers over HTTPS.

What Is Certificate Pinning?

Certificate pinning is a technique used to enhance the security of applications, including mobile apps, and websites that use SSL/TLS encryption to protect communications. The purpose of certificate pinning is to protect against various types of attacks, including Man-in-the-Middle (MitM) attacks, where an attacker intercepts and alters the encrypted traffic between a mobile app and the server it communicates with. Certificate pinning is often used in mobile apps to protect sensitive data, such as login credentials, financial information, or personal data.

How Does Certificate Pinning Work?

Certificate pinning works by associating a specific SSL/TLS certificate (or its public key) with a particular domain name or IP address. When a mobile app establishes a connection with a server, it checks the server's SSL/TLS certificate to ensure that it matches the pinned certificate. Certificate pinning can be implemented on both iOS and Android.

Here's a high-level overview of how certificate pinning works in a mobile app:

  1. A certificate pin list is created when an app is ready to deploy. This list typically contains a secure hash of each pinned certificate, and each hash carries the list of domains that should be "pinned"; the list could also simply contain the certificates themselves. The app developer embeds this certificate pin list in the app code or a configuration file.
  2. When the mobile app tries to establish a secure connection with a server, the certificate pinning code checks if the server's domain is on a pin list and, if so, validates that the certificate presented by the server matches the hash value in the pin list.
  3. If the server's certificate matches the pinned certificate, the connection is established and data can be exchanged between the app and server.
  4. If the server's certificate doesn't match the pinned certificate, the connection is refused and the app can be configured to display an error message.

Certificate pinning requires careful management of the pinned certificate. If the certificate expires or is replaced for some other reason, the mobile app will need to be updated with the new pinned certificate to maintain a secure connection. No-code offerings provide a convenient way to update a mobile app with a new pinned certificate without requiring an app developer to write code.

How Can a Certificate Be Pinned in a Mobile App?

Common methods to pin a certificate in a mobile app include: 

  1. Embedding the certificate in a mobile app’s code. In this method, the app developer includes the certificate directly in the app's source code or resources. When the app establishes a connection with a server, it checks the server's SSL/TLS certificate against the embedded certificate. If the certificates match, the connection is established.
  2. Using a configuration file. Another approach is to store the pinned certificate in a configuration file that is included with the mobile app. The app reads the configuration file when it starts up and uses the pinned certificate to check the server's SSL/TLS certificate.
  3. Using a public key hash. In this method, the mobile app pins the public key of the server's SSL/TLS certificate, rather than the entire certificate. To do this, the app calculates the SHA-256 hash of the public key and stores the hash in the app code or configuration. When the app connects to the server, it checks the hash of the public key against the stored hash. If they match, the connection is established.
  4. Combining multiple methods. Some mobile apps may use a combination of the above methods to pin certificates, such as embedding the certificate in the app code and also using a public key hash.
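The following is an added example, not code from the original page or from Blue Cedar, showing the public key hash method (method 3) together with the pin-list lookup and accept/refuse decision of steps 1 to 4 above. The SPKI byte strings, the `example.com` entries and the `include_subdomains` flag are constructed stand-ins; a real app would hash the DER SubjectPublicKeyInfo that its TLS library exposes after the handshake, and would run this check in addition to ordinary chain validation.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 of a DER SubjectPublicKeyInfo, base64-encoded (the 'public key hash' pin)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-in key material (not real keys).
CURRENT_SPKI = b"constructed SPKI bytes: api.example.com current key"
BACKUP_SPKI = b"constructed SPKI bytes: api.example.com backup key"

# Step 1: the pin list shipped with the app. Keeping a backup pin for a key that is
# held offline lets the operator rotate the server key without a forced app update.
PIN_LIST = {
    "example.com": {
        "pins": {spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)},
        "include_subdomains": True,  # assumed flag, modelled on HPKP-style pin lists
    },
}


def pins_for_host(host: str):
    """Return the pin set for host: exact match first, then a parent that opts in subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PIN_LIST.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry["pins"]
    return None


def check_pins(host: str, chain_spkis: list) -> tuple:
    """Steps 2-4: decide whether the chain presented for host may be used.

    chain_spkis holds the DER SPKI of each certificate in the chain, leaf first.
    Any pin matching any certificate in the chain is sufficient, which is what
    allows the backup pin to cover a rotated leaf key.
    """
    pins = pins_for_host(host)
    if pins is None:
        return True, "host is not pinned; standard TLS validation applies"
    for spki in chain_spkis:
        if spki_pin(spki) in pins:
            return True, "pin matched"
    return False, "no certificate in the chain matches a pinned key; refuse connection"
```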

The Importance of Certificate Pinning for Mobile Apps

Certificate pinning is an important piece of a multi-layered security strategy for mobile apps because mobile devices are vulnerable to attacks due to their reliance on wireless networks and cellular data connections, which can be easily intercepted by attackers. By using certificate pinning, mobile app developers can add an extra layer of security to their apps and protect users from potential security breaches.

Certificate pinning should be a capability of a Mobile RASP (Runtime Application Self-Protection) solution as a way to defend against Man-in-the-Middle (MitM) attacks.

Blue Cedar Provides Certificate Pinning


Blue Cedar Enforce

Blue Cedar Data Protection, a capability of Blue Cedar App Security, implements certificate pinning as a way to prevent Man-in-the-Middle (MitM) attacks on mobile apps. This is one of many mobile app security features provided by Blue Cedar App Security.

Blue Cedar Enhance

Blue Cedar also provides an easy way to incorporate mobile app security into a mobile app. That is via Blue Cedar Enhance, Blue Cedar’s no-code integration service that adds new functionality to mobile apps without requiring a single line of code to be written. Blue Cedar Enhance integrates mobile app security into iOS and Android mobile app binaries, regardless of the libraries and frameworks that underpin these app binaries.

The Blue Cedar Platform

Blue Cedar Mobile App Security and Blue Cedar Enhance are delivered by the Blue Cedar Platform, a CI/CD friendly SaaS solution that also provides deployment services, such as app import and code signing, to streamline delivery of secured mobile apps.