Certificate pinning protects mobile app traffic against man-in-the-middle (MITM) attacks. TLS on its own is not enough: an attacker who can get a custom certificate authority installed on the device can issue a certificate for your domain that the device accepts, and then intercept and modify the traffic. Pinning specifies exactly which certificate(s) or public key(s) the app will trust for a given domain, regardless of what the device's CA store says.
Problem it solves
By default, Android and iOS accept any server certificate that chains to a CA in the device's trust store. Apps targeting Android API levels below 24 (before 7.0, Nougat) also trust user-installed CAs by default; from API 24 on, the default network security configuration excludes the user store unless the app opts back in. Malicious apps or Wi-Fi captive portals can prompt users to install a rogue CA, and a user who taps through enables interception of every app that trusts the user store.
Certificate vs public key pinning
- Certificate pinning: pin to a specific certificate, typically by hashing its full DER encoding. Simplest to set up, but every renewal changes the hash, so each renewal needs an app update shipped and installed before the old certificate expires.
- Public key pinning: pin to the public key contained in the certificate (its SubjectPublicKeyInfo), usually as a SHA-256 hash of the DER-encoded SPKI. Survives certificate renewal as long as the same key pair is reused, which makes it more operationally flexible. You can pin the leaf's key, or an intermediate or root CA's key so that leaf rotation with a fresh key also survives, at the cost of trusting everything that CA issues for the domain.
Caution
A wrong or stale pin effectively bricks the app: every connection to the pinned host fails, and only an app update can fix it. Always pin at least one backup key (generate it in advance and keep the private key offline), give the pin set an expiry so an old build falls back to normal CA validation instead of failing closed forever, test thoroughly on real devices, and have a rollback plan.
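As an added example, not code from this page or from any particular pinning library, the following Go program computes both pin types for constructed self-signed test certificates and runs a pin check with a live pin plus a backup pin, covering the certificate-vs-public-key comparison above and the backup-pin advice in the caution. The SPKI pin it produces is the same base64(SHA-256(SPKI)) value that Android's network security config and OkHttp's CertificatePinner consume; the key pairs, serial numbers and validity period are constructed for the demo, and the pin check is shaped like Go's tls.Config.VerifyPeerCertificate callback rather than any mobile platform API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func pin(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// SPKIPin is the pin format used by Android's network security config and OkHttp's
// CertificatePinner: base64(SHA-256(DER SubjectPublicKeyInfo)). Only the public key
// is hashed, so a renewed certificate that reuses the key pair yields the same pin.
func SPKIPin(c *x509.Certificate) string { return pin(c.RawSubjectPublicKeyInfo) }

// CertPin hashes the whole DER certificate instead; it changes on every renewal.
func CertPin(c *x509.Certificate) string { return pin(c.Raw) }

// PinSet is the set of accepted SPKI pins. Keep at least two: the live key and a
// backup key generated in advance, with its private half stored offline.
type PinSet map[string]bool

// VerifyPins accepts a presented chain if any certificate in it carries a pinned
// public key. It has the tls.Config.VerifyPeerCertificate signature and runs after
// normal chain validation, so it can only narrow trust, never widen it.
func (p PinSet) VerifyPins(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if p[SPKIPin(cert)] {
			return nil
		}
	}
	return errors.New("pinning failure: no pinned public key in presented chain")
}

// newKey and certFor are constructed demo fixtures (validity period is assumed)
// standing in for a real server key and certificate; they panic on error.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func certFor(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Outcome records how each scenario from the text fares against the pin set.
type Outcome struct {
	RenewedAccepted       bool // same key pair, new certificate: passes with no app update
	RenewalChangesCertPin bool // a whole-certificate pin would have broken on that renewal
	BackupAccepted        bool // certificate for the pre-generated backup key passes too
	RogueRejected         bool // certificate for an unpinned key (rogue CA case) fails
}

// Demo ships an app with two pins (live + backup) and checks what a server may present.
func Demo() Outcome {
	liveKey, backupKey, rogueKey := newKey(), newKey(), newKey()
	live, renewed := certFor(liveKey, 1), certFor(liveKey, 2) // renewal reuses the key
	backup, rogue := certFor(backupKey, 3), certFor(rogueKey, 4)
	pins := PinSet{SPKIPin(live): true, SPKIPin(backup): true}
	return Outcome{
		RenewedAccepted:       pins.VerifyPins([][]byte{renewed.Raw}, nil) == nil,
		RenewalChangesCertPin: CertPin(live) != CertPin(renewed),
		BackupAccepted:        pins.VerifyPins([][]byte{backup.Raw}, nil) == nil,
		RogueRejected:         pins.VerifyPins([][]byte{rogue.Raw}, nil) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

In a real Go client you would assign pins.VerifyPins to the VerifyPeerCertificate field of the client tls.Config; on Android the same base64 SPKI hashes go into <pin digest="SHA-256"> entries of the pin-set in network_security_config.xml, one for the live key and one for the backup. Rogue CAs installed on the device never enter the picture because the check looks only at the public keys in the presented chain.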
Status
Reference article. Implementation patterns documented in the blog post.