How to Apply Certificate Pinning to Specific Domains in iOS, Android apps

Learn how to apply certificate pinning to specific domains in Android and iOS apps.

When you build Appdome Certificate Pinning into mobile apps, you can specify the domains on which you wish to use certificate pinning.

What is Certificate Pinning?

Certificate Pinning is the process of embedding a mobile app with valid SSL certificates for trusted servers. According to OWASP, a mobile application that pins a certificate or public key no longer depends on external elements (such as DNS or intermediate/public certificate authorities) to make security decisions relating to a peer server’s identity. In mobile, the most common form of certificate pinning is embedding the server certificates inside the mobile app to prevent the app from connecting to a malicious server whose certificates may have been compromised. This ensures that the app only connects to trusted servers or destinations.

Generally speaking, it is best to pin trusted certificates during the app development process (rather than upon first encountering the certificate or public key). Adding the trusted certificates at development time means the attacker cannot taint the pin by intercepting the session before the TLS handshake completes.

Appdome is a no-code mobile app security platform designed to add security features, like certificate pinning, to Android and iOS apps without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily add secure certificate pinning to any mobile app in seconds to prevent MitM attacks.

This KB describes step-by-step instructions to implement Secure Certificate Pinning in any iOS or Android app without any coding.

What does Secure Certificate Pinning Protect?

Appdome’s Secure Certificate Pinning prevents mobile apps from connecting to compromised servers or endpoints. It encrypts and securely stores the certificate(s) of known trusted servers in the app and validates the certificate before the connection is established. If there is a certificate mismatch, the session is denied or dropped.

Appdome’s Secure Certificate Pinning automatically performs certificate validation by verifying the authenticity of the SSL/TLS certificates received from the server. This first occurs during the initial secure communication exchange (i.e., the TLS/SSL handshake) between the app and a server.

Appdome’s technology prevents attackers from gaining control over the session before the TLS handshake completes. When an application initiates a handshake with the server, Appdome’s technology inspects the traffic to validate the integrity and authenticity of certificates, CAs, as well as session state information, and more. This inspection occurs before a would-be attacker can take control over the session or insert an altered certificate as part of the initial handshake. If Appdome detects that any element of the encryption model or session has been modified, the session is automatically dropped and an App Compromise Notification is presented to the user, thus preventing the MitM attack.

Appdome enables developers to verify and pin certificates for specific domains using different methods. Each Service Domain can be configured using * as a wildcard value to cover multiple domains.

Below are the Certificate Pinning Schemes that can be configured using Appdome.

Secure Certificate Pinning Profiles:

Appdome offers the following 3 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:

  • Chain Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are treated as CA certificates and replace the default predefined CA certificates for the specific domain.
    Appdome pins these trusted CA certificates to the app and uses them for session validation to the specified domain.
  • Strict Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are used to enforce full certificate pinning, with multiple certificates, on all sessions. This means that the leaf certificate in any chain received from a server for the specific domain must match one of the uploaded certificates in order to pass verification.
  • No Pinning – certificate chains received for the specific domain are not verified by Appdome. Verification falls back to the OS’s default verification process.
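To make the three profiles concrete, here is an added example (not Appdome’s code) that models the per-domain decision: the most specific matching Service Domain wins, `*` is a wildcard, Strict Evaluation requires the leaf to be one of the pinned certificates, and Chain Evaluation requires the presented chain to reach a pinned CA. Certificates are stood in for by constructed DER-like byte strings compared by SHA-256 fingerprint; the Chain Evaluation check is reduced to fingerprint membership of an issuer certificate, whereas a real implementation also verifies the signatures linking the leaf to that CA.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole certificate (here: constructed placeholder bytes)."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class DomainPin:
    domain: str                               # Service Domain, '*' allowed as wildcard
    scheme: str                               # "chain", "strict" or "none"
    pins: set = field(default_factory=set)    # fingerprints of the uploaded certificates


def find_policy(policies, host):
    """Return the most specific Service Domain matching host, or None."""
    matches = [p for p in policies if fnmatch.fnmatchcase(host, p.domain)]
    if not matches:
        return None
    # Longest literal part wins, so "api.example.com" beats "*.example.com".
    return max(matches, key=lambda p: len(p.domain.replace("*", "")))


def evaluate(policies, host, chain):
    """chain: list of DER certs, leaf first. True if the session may proceed."""
    policy = find_policy(policies, host)
    if policy is None or policy.scheme == "none":
        return True                      # no pin configured: OS default verification applies
    fps = [fingerprint(c) for c in chain]
    if policy.scheme == "strict":
        return fps[0] in policy.pins     # leaf must be one of the pinned certificates
    if policy.scheme == "chain":
        # Modelled as: some issuer in the chain is a pinned CA (signatures not checked here).
        return any(fp in policy.pins for fp in fps[1:])
    raise ValueError(f"unknown pinning scheme {policy.scheme!r}")


# Constructed sample "certificates" (placeholder bytes, not real X.509 DER).
LEAF = b"constructed-leaf-api.example.com"
INTERMEDIATE = b"constructed-intermediate-ca"
ROOT = b"constructed-root-ca"

# Constructed policy set: wildcard chain pin, a stricter override for one host, one opt-out.
POLICIES = [
    DomainPin("*.example.com", "chain", {fingerprint(ROOT)}),
    DomainPin("api.example.com", "strict", {fingerprint(LEAF)}),
    DomainPin("cdn.example.net", "none"),
]
```

Running `evaluate(POLICIES, "api.example.com", [b"other-leaf", INTERMEDIATE, ROOT])` returns False even though the chain reaches the pinned root, which is exactly the difference between Strict and Chain Evaluation.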

Follow These Easy Steps to Use Secure Certificate Pinning in Android & iOS apps

Please follow these easy steps to add Secure Certificate Pinning to any iOS and Android app using Appdome.

  1. Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
  2. In the Build Tab, under Security, expand Secure Communication, switch ON Secure Certificate Pinning
  3. Enter a Service Domain
  4. Select a Pinning Scheme
  5. Add Certificate(s)
  6. Click Build My App


Optional Settings:


Congratulations! You now have a mobile app secured with Certificate Pinning.


Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with Secure Certificate Pinning. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with thousands of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites

Here’s what you need to build secured apps with Secure Certificate Pinning:

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured apps. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

How to Learn More

Check out the comprehensive KB on Secure Communication to learn more detail about securing mobile data in transit.

You might also want to check out additional ways to further secure your application’s communications, such as enforcing the TLS version, cipher suites, and certificate roles.

To zoom out on this topic, visit Appdome for Mobile App Security on our website.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa
