Is Certificate Pinning Worth it?


In a word: yes. Implemented correctly, certificate pinning is an effective way to secure mobile application traffic, because it restricts the certificates the app will accept to those you have explicitly chosen to trust. In its most secure form, that trust decision is made by the app itself rather than by the TLS certificate store managed by the device.

We’ve written extensively on the topic of certificate pinning and at the end of this article you’ll find links to more in-depth articles as well as a handy free tool for auto generating pinning configurations.

How does TLS protect the mobile channel?

TLS lets two parties communicate securely using Public Key Infrastructure (PKI) and Certificate Authorities (CAs). With PKI a mobile app can check that it is talking to the genuine backend: the server presents a certificate chain, and the app validates that chain up to a CA certificate issued by a trusted third party (the Certificate Authority). The device holds a store of trusted root CA certificates for this purpose; any server certificate that chains to one of them is accepted as proof of the server's identity.

The API channel between mobile applications and their backend servers is an increasingly common attack vector, driven by the rapid growth in mobile app usage. TLS alone is not enough to protect this channel: the assurance it gives is only as strong as the device's certificate store, and traffic can still be intercepted and manipulated.

If an attacker can modify the set of certificates the device trusts, either directly (for example by installing their own root certificate on a device they control) or via a device vulnerability, or can fraudulently obtain a certificate for the target domain from a CA the device already trusts, then a MitM attack is still possible.

A MitM attacker terminates the app's TLS connection, presents a certificate the app accepts, and so tricks the mobile app into believing it is communicating with the genuine backend server. The attacker can then read and modify the plaintext before re-encrypting it and forwarding it along a second encrypted channel to the real backend service.

Approov diagram showing Man in the Middle attack

What is certificate pinning and how does it prevent MitM attacks?

Certificate pinning replaces dependence on the device's certificate store with a set of certificates known and trusted by the app itself. In practice the pins are usually hashes of the public keys in those certificates rather than the certificates themselves. With static pinning, the set of pins trusted by the app is distributed inside the app, so any change to the permitted pins has to be shipped as a new version of the app.

However, end users can be slow to install updates, so if the backend certificate is rotated before the new pins reach them, the app simply stops connecting; the Barclays Bank mobile app suffered exactly this outage a number of years ago.
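To make the static pinning described above concrete, here is an added example written for this page (it is not Approov's code nor the output of its pin-generation tool) that derives a pin from a DER certificate and checks a presented chain against the pin set shipped in the app. The certificates, names and keys are constructed inline and carry no real signatures; only their structure matters. The pin format, base64 of the SHA-256 of the DER SubjectPublicKeyInfo, is the one used by Android's network security configuration, OkHttp's CertificatePinner and the old HPKP header.

```python
"""Static certificate pinning, end to end: derive SPKI pins from DER
certificates and check a presented chain against the app's pin set.
Certificates below are constructed toys (unsigned); only structure matters."""
import base64
import hashlib


# ---- minimal DER helpers: enough to walk X.509 structure, no signature checks ----

def _der(tag, content):
    """Encode one DER TLV (single-byte tag, short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, value_start, value_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln


def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each TLV inside buf[start:end]."""
    off = start
    while off < end:
        tag, _, ve = _tlv(buf, off)
        yield tag, off, ve
        off = ve


def pin_from_spki(spki_der):
    """Pin format used by Android network_security_config, OkHttp ("sha256/...")
    and the old HPKP header: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der):
    """Extract the SubjectPublicKeyInfo from a DER certificate and pin it."""
    _, cert_vs, cert_ve = _tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, tbs_start, _ = next(_children(cert_der, cert_vs, cert_ve))
    _, tbs_vs, tbs_ve = _tlv(cert_der, tbs_start)           # TBSCertificate SEQUENCE
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                                # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = fields[5]
    return pin_from_spki(cert_der[s:e])


def chain_matches_pins(chain_der, pins):
    """Static pinning rule: accept the connection only if some certificate in the
    presented chain (leaf or intermediate) carries a pinned key. In an app this
    runs in addition to normal TLS chain validation, never instead of it."""
    return any(spki_pin(cert) in pins for cert in chain_der)


# ---- constructed sample certificates (hypothetical names and keys) ----

def build_toy_cert(cn, key_bytes, with_version=True):
    """Build a structurally valid but unsigned DER certificate around a fake key.
    Returns (certificate DER, SubjectPublicKeyInfo DER)."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    oid = lambda hexstr: _der(0x06, bytes.fromhex(hexstr))
    alg_rsa = seq(oid("2A864886F70D010101"), _der(0x05, b""))    # rsaEncryption, NULL
    alg_sig = seq(oid("2A864886F70D01010B"), _der(0x05, b""))    # sha256WithRSAEncryption
    spki = seq(alg_rsa, _der(0x03, b"\x00" + key_bytes))         # BIT STRING, 0 unused bits
    name = seq(_der(0x31, seq(oid("550403"), _der(0x0C, cn))))   # Name: one CN attribute
    validity = seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z"))
    tbs_parts = [_der(0x02, b"\x01"), alg_sig, name, validity, name, spki]
    if with_version:
        tbs_parts.insert(0, _der(0xA0, _der(0x02, b"\x02")))     # version v3
    tbs = seq(*tbs_parts)
    return seq(tbs, alg_sig, _der(0x03, b"\x00" * 9)), spki      # dummy signature


LEAF, LEAF_SPKI = build_toy_cert(b"api.example.com", b"\x11" * 32)
LEAF_V1, _ = build_toy_cert(b"api.example.com", b"\x11" * 32, with_version=False)
INTERMEDIATE, _ = build_toy_cert(b"Example Issuing CA", b"\x22" * 32)
# Chain a MitM proxy would present: same names, different keys, signed by a root
# the attacker added to the device's trust store.
MITM_LEAF, _ = build_toy_cert(b"api.example.com", b"\x33" * 32)
MITM_CA, _ = build_toy_cert(b"Example Issuing CA", b"\x44" * 32)

# Pin set shipped inside the app: the intermediate's key plus a backup key kept
# offline, so the next planned rotation does not require an app release.
BACKUP_PIN = spki_pin(build_toy_cert(b"backup", b"\x55" * 32)[0])
APP_PINS = {spki_pin(INTERMEDIATE), BACKUP_PIN}


if __name__ == "__main__":
    print("leaf pin         ", spki_pin(LEAF))
    print("genuine chain ok ", chain_matches_pins([LEAF, INTERMEDIATE], APP_PINS))  # True
    print("MitM chain ok    ", chain_matches_pins([MITM_LEAF, MITM_CA], APP_PINS))   # False
```

The MitM chain fails even though its certificates carry the same names and would chain to a root the device trusts, because the pin is over the public key, which the attacker cannot reproduce. Pinning the intermediate (or a backup key you hold offline) rather than the leaf is what gives you room to rotate the leaf certificate without an app release.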

Dynamic pinning avoids that update lag by building a secure pin update mechanism into the app logic, so that apps already deployed can receive a new set of pins when the certificates used by the APIs they depend on change, without waiting for users to install a new app version.
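The following added example (my own illustration of the update policy, not Approov's mechanism; the names and message format are assumptions) shows what "secure" has to mean for such an update path. A new pin set is installed only if it is authentic, newer than the installed set, unexpired, non-empty and overlapping the pins currently in use; otherwise the app keeps the pins it already has. An HMAC with a constructed key stands in for the signature so the example runs offline; a real deployment would verify an asymmetric signature with only the public key embedded in the app, since any shared secret inside an app binary can be extracted.

```python
"""Dynamic pinning update policy: a deployed app accepts a new pin set only if the
update is authentic, newer than the installed set, unexpired, non-empty and
overlapping the current set; anything else leaves the installed pins untouched."""
import base64
import hashlib
import hmac
import json


class PinStore:
    """The app's current pin set plus the rules for replacing it."""

    def __init__(self, pins, version, verify):
        self.pins = set(pins)
        self.version = version          # monotonic counter of installed pin sets
        self.verify = verify            # verify(payload, signature) -> bool

    def apply_update(self, payload, signature, now):
        """Install the pins in `payload` and return True, or return False and keep
        the old pins (fail closed) if any check fails. Order matters: nothing in
        the payload is trusted before the signature has been checked."""
        if not self.verify(payload, signature):
            return False                             # forged or tampered update
        upd = json.loads(payload)
        new_pins = set(upd.get("pins", []))
        if upd.get("version", 0) <= self.version:
            return False                             # replay or rollback to an older set
        if upd.get("expires", 0) < now:
            return False                             # stale: a captured old update must not stick
        if not new_pins:
            return False                             # empty set would silently disable pinning
        if not (new_pins & self.pins):
            return False                             # policy: rotations must overlap the live set
        self.pins, self.version = new_pins, upd["version"]
        return True


# ---- constructed demo material; HMAC stands in for an asymmetric signature ----
DEMO_KEY = b"demo-signing-key-not-for-production"   # hypothetical; a real app holds only a public key


def demo_sign(payload):
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()


def demo_verify(payload, signature):
    return hmac.compare_digest(demo_sign(payload), signature)


def make_update(version, pins, expires):
    """What the pin server would publish: a signed JSON pin set."""
    payload = json.dumps({"version": version, "pins": sorted(pins), "expires": expires}).encode()
    return payload, demo_sign(payload)


def fake_pin(label):
    """A pin-shaped placeholder (base64 SHA-256 of a label, not of a real key)."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


OLD_PIN, BACKUP_PIN, NEW_PIN, NEXT_PIN = (fake_pin(x) for x in ("old", "backup", "new", "next"))


def run_scenarios(now=1_700_000_000):
    """Drive one PinStore through a key rotation and a series of bad updates.
    Returns (dict of outcomes, final pin set)."""
    store = PinStore({OLD_PIN, BACKUP_PIN}, version=3, verify=demo_verify)
    day = 86_400
    out = {}
    p, s = make_update(4, [OLD_PIN, NEW_PIN], now + day)
    out["rotation"] = store.apply_update(p, s, now)                          # True
    out["replay"] = store.apply_update(p, s, now)                            # False: version 4 again
    p, s = make_update(5, [NEW_PIN], now + day)
    out["forged"] = store.apply_update(p, bytes(b ^ 0xFF for b in s), now)  # False
    p, s = make_update(2, [NEW_PIN], now + day)
    out["rollback"] = store.apply_update(p, s, now)                          # False
    p, s = make_update(5, [NEW_PIN], now - 1)
    out["stale"] = store.apply_update(p, s, now)                             # False
    p, s = make_update(5, [], now + day)
    out["empty"] = store.apply_update(p, s, now)                             # False
    p, s = make_update(5, [fake_pin("unrelated")], now + day)
    out["no_overlap"] = store.apply_update(p, s, now)                        # False
    p, s = make_update(5, [NEW_PIN, NEXT_PIN], now + day)
    out["retire_old"] = store.apply_update(p, s, now)                        # True: OLD_PIN dropped
    return out, store.pins


if __name__ == "__main__":
    results, pins = run_scenarios()
    for name, ok in results.items():
        print(f"{name:<11} {'installed' if ok else 'rejected'}")
    print("final pins:", sorted(pins))
```

The overlap rule is a deliberate policy choice: a rotation is published as "current plus next" first and "next plus the one after" later, so a single bad update can never strand every deployed app on a set that matches nothing. Whatever the transport, the signature check must come first and every failure must leave the previous pins in place.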

So, while certificate pinning for mobile apps is a complex topic, we highly recommend dynamic pinning: it adds a flexible, additional verification layer on top of TLS to protect your mobile business.

Need more information?

For a more in-depth explanation of dynamic certificate pinning take a look at this blog article: https://approov.io/blog/approov-dynamic-pinning

Download our whitepaper on preventing MitM attacks to get:

  • in-depth analysis of the techniques used by hackers,
  • details on how certificate pinning can help thwart mobile MitM attacks, and
  • methods to prevent hackers tampering with device environments.

If you’d like to speak to one of our experts for advice on your use case, please contact us. We also provide a free tool that automatically generates the configuration required to implement static pinning for your mobile app’s connections.