Is Certificate Pinning Worth it?



In a word – yes; when implemented correctly, certificate pinning is an effective method for securing mobile application traffic by restricting the accepted certificates to just those you are willing to trust. In its most secure manifestation, this trust sits outside the standard TLS certificate store managed by the device.

We’ve written extensively on the topic of certificate pinning and at the end of this article you’ll find links to more in-depth articles as well as a handy free tool for auto generating pinning configurations.

How does TLS protect the mobile channel?

TLS enables two parties to communicate securely using Public Key Infrastructure (PKI) and Certificate Authorities. With PKI a mobile app can check the validity of the backend server using certificates through a trusted third party (the Certificate Authority). A list of trusted certificates is held by the device in order to verify the identity of valid servers. 

The API channel between mobile applications and their backend servers is an increasingly common attack vector due to the rapid growth in mobile app usage. TLS alone is not enough to protect this channel: it can be intercepted and manipulated.

If an attacker is able to modify the set of trusted device certificates, directly or via a device vulnerability, or fraudulently obtain a trusted certificate for the target domain, then a MitM attack is still possible.

A MitM attacker can intercept the encrypted traffic and trick the mobile app into thinking it is communicating with a valid backend server. The attacker is then able to modify or manipulate the traffic and transmit it back along the encrypted channel to the backend service.

Approov diagram showing Man in the Middle attack

What is certificate pinning and how does it prevent MitM attacks?

Certificate pinning replaces dependence on the device’s set of certificates with a set of certificates known and trusted by the app itself. For static pinning, the set of certificates trusted by the app (the pins) are distributed with the app itself. Updates to the permitted pins need to be distributed via a new version of the app. 
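The check a statically pinned app performs at connection time, as an added example that is not Approov's code or from the original article: each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (the format Android's network security config and HPKP use), the app ships a primary and a backup pin per host, and a presented chain is accepted only if one of its certificates matches a pin. The SPKI byte strings, host names and the `PinSet`/`verify_connection` helpers are constructed for this illustration; a real app would take the SPKI bytes from the certificates presented in the TLS handshake.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs.
# In a real app these bytes come from the certificates the server presents
# during the TLS handshake; here they only need to be distinct byte strings.
LEAF_SPKI = b"constructed: SPKI of api.example.com leaf"
INTERMEDIATE_SPKI = b"constructed: SPKI of the issuing intermediate CA"
ROTATED_LEAF_SPKI = b"constructed: SPKI of a newly issued leaf"
ROGUE_LEAF_SPKI = b"constructed: SPKI of an interception proxy"
ROGUE_CA_SPKI = b"constructed: SPKI of a rogue CA added to the device store"


def spki_pin(spki_der: bytes) -> str:
    """Pin value in HPKP / Android network-security-config form:
    base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    """Static pins for one host, compiled into the app."""
    host: str
    pins: FrozenSet[str]
    include_subdomains: bool = False

    def __post_init__(self) -> None:
        # With a single pin, a routine certificate rotation on the server
        # makes the app unusable until users install an update, so a
        # backup pin is mandatory.
        if len(self.pins) < 2:
            raise ValueError(f"{self.host}: need a primary and a backup pin")

    def covers(self, host: str) -> bool:
        if host == self.host:
            return True
        return self.include_subdomains and host.endswith("." + self.host)


def chain_is_pinned(chain_spkis: Iterable[bytes], pinset: PinSet) -> bool:
    """Accept the chain if ANY certificate in it matches a configured pin.
    Pinning the issuing intermediate as the backup lets the leaf rotate
    without an app release."""
    return any(spki_pin(spki) in pinset.pins for spki in chain_spkis)


def verify_connection(host: str, chain_spkis: List[bytes], config: List[PinSet]) -> str:
    """Return 'pinned', 'rejected' or 'unpinned'.

    'unpinned' means no pin set covers the host, so only the device trust
    store applies; the app should treat that as a configuration gap rather
    than silently falling back."""
    covering = [p for p in config if p.covers(host)]
    if not covering:
        return "unpinned"
    pinset = max(covering, key=lambda p: len(p.host))  # most specific host wins
    return "pinned" if chain_is_pinned(chain_spkis, pinset) else "rejected"


# Pin configuration as it would be embedded in the app binary (constructed).
APP_PIN_CONFIG = [
    PinSet(
        host="api.example.com",
        pins=frozenset({spki_pin(LEAF_SPKI), spki_pin(INTERMEDIATE_SPKI)}),
        include_subdomains=True,
    ),
]

if __name__ == "__main__":
    print(verify_connection("api.example.com", [LEAF_SPKI, INTERMEDIATE_SPKI], APP_PIN_CONFIG))
    print(verify_connection("api.example.com", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI], APP_PIN_CONFIG))
```

The rogue chain is rejected even though, on a device whose trust store has been tampered with, standard TLS validation would accept it: the decision no longer depends on the device's certificate store. The rotated-leaf case passes because the intermediate is pinned as a backup, which is the usual way to avoid the update-lag problem that static pinning otherwise carries.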

However, given how slow end users can be to install updates, there is a risk that the app will no longer function…
