Debunking Myths and Best Practices for MitM Protection in Mobile Apps

To protect against Man-in-the-Middle (MitM) attacks in mobile, you need robust end-to-end security that includes certificate pinning as part of a broader solution which eliminates on-device threats and allows fast and easy pin rotation. See this blog for a short overview of the MitM issue in mobile. 

There are however some myths out there about how to best address MitM so this blog addresses those directly and lays out the steps to achieving the “best” protection for your apps. 

Myth Number 1: The MitM Problem Is Solved Because You Use TLS

Developers often say “We use HTTPS for all API traffic, so we’re safe from MitM attacks.”

Unfortunately, that’s a myth: TLS can be bypassed: 

• Attackers can use rooted/jailbroken devices or emulators to disable certificate checks.
  
  
• Proxy tools (e.g., Burp Suite, mitmproxy) can intercept API traffic with forged certificates.

MITM on mobile is still a top attack vector, whether or not you use TLS —just ask any security tester.

Myth Number 2: Using Pinning is Not Recommended

Many developers believe pinning should be avoided because “Google and Apple don’t recommend it.” But this is a misunderstanding—what they caution against is static certificate pinning implemented poorly.

It is true that Google’s Android documentation highlights risks with hardcoded pins: 

“Pinning can cause apps to break when certificates are rotated or reissued.”
(Source: Android Network Security Config) and Apple also notes: “Pinning can interfere with your ability to update server certificates.” (Source: Apple Security Best Practices)

However these warnings are not against pinning itself, but against:

• Failing to update pins with cert rotations.
  
  
• Embedding pins directly in the app binary where they are hard to maintain and easy to extract.

So it is important not to be confused. Pinning is highly effective, if done properly. The OWASP Mobile Security Testing Guide (MSTG) explicitly recommends certificate pinning as part of defense-in-depth:  “Certificate pinning protects mobile apps against MitM attacks in cases where the attacker can compromise a root CA or install their own CA certificate on a device.” See also this OWASP Cheatsheet on pinning.  

The issue isn’t pinning—it’s static pinning and the operational headaches that come with it when cert and pin rotation requires app updates. 

Myth Number 3: Even if On-Device MitM is Possible its Not a Big Problem, Since Its Limited to that Device

Since installing tools like Burp Suite or mitmproxy is only possible if you have access to that individual device, the impact is limited? Right? Wrong! This is also a myth: On-Device MitM Enables API Abuse at Scale: 

• Attackers use on-device MITM not just to spy on their own data, but to reverse Engineer API traffic using tools like mitmproxy, Burp Suite, or Charles Proxy,  allowing an attacker to inspect every request and response, and expose API endpoints, request formats, authentication tokens, and parameter structures. By doing this, attackers can easily script API interactions outside your app.
• Attackers can also Build Bots & Emulator Farms. Once APIs are understood, attackers scale abuse by automating requests to execute attacks on your API: credential stuffing (login API abuse), data scraping (pricing, inventory, user info) and other bulk operations (e.g., ticket purchases, coupon abuse).
• Attackers also use MitM to harvest API Keys & Secrets. These can include API keys/tokens intercepted during on-device MitM. Attackers replay or embed these secrets in fake clients. Your API now serves malicious scripts and fake apps, not legitimate mobile clients.

This extends far beyond the single device. Your API is always the final target for attackers,  not an individual user or device.

The Good, Better, Best of MitM Prevention

So that brings us to the Good, Better, Best of MitM protection. Except we also added a “Terrible” which we discussed briefly first!

Summary Table

Terrible: “Just Use TLS” 

We already discussed the “HTTPS is enough” myth. TLS uses the OS trust store. If a malicious or user-installed CA exists, forged certs will validate. Also, attackers can intercept traffic on compromised devices, and common tools like Burp Suite make this trivial.

“TLS alone is like locking your door but leaving the key under the mat.”

Good: Static Certificate Pinning

For this, you employ certificate pinning but you hardcode your API server’s public key or cert fingerprint in the app. You can even use Approov’ s free pin generation tool to immediately create pins for your domain. 

Pros

• Blocks MitM even with a forged certificate.
• Simple for small apps and infrequently rotated certs.

Cons

• API requests fail if the cert doesn’t match.
• Cert rotation = broken app unless redeployed.
• Pins are in the binary → attackers can extract or patch them.
• Adds maintenance burden.

Better: Dynamic Certificate Pinning 

Unlike static pinning, where the server's certificate or public key is hard-coded into the app during development, dynamic pinning allows the app to fetch and update these trust anchors at runtime:

• Pins are not hardcoded.
• Delivered dynamically to the app at runtime after passing integrity attestation.

Pros

• Cert rotation? Just update pins and they are automatically made available to apps - no app update needed.
• Pins are never in app binary → nothing to reverse-engineer.

This does requires a library or SDK (eg Approov SDK) on the device to receive the pins and a secure (cloud) API that provides the latest certificates in a secure format.

Best: Dynamic Pinning + Attestation + Trust Enforcement

This approach combines dynamic pinning with runtime app and device integrity checks. MitM tools running on the device are identified and blocked. In addition, pins and certificates, as well as API secrets (keys, tokens) are only delivered to untampered apps on uncompromised devices thus eliminating the threat of on-device MitM attacks.

Approov, for example, does this in two ways: 

1. Managed trust roots - the Approov SDK will check the certificate chains for all connections to APIs registered with Approov. The check ensures that the public key pin of the root certificate of the chain is among the set of roots registered with Approov. This set is not derived from the certificate trust store on the device (which attackers can manipulate). Instead it is managed by Approov and delivers a new set whenever there is an update.
2. Dynamic pinning - the Approov SDK will ensure that certificate chains include a certificate pin that has been registered with Approov for the specific target API of a connection. Instead of including the pins in the app package (and therefore limiting the lifetime of the app package on user devices), pins are stored in the Approov cloud and can be updated at any time. The Approov SDK checks that it has the latest set of pins every time it performs an attestation (every 5 mins while the app is active). This allows for zero downtime pin updates when they need to be rotated. 

For a detailed breakdown of how these options  work: consult this Approov Knowledge Base article.

Pros

• Stops all classes of MitM:
  • Proxy tools
  • Fake apps
  • Rooted/emulated devices
    
    
• Blocks API scraping/bots in addition to MitM.
  
  
• Provides complete API trust.

This is defense-in-depth MitM protection for mobile APIs.

Conclusion: Aim for the Best Solution to Eliminate MitM Attacks

Mobile app developers must aim for a solution which implements dynamic pinning integrated with attestation and trust enforcement. This will eliminate the threat of any kind of MitM attack: 

• Avoids hardcoding pins in app binaries
• Allows backend-controlled pin updates without needing app redeployments
• Ensures pins are only delivered to verified apps after passing integrity attestation
• Eliminates on-device attacks

This solution is:

• Highly effective at preventing any kind of MITM attack
• Easy to manage even in environments with frequent certificate rotations

And a final thought: Pinning is still essential for mobile API security—just avoid static implementations. With modern dynamic pinning solutions, you get all the benefits of pinning without the operational risks.

Approov are experts in mobile app and API security. We would be happy to discuss this on a call.