What are the differences between static certificate pinning and dynamic certificate pinning?
The main differences between static and dynamic certificate pinning on mobile devices are:
- Static pinning hardcodes a set of expected certificate hashes or public keys in the app code. Dynamic pinning fetches or rotates the expected hashes at runtime.
- With static pinning, reversing the app can expose the pinned certificates. Dynamic pinning makes it harder to extract expected certificates.
- Static pins remain constant, so once identified they can be bypassed. Dynamic pins change frequently to thwart this.
- Apps with static pinning need updating to change pinned certs. Dynamic pinning allows cert rotation without updates.
- If a statically pinned certificate is compromised, the app remains vulnerable until updated. Dynamic pinning limits exposure to a short validity period per certificate.
- Static pinning requires knowing all backend server certs in advance, which may not be feasible. Dynamic pinning can retrieve certs on demand.
- Performance impact is less with static pinning as expected certs are hardcoded. Dynamic pinning requires fetching valid certs.
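As an added example (not part of the original answer), here is a small Python model of both schemes using the SPKI-hash pin format that HPKP and Android's network security configuration use: a static pin set with no expiry beside a dynamic pin set that carries a validity period and fails closed once it expires. The Ed25519 SPKI wrapper, the keys and the simulated pin-server response are constructed sample data.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP / Android NSC format."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def ed25519_spki(raw_key: bytes) -> bytes:
    """Constructed sample: wrap a 32-byte Ed25519 key in its DER SPKI header (RFC 8410)."""
    assert len(raw_key) == 32
    return bytes.fromhex("302a300506032b6570032100") + raw_key


@dataclass(frozen=True)
class PinSet:
    pins: FrozenSet[str]          # accepted SPKI pins for the backend
    expires: Optional[datetime]   # None = static set baked into the app binary


def pin_matches(chain_spkis: List[bytes], pin_set: PinSet, now: datetime) -> bool:
    """True if any SPKI in the presented chain matches an unexpired pin.
    An expired dynamic set fails closed: the client must refresh pins first."""
    if pin_set.expires is not None and now >= pin_set.expires:
        return False
    return any(spki_pin(s) in pin_set.pins for s in chain_spkis)


# Constructed sample keys: KEY_A is the current server key, KEY_B the rotated one.
KEY_A = ed25519_spki(bytes(range(32)))
KEY_B = ed25519_spki(bytes(range(32, 64)))
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Static scheme: only KEY_A is known at build time; KEY_B needs an app update.
STATIC_PINS = PinSet(frozenset({spki_pin(KEY_A)}), expires=None)


def fetch_pin_set(now: datetime) -> PinSet:
    """Simulated (constructed) pin-server response: current plus backup pin, 7-day validity."""
    return PinSet(frozenset({spki_pin(KEY_A), spki_pin(KEY_B)}), expires=now + timedelta(days=7))


DYNAMIC_PINS = fetch_pin_set(NOW)
```

Note that the dynamic set itself must be delivered over a channel the client can authenticate (for example, signed or served under the previous pin set), otherwise an attacker who can reach the client could simply hand it a pin set of their own.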