EIVUS

SSL Pinning for Mobile and API Clients

Pin certificates or public keys to prevent MITM; rotation and fallback.


Certificate or key pinning reduces MITM risk for sensitive apps. Plan for pin rotation and expiration; support backup pins. Balance security and operational burden. Use in combination with TLS 1.2+ and HSTS.

What pinning does

  • MITM: Without pinning, a client trusts any cert that chains to a CA the device trusts. An attacker who can obtain a cert from any trusted CA (or has a rogue CA installed on the device) and sits on the network path can present a fake cert and intercept traffic. Pinning restricts the client to accept only specific cert(s) or public key(s), regardless of which CA signed them.
  • Where: Mobile apps (iOS/Android) and sometimes thick API clients. Browsers generally do not support pinning (HPKP was deprecated). Use for app-to-backend or API-to-API when you control both sides.
  • What to pin: Certificate pin (hash of the whole cert) or public key pin (hash of the SubjectPublicKeyInfo, i.e. the SPKI). A key pin survives cert renewal as long as the same key is kept; a cert pin changes every time the cert is reissued. A backup pin allows a second trusted cert/key so rotation does not break connectivity.

Rotation and fallback

  • Expiration: Pins expire or you rotate certs. If the app has only one pin and the cert changes, the app cannot connect until you ship an update with the new pin. Always have at least one backup pin (e.g. the next cert or key).
  • Rollout: Before rotating: add the new cert/key and pin it in the app as a backup pin. Ship the app update. After enough adoption, make the new pin primary and remove the old one. Then rotate the server cert. This way old and new app versions keep working during the transition.
  • Operational burden: Pinning ties app releases to cert lifecycle. Plan rotation calendar and test in staging. Consider short-lived certs (e.g. Let's Encrypt) and automation so rotation is routine.

Best practices

  • TLS 1.2+: Use strong TLS and disable weak ciphers. Pinning does not replace TLS; it adds a second check.
  • HSTS: On the server, enable HSTS so browsers use HTTPS only. For mobile/API, pinning is the extra layer.
  • Scope: Pin only the host(s) you need. Do not pin third-party APIs you do not control—they rotate certs on their schedule.
  • Failure handling: If the pin check fails, do not silently fall back to unpinned TLS (that defeats the purpose). Fail closed or show a clear error, and log the failure for debugging.
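The three points above (what to pin, a primary plus backup pin set for rotation, and failing closed on mismatch) as an added Go example; this is not EIVUS code or any particular pinning library, and the self-signed certificates it mints are constructed test input standing in for a real server's leaf cert and its renewal:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// pin returns base64(SHA-256(b)), the "pin-sha256" encoding most pinning libraries consume.
func pin(b []byte) string {
	sum := sha256.Sum256(b)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// spkiPin pins the public key: it survives renewal as long as the server keeps the same key.
func spkiPin(c *x509.Certificate) string { return pin(c.RawSubjectPublicKeyInfo) }
// certPin pins the whole DER certificate: it changes on every renewal.
func certPin(c *x509.Certificate) string { return pin(c.Raw) }

// checkPins runs after normal chain validation against the primary pin plus backup pins;
// a mismatch is an error the caller must treat as fatal, never a fallback to unpinned TLS.
func checkPins(leaf *x509.Certificate, pins []string) error {
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch: refusing connection (got %s)", got)
}

// selfSigned mints a throwaway cert for pub (constructed test input, not a real server cert).
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	old, renewed := selfSigned(pub, priv, 1), selfSigned(pub, priv, 2)
	fmt.Println("key pin stable:", spkiPin(old) == spkiPin(renewed), "cert pin stable:", certPin(old) == certPin(renewed))
}
```

In a real client, checkPins would be wired into the TLS verification callback for the pinned host only, and the pin set shipped in the app would contain the current key's pin plus the pin of the key planned for the next rotation.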

Summary

Certificate or key pinning reduces MITM risk for sensitive apps. Plan for pin rotation and expiration; support backup pins. Balance security and operational burden. Use with TLS 1.2+ and HSTS.
