Mobile Security

Certificate Pinning

A security technique where a mobile application hardcodes the expected server certificate or public key, rejecting connections that present any other certificate even if it is otherwise validly signed.

Certificate pinning protects against man-in-the-middle attacks by ensuring that a client will only accept communication with a server presenting a specific, pre-known certificate or public key. Standard TLS validation relies on the device's certificate authority store, which can be modified by an attacker who controls the device or who has compromised a CA. Pinning bypasses CA trust entirely.

Implementations exist at the platform level (Apple App Transport Security pinning, Android Network Security Configuration) and at the application level (custom URLSessionDelegate or X509TrustManager implementations). Native code implementations are significantly harder to bypass than framework-layer implementations.

Bypass tooling — particularly Frida and Objection — is mature and effective against typical implementations. High-assurance applications combine pinning with anti-tampering, root/jailbreak detection, and integrity checks to raise the cost of bypass.

See: Certificate Pinning Bypass: Frida, Objection, and What Still Works.

← Back to Glossary