Certificate pinning is a security mechanism that hardcodes or embeds the expected TLS certificate, public key, or certificate authority for a specific host into an application. Instead of trusting any certificate signed by any trusted certificate authority, the application only accepts the specific certificate it has been configured to expect. This prevents attackers from intercepting traffic using fraudulent certificates, even if they have compromised a certificate authority.
How It Works
In standard TLS verification, a client trusts any certificate signed by a certificate authority (CA) in its trust store, which typically contains dozens of root CAs. If any of these CAs is compromised or issues a certificate fraudulently, an attacker can perform a man-in-the-middle attack with a valid-looking certificate. Certificate pinning eliminates this risk by restricting which certificates the application accepts.
There are several approaches to pinning. Certificate pinning stores the entire certificate and checks it against the server's certificate on each connection. Public key pinning stores only the public key, which remains constant even when the certificate is renewed. CA pinning restricts trust to a specific certificate authority rather than the entire trust store.
Mobile applications commonly implement certificate pinning to protect API communications. The expected certificate or public key is embedded in the application binary, and the networking code verifies each connection against this pin before transmitting data. If the server presents a different certificate, the connection is rejected. This protects against network-level interception even on compromised networks where an attacker controls the gateway.
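The public key pinning variant described above, as an added example that is not code from the original article: it extracts the SubjectPublicKeyInfo from a DER certificate, hashes it to a pin, and refuses the connection when the pin is not in the embedded set, before any request is sent. The sample certificate is a constructed stand-in with placeholder fields, and `pinned_connect` is a hypothetical helper, not a library API.

```python
import base64
import hashlib
import socket
import ssl

def tlv(der, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo (header included) of a DER X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)                # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)              # tbsCertificate SEQUENCE
    tag, _, nxt = tlv(cert_der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version (absent in v1 certs)
        pos = nxt
    for _ in range(5):                          # serialNumber, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    return cert_der[pos:tlv(cert_der, pos)[2]]

def spki_pin(cert_der):  # base64(SHA-256(SPKI)): unchanged by renewals that keep the key pair
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pinned_connect(host, port, pins):
    """Hypothetical client helper: standard chain validation, then the pin check, before any request."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        if spki_pin(tls.getpeercert(binary_form=True)) not in pins:
            raise ssl.SSLError("public key pin mismatch for " + host)
        return tls.version()

def der_encode(tag, content):  # encode one DER TLV (content up to 65535 bytes)
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content

# Constructed stand-in for a server certificate: X.509 field order, placeholder contents, no real signature.
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + der_encode(0x05, b""))
                         + der_encode(0x03, b"\x00" + bytes(270)))

def sample_cert(spki, v3=True):
    version = der_encode(0xA0, der_encode(0x02, b"\x02")) if v3 else b""
    tbs = version + der_encode(0x02, b"\x01") + der_encode(0x30, b"") * 4 + spki
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

PINS = {spki_pin(sample_cert(SAMPLE_SPKI)), "BACKUP-PIN-PLACEHOLDER"}  # always ship a backup pin for key rotation
```

The pin set deliberately holds a second entry: without a backup pin for the next key pair, a routine key rotation locks every installed client out of the API.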
Why It Matters
Certificate pinning adds a strong layer of defense against man-in-the-middle attacks, particularly for mobile applications communicating with backend APIs. However, during security assessments, pinning must be bypassed to inspect traffic and test the API for vulnerabilities. The presence of certificate pinning indicates security awareness, but it should not be the only defense; the underlying API must still implement proper authentication, authorization, and input validation.