Static Certificate Pinning vs. Dynamic Certificate Pinning?

What are the differences between static certificate pinning and dynamic certificate pinning?

The main differences between static and dynamic certificate pinning in mobile apps are:

  • Static pinning hardcodes the expected certificate or public-key (SPKI) hashes in the app binary or its network security configuration. Dynamic pinning ships only a bootstrap trust anchor and fetches the current pin set from a trusted endpoint at runtime, caching it with a validity period.
  • With static pinning, reversing the app exposes the pinned hashes. This is by design rather than a leak: a pin is a hash of a public key, so knowing it does not let an attacker forge a matching key. Dynamic pinning keeps the current pin set out of the binary, though it can still be read from the device at runtime.
  • Static pins stay constant for the life of a build, so a bypass (patching the comparison or hooking the verification routine) keeps working across releases. Dynamic pins change on the server's rotation schedule, which invalidates bypasses that depend on a fixed pin value, although a hook on the verification function itself still works against both.
  • Changing a static pin requires shipping an app update and waiting for users to install it. Dynamic pinning lets the backend rotate keys without an app release.
  • If the key behind a static pin is compromised, the app keeps trusting it until the update lands on every device. A dynamic pin set carries an expiry, so exposure is bounded by that window plus the time to push a new set.
  • Static pinning requires knowing every backend key at build time, including backup and future keys, which is hard across CDNs and third-party hosts. Dynamic pinning can deliver pins for new hosts on demand.
  • Static pinning has no runtime cost beyond a hash comparison. Dynamic pinning adds a fetch, a cache and a freshness check, and must decide what to do when the pin set cannot be refreshed (fail closed, or fall back to a bundled set).

In summary, dynamic pinning trades fixed pins for an updatable pin set with a bounded lifetime, which makes key rotation and compromise recovery far easier. Its security, however, rests entirely on how the pin update itself is authenticated: signed with a key baked into the app, or fetched over a connection verified against the current pins. An unauthenticated pin feed is equivalent to no pinning at all. Both approaches should carry at least one backup pin so that a single key rotation cannot lock users out.
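The following Python example, added here and not part of the original page, reduces both models to their data handling: it walks a DER certificate to its SubjectPublicKeyInfo, derives a pin in the HPKP/OkHttp `sha256/<base64>` convention, and checks a presented chain against a static pin set and against a dynamic pin set that expires and is replaced by a runtime update. The certificate bytes are constructed skeletons in real X.509 field order (so the same walk applies to a genuine certificate), and the update-acceptance rules (fetched over a connection that satisfied the current pins, monotonic version, mandatory backup pin) are one reasonable design chosen for this example, not a description of any particular library. Only the standard library is used, so the signature check a production pin feed would also need is noted but not implemented.

```python
import base64
import hashlib
import time
from dataclasses import dataclass

SEQUENCE, INTEGER, BIT_STRING, CONTEXT_0 = 0x30, 0x02, 0x03, 0xA0


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_children(data: bytes):
    """Yield (tag, whole_tlv, content) for each TLV laid end to end in data."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + nbytes], "big"), 2 + nbytes
        end = i + hdr + length
        yield tag, data[i:end], data[i + hdr:end]
        i = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, _, cert_body = next(der_children(cert_der))
    _, _, tbs_body = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields[0][0] == CONTEXT_0:      # explicit version tag is absent in v1 certs
        fields = fields[1:]
    tag, spki_tlv, _ = fields[5]
    if tag != SEQUENCE:
        raise ValueError("malformed tbsCertificate")
    return spki_tlv


def spki_pin(spki_der: bytes) -> str:
    """HPKP / OkHttp pin string: base64 of SHA-256 over the DER SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset        # at least two: current key plus a backup
    version: int           # monotonic; a dynamic update must increase it
    expires_at: float      # unix time; a static pin set uses float("inf")

    def matches(self, chain_der: list, now: float) -> bool:
        """True if any certificate in the presented chain carries a pinned key.
        Design choice here: an expired pin set fails closed until refreshed."""
        if now > self.expires_at:
            return False
        return any(spki_pin(extract_spki(c)) in self.pins for c in chain_der)


def apply_pin_update(current: PinSet, update: dict, fetched_over: list, now: float) -> PinSet:
    """Accept a new pin set only if it arrived over a chain that satisfied the
    *current* pins (trust bootstrap), is strictly newer, and keeps a backup pin.
    Assumption of this example: production code would additionally verify a
    signature over `update` with a key baked into the app (no stdlib support)."""
    if not current.matches(fetched_over, now):
        raise ValueError("pin update fetched over an unpinned connection")
    if update["version"] <= current.version:
        raise ValueError("replayed or stale pin update")
    if len(set(update["pins"])) < 2:
        raise ValueError("pin set must include a backup pin")
    return PinSet(current.host, frozenset(update["pins"]), update["version"], update["expires_at"])


def fake_cert(key_bytes: bytes) -> bytes:
    """Constructed certificate skeleton in real X.509 field order; not a valid
    certificate (OID, names and signature are placeholders), only the structure
    that extract_spki() walks is faithful."""
    spki = der_tlv(SEQUENCE, der_tlv(SEQUENCE, b"\x06\x03\x2a\x03\x04")   # placeholder OID 1.2.3.4
                   + der_tlv(BIT_STRING, b"\x00" + key_bytes))
    tbs = der_tlv(SEQUENCE,
                  der_tlv(CONTEXT_0, der_tlv(INTEGER, b"\x02"))  # version v3
                  + der_tlv(INTEGER, b"\x01")                    # serialNumber
                  + der_tlv(SEQUENCE, b"")                       # signature algorithm
                  + der_tlv(SEQUENCE, b"")                       # issuer
                  + der_tlv(SEQUENCE, b"")                       # validity
                  + der_tlv(SEQUENCE, b"")                       # subject
                  + spki)
    return der_tlv(SEQUENCE, tbs + der_tlv(SEQUENCE, b"") + der_tlv(BIT_STRING, b"\x00"))


if __name__ == "__main__":
    now = time.time()
    leaf, backup, rogue = fake_cert(b"KEY-A"), fake_cert(b"KEY-B"), fake_cert(b"KEY-MITM")
    static = PinSet("api.example.com",
                    frozenset({spki_pin(extract_spki(leaf)), spki_pin(extract_spki(backup))}),
                    version=1, expires_at=float("inf"))
    print("static pin, real chain:", static.matches([leaf], now))   # True
    print("static pin, MITM chain:", static.matches([rogue], now))  # False
```

Two consequences of the choices above are worth noting. Because `matches()` fails closed on expiry, an app must refresh its dynamic pin set before the window ends or carry a bundled fallback set, otherwise it cannot even fetch the update. And because the update is trusted on the strength of the connection it came over, a compromised current key compromises the feed too, which is why a separate signing key over the pin document is the stronger option when one is available.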