How to Use Secure Certificate Pinning, Prevent MiTM Attacks

Last updated September 5, 2021 by Kai Kenan

Learn 3 Easy Steps to Use Secure Certificate Pinning to prevent MiTM Attacks in Android and iOS apps. Validate server certificates for TLS sessions.

What is Certificate Pinning?

Certificate Pinning is the process of embedding the valid SSL/TLS certificate (or public key) of a trusted server in a mobile app. An application that pins a certificate or public key no longer depends on external elements (such as DNS or intermediate/public certificate authorities) when making security decisions about a peer server’s identity. In mobile, the most common form of certificate pinning is embedding the server certificates inside the mobile app so that the server certificate is always trusted. This prevents attackers from presenting modified, fraudulent certificates to the mobile app in an attempt to redirect the user to a malicious site.

A host or service’s certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former – adding at development time – is preferred since preloading the certificate or public key out of band means the attacker cannot taint the pin by intercepting the session before the TLS handshake completes.

This KB gives step-by-step instructions for implementing Secure Certificate Pinning in any iOS or Android app without any coding.

What does Certificate Pinning Protect?

Appdome’s Secure Certificate Pinning automatically performs certificate validation by verifying the authenticity of the SSL/TLS certificates received from the server. This first occurs during the initial secure communication exchange (i.e., the TLS/SSL handshake) between the app and a server.

Appdome enables developers to verify and pin certificates for specific domains using different methods. Each Service Domain can be configured with * as a wildcard value to cover multiple domains.

Below are the Certificate Pinning Schemes that can be configured using Appdome.

Secure Certificate Pinning Profiles:

Appdome offers the following 5 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:

  1. Chain Evaluation – evaluates the chain of trust formed by the Root Certificate and Intermediate Certificate uploaded to Appdome by the user, and trusts only those intermediate and leaf certificates that chain to the uploaded certificates. In effect, this locks the chain of trust. Any mismatch is a security event.
  2. Strict Evaluation – compares the exact fingerprint of the server certificate uploaded to Appdome against the certificate returned by the server. This is equivalent to leaf certificate pinning. If the server returns a different certificate, the mismatch is a security event.
  3. Root Evaluation – only checks that the root CA returned for the specified domain/host (FQDN) matches the Root CA Certificate uploaded to Appdome. Because CA certificates are valid for 10+ years, this setup does not require updates when the leaf certificate or the intermediate certificates are renewed (i.e., the server can return an updated intermediate or leaf certificate without triggering a security event). By pinning against the root certificate only, any change to the customer’s intermediate or leaf certificates keeps working without an app update.
  4. Public Key Evaluation – only checks the server certificate’s public key, so service continues uninterrupted when the certificate is renewed, provided the new server certificate carries the same public key.
  5. No Pinning – certificate chains received for the specified domain are not verified by Appdome; they fall back to the OS’s default verification process.
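As an added illustration (not Appdome's code), the four verifying schemes above reduce to these checks when written against Go's standard x509 library. A constructed demo PKI (hostname, CA names and keys are all made up here) renews the leaf with the same key pair under a rotated intermediate, and each scheme gives its verdict on the renewed certificate:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey mints a fresh Ed25519 key pair for the constructed demo PKI.
func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// issue signs a certificate for name with the parent's key; parent == nil yields a self-signed root.
func issue(name string, ca bool, key ed25519.PrivateKey, parent *x509.Certificate, pkey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// chainsTo is the check behind Root and Chain Evaluation: leaf must chain to root for host via inter.
func chainsTo(root, inter, leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
// scenario pins the original leaf, then renews it under a rotated intermediate while keeping the key pair.
func scenario() map[string]bool {
	const host = "api.example.com" // constructed hostname
	rk, ik, ik2, lk := newKey(), newKey(), newKey(), newKey()
	root := issue("demo-root-ca", true, rk, nil, nil)
	inter := issue("demo-issuing-ca", true, ik, root, rk)
	leaf := issue(host, false, lk, inter, ik)
	inter2 := issue("demo-issuing-ca-2", true, ik2, root, rk)
	renewed := issue(host, false, lk, inter2, ik2) // same key pair, new certificate, new issuer
	return map[string]bool{
		"strict":    sha256.Sum256(renewed.Raw) == sha256.Sum256(leaf.Raw),                                     // Strict: exact leaf fingerprint
		"publickey": sha256.Sum256(renewed.RawSubjectPublicKeyInfo) == sha256.Sum256(leaf.RawSubjectPublicKeyInfo), // Public Key: SPKI only
		"root":      chainsTo(root, inter2, renewed, host),                                                     // Root: server-presented intermediate
		"chain":     chainsTo(root, inter, renewed, host),                                                      // Chain: only the uploaded intermediate
	}
}
```

Only Public Key and Root Evaluation survive this renewal; Strict and Chain Evaluation would each raise a security event until the pin is updated, which is the trade-off to weigh when choosing a profile.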

3 Easy Steps to Use Secure Certificate Pinning in Android & iOS apps

Please follow these 3 easy steps to add Secure Certificate Pinning to any iOS and Android app using Appdome. 

  1. Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
  2. In the Build Tab, under Security, expand Secure Communication, switch ON Secure Certificate Pinning
    • Click Add Pinning Profile
    • Enter a Service Domain
    • Select a Pinning Scheme
    • Add Certificate(s)
      • (Optional) Enable Threat Events and customize the app’s Certificate Pinning Mismatch Message.
  3. Click Build My App
Appdome Secure Certificate Pinning Schemes

Congratulations! You now have a mobile app secured with Certificate Pinning.


Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with Secure Certificate Pinning. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture with thousands of security plugins and an adaptive code generation engine that matches the required plugins to the development environment, frameworks, and methods used in each app.


Here’s what you need to build secured apps with Secure Certificate Pinning

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured apps. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

How to Learn More

Check out the comprehensive KB on MitM Prevention to learn more detail about securing mobile data in transit.

You might want to check out additional ways to further secure your application’s communications, such as enforcing the TLS version, cipher suites, and certificate roles.

To zoom out on this topic, visit Appdome for Mobile App Security on our website.

If you have any questions, please send them our way at or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.
