Secure Certificate Pinning for iOS and Android

This Knowledge Base article explains how to use Appdome no-code mobile app security to implement secure certificate pinning in any mobile app.

What is Certificate Pinning?

Certificate pinning is the process of associating a host with its trusted X.509 certificate (or public key). An application that pins a certificate or public key no longer depends on external elements (such as DNS or CAs) when making security decisions about a peer server's identity. In mobile, the most common form of certificate pinning is embedding the host certificate inside the mobile app to ensure that the server certificate is always trusted (i.e., that it has not been replaced by an attacker).

A host or service’s certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former – adding at development time – is preferred since preloading the certificate or public key out of band means the attacker cannot taint the pin by intercepting the session before the TLS handshake completes.

Learn how to implement Secure Certificate Pinning in any iOS or Android app using Appdome, with no code or coding required.

Appdome Secure Certificate Pinning

Appdome's Secure Certificate Pinning automatically performs certificate validation by verifying the authenticity of the SSL/TLS certificates received from the server. This first occurs during the initial secure communication exchange (i.e., the TLS/SSL handshake) between the app and a server.

Appdome allows developers to verify and pin certificates for specific domains using different methods. Each Service Domain can be configured with * as a wildcard value to cover multiple domains.

Below are the Certificate Pinning Schemes that can be configured using Appdome.

Appdome Secure Certificate Pinning Profiles:

Appdome offers the following 3 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:

  1. Chain Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are treated as CA certificates and replace the default predefined CA certificates for the specific domain. Appdome pins these trusted CA certificates into the app and uses them for session validation to the specified domain.
  2. Strict Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are used to enforce full certificate pinning, with multiple allowed certificates, on all sessions. This means that the leaf certificate in any chain received from a server for the specific domain must match one of the uploaded certificates in order to pass verification.
  3. No Pinning – certificate chains received for the specific domain are not verified by Appdome. They fall back to the OS's default verification process.
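To make the difference between the three profiles and the wildcard Service Domain concrete, here is a small model of the per-domain decision, written for this article and not taken from Appdome's product. It deliberately simplifies certificates to subject/issuer/fingerprint and checks issuer linkage only (no signature or hostname verification); the first-match rule order and the fallback to the OS for hosts with no rule are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Cert:                # simplified X.509 certificate; signatures are not modelled
    subject: str
    issuer: str
    fingerprint: str       # stands in for the hash of the uploaded PEM/DER file

@dataclass(frozen=True)
class DomainRule:
    pattern: str           # Service Domain; '*' acts as a wildcard
    scheme: str            # "chain", "strict" or "none"
    pins: tuple = ()       # certificates uploaded for this domain

def _linked(chain):
    # Each certificate must name the next one up as its issuer.
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))

def evaluate(rules, host, chain):
    """Decide one session: "pass", "fail" or "os_default". chain[0] is the leaf."""
    rule = next((r for r in rules if fnmatchcase(host, r.pattern)), None)
    if rule is None or rule.scheme == "none":
        return "os_default"  # No Pinning (or, assumed here, no matching rule): OS decides
    if not chain or not _linked(chain):
        return "fail"
    pinned = {c.fingerprint for c in rule.pins}
    if rule.scheme == "strict":
        # Strict Evaluation: the leaf itself must be one of the uploaded certificates.
        return "pass" if chain[0].fingerprint in pinned else "fail"
    if rule.scheme == "chain":
        # Chain Evaluation: the uploaded certificates are the only CAs trusted for this
        # domain, so the chain must contain one or be issued by one at the top.
        anchors = {c.subject for c in rule.pins}
        ok = any(c.fingerprint in pinned for c in chain) or chain[-1].issuer in anchors
        return "pass" if ok else "fail"
    raise ValueError(f"unknown pinning scheme {rule.scheme!r}")

# Constructed sample data (not real certificates).
ROOT = Cert("Example Root CA", "Example Root CA", "fp-root")
INTER = Cert("Example Issuing CA", "Example Root CA", "fp-inter")
LEAF = Cert("api.example.com", "Example Issuing CA", "fp-leaf")
ROGUE = Cert("api.example.com", "Some Other CA", "fp-rogue")  # e.g. from an interception proxy
RULES = (
    DomainRule("api.example.com", "strict", (LEAF,)),  # first matching rule wins
    DomainRule("*.example.com", "chain", (ROOT,)),
    DomainRule("cdn.example.net", "none"),
)
```

Note that a chain with the right leaf but a broken issuer link (for example, the leaf followed directly by the root) fails under Chain Evaluation even though the root is pinned.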

Optional Settings:

When you enable Appdome's optional Protect Service Domains Only setting, Appdome performs certificate validation only on the Service Domains that you specify. All other domains are not inspected or validated. This gives you maximum flexibility to control the security posture of your app.

Prerequisites to implement Secure Certificate Pinning using Appdome 

How to implement Secure Certificate Pinning

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

  1. Open the Build tab
  2. Go to the Security tab
  3. Click Secure Communications to expand the bundle
  4. Click on the toggle to enable Trusted Session
  5. Click on the toggle to enable SecureAPI™
  6. Enter a Service Domain.
  7. Select a Pinning Scheme.
  8. Add Certificate(s).
  9. (Optional) Enable Protect Service Domains Only to inspect and validate only the domains included in the Service Domain list.
  10. (Optional) Enable +DEV Events and customize the Certificate Pinning Mismatch Message shown by the app.
  11. Click Build My App.


The technology behind Build My App has two major elements: (1) a microservice architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods in each app and matches the app to the relevant code sets.

Congratulations! You now have a mobile app fully integrated with Secure Certificate Pinning.


What to do After I Build My App?

After you build your app, there are a few additional steps needed to complete your project.

How Do I Learn More?

Check out the comprehensive KB on Trusted Session to learn more detail about each component of Trusted Session.

You might also want to check out additional ways to further secure your application's communication, such as enforcing the TLS version, cipher suites, and certificate roles.

To zoom out on this topic, visit Appdome for Mobile App Security on our website or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we're living up to the mission with your project.

Kai Kenan
