Pinning Schemes
This article describes the Certificate Pinning Schemes that can be configured by using Appdome.
To select a pining scheme:
- Go to the Security tab > Secure Communication section.
- Enable (toggle On) Secure Certificate Pinning.
- Open the Pining Scheme drop-down list.
Secure Certificate Pinning Profiles
Appdome offers the following mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:
- Chain Evaluation – evaluates the chain of trust used by the Root Certificate and Intermediate Certificate uploaded to Appdome by the user, and will trust only those intermediate and leaf certificates that are trusted by the uploaded certificates. Basically, this locks the chain of trust. Any mismatch is a security event.
- Strict Evaluation – evaluates the exact fingerprint of server certificate uploaded to Appdome against the certificate returned by the server. This is equivalent to Leaf certificate pinning. If the server returns a different certificate, the mismatch is a security event.
- Root Evaluation – only evaluates that the root CA returned for the specified domain/host (FQDN) matches the Root CA Certificate uploaded to Appdome. Because the CA certificates are valid for 10+ years, this setup will not require updates when the leaf certificate or the intermediate certificates are renewed (i.e., the server can return an updated intermediate or leaf certificate without invoking a security event). By pinning against the root certificate only, any changes to the customer’s intermediate or leaf certificates will work without having to update the app.
- Public Key Evaluation – only evaluates the server’s certificate public key to ensure complete continuity of service when the certificate is renewed if the new server certificate comes with the same public key.
- No Pinning – certificate chains received for the specific domain will not be verified by Appdome. They will normally fall back to the OS’s default verification process.
