Securing Mobile API Communications: A Good, Better, Best Approach
Comparison Chart
This chart provides a clear, at-a-glance comparison of the three approaches.
By adopting a dynamic pinning solution, you provide the strongest possible defense against MitM attacks while maintaining operational agility and ensuring continuous service for your users.
For senior mobile developers, ensuring the security of data in transit is a top priority. While HTTPS is the baseline, evolving threats require more robust solutions. This article compares three levels of security for your mobile app's API connections: HTTPS, static certificate pinning, and dynamic certificate pinning with Approov.
Good: Standard HTTPS
HTTPS is the foundation of secure mobile communication. It encrypts the data exchanged between your mobile app and the backend server, preventing casual eavesdropping. It relies on the Transport Layer Security (TLS) protocol and a chain of trust model managed by Certificate Authorities (CAs).
- How it Works: When an app connects to a server, the server presents a TLS certificate. The mobile OS verifies that this certificate chains to a CA in the device's trust store. If the check passes, an encrypted channel is established.
- Limitations:
  - Vulnerable to MitM Attacks: Because trust is anchored in the device's CA store, HTTPS is susceptible to Man-in-the-Middle (MitM) attacks. If an attacker can install a malicious root CA certificate on a user's device, they can intercept and decrypt all of the app's traffic.
  - No Server Identity Guarantee: Any certificate for your hostname issued by any trusted CA is accepted. A mis-issued certificate or a compromised CA therefore lets an attacker impersonate your backend server.
  - Manual Certificate Management: Your team is responsible for monitoring certificate expirations and manually renewing them, which can be error-prone.
HTTPS alone is a basic security measure, but it's not enough to protect against determined attackers.
Better: Static Certificate Pinning
Static certificate pinning is a significant security enhancement over standard HTTPS. It hardcodes (or "pins") the specific public key or certificate of your backend server directly into the mobile app.
- How it Works: During a TLS handshake, the app doesn't just check if the server's certificate is from a trusted CA; it also verifies that the certificate's public key or the certificate itself matches the pinned one. This blocks connections to any server that doesn't have the exact, expected certificate, effectively neutralizing MitM attacks that rely on rogue CAs.
- Limitations:
  - Inflexible and High Maintenance: When your server certificate changes (whether planned or in an emergency), you must update the pinned certificate in the app. This requires releasing a new version of your app and waiting for users to update it, which can cause service disruptions for those who are slow to upgrade.
  - Pins Can Be Extracted: Since the pins are stored within the app's code, a skilled attacker can often reverse-engineer the app, find the pins, and use them in malicious scripts or repackaged apps.
  - High Developer Workload: The process of managing pins, especially across multiple API endpoints and development environments, is a manual and demanding task for the development team.
Static pinning improves security but introduces significant operational friction and can still be circumvented.
Best: Dynamic Certificate Pinning with Approov
Dynamic pinning, especially when enhanced with a solution like Approov, offers the most robust and flexible approach. It moves pin management out of the app and into the cloud, providing superior security with lower operational overhead.
- How it Works: At runtime, the app fetches the latest pins from a secure, independent service (such as the Approov cloud). These pins are delivered over a secure channel and are updated automatically. This means you can rotate your server certificates without ever needing to release a new version of your app.
- Key Advantages of Approov's Approach:
  - Real-time Pin Updates: Pins can be updated on the fly via a dashboard or CLI, ensuring seamless transitions and eliminating the risk of service downtime due to certificate changes.
  - Runtime App Attestation: Approov goes beyond just securing the channel. It verifies the integrity of your app at runtime, ensuring it hasn't been tampered with and isn't running in an unsafe environment (e.g., on a rooted device). This prevents attackers from using your API with repackaged or malicious apps.
  - Pins Never Stored in App: The pins are fetched dynamically and managed securely, meaning there are no hardcoded pins in the app for an attacker to extract.
  - Low Developer Workload: Pin management is centralized and automated, freeing developers from manual updates and complex pin management workflows.
  - Instant Emergency Updates: If a certificate is compromised, you can instantly push a pin update to all app instances, providing immediate protection without waiting for app store reviews.
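The pin comparison at the centre of both the static and the dynamic approach, as an added example that is not Approov's code or SDK: the app hashes the server certificate's SubjectPublicKeyInfo and accepts the connection only if that pin is in the current pin set; with dynamic pinning the set is whatever the pin service last delivered, and the check fails closed when the set is missing, empty or stale. `constructed_cert` builds an unsigned, constructed stand-in for a certificate so the check runs offline; it is not a real certificate, and a real app would feed in the DER leaf certificate received in the TLS handshake.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Decode the DER TLV starting at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 order
    inside tbsCertificate: [version] serial sigAlg issuer validity subject spki)."""
    _, tbs_pos, _ = _tlv(cert_der, 0)                  # outer Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, tbs_pos)              # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = _tlv(cert_der, pos)
        fields.append((tag, pos, value_end))           # (tag, TLV start, TLV end)
        pos = value_end
    if fields and fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields.pop(0)
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    _, start, stop = fields[5]
    return cert_der[start:stop]                        # whole SPKI TLV is what gets pinned

def spki_pin(spki_der):
    """Pin in the 'sha256/<base64>' form used by HPKP and OkHttp's CertificatePinner."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def verify_peer(cert_der, pin_set, now):
    """Pin check against the set most recently delivered by the pin service, e.g.
    {"pins": ["sha256/...", ...], "expires": <unix time>}. Fails closed: a missing
    set, an empty pin list, or a stale set all reject the connection."""
    if not pin_set or not pin_set.get("pins") or now >= pin_set.get("expires", 0):
        return False
    return spki_pin(extract_spki(cert_der)) in set(pin_set["pins"])

def _der(tag, body):
    """Encode one short-form DER TLV (body shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

def constructed_cert(spki_body):
    """Constructed, unsigned stand-in with the tbsCertificate field order of RFC 5280.
    Not a real certificate; it exists only so the pin check can run offline."""
    version = _der(0xA0, _der(0x02, b"\x02"))          # [0] EXPLICIT INTEGER 2 (v3)
    empty_seq = _der(0x30, b"")                        # stands in for sigAlg/issuer/validity/subject
    tbs = version + _der(0x02, b"\x01") + empty_seq * 4 + _der(0x30, spki_body)
    return _der(0x30, _der(0x30, tbs) + empty_seq + _der(0x03, b"\x00"))
```

Keeping a backup pin in the delivered set is what lets a planned certificate rotation go through without rejecting connections, which is the operational problem the static approach forces onto an app release.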