Pin or no pin: the trade-off around certificate pinning in mobile apps
Certificate pinning sounds like the holy grail for a secure mobile app. The app no longer trusts every Certificate Authority that Android or iOS trusts by default, but only a pre-approved set of public keys, so an attacker holding a fraudulently issued certificate or a root CA installed on the device cannot intercept its traffic. Still, the Android Developers documentation explicitly advises against it, mainly because of the operational risk when the server side changes. A CA change or a certificate rotation that the pin set did not anticipate locks every installed copy of the app out of its backend, and the fix is an app-store update that users install at their own pace.
Why pinning remains enticing
Standard TLS validation leans on the operating system's trust store, which holds well over a hundred root CAs. If one of those CAs is compromised, or if malware or a corporate proxy adds a root CA to the device, an attacker can present a certificate for your API that passes validation. (Since Android 7, apps that target API level 24 or later do not trust user-installed CAs unless their network security configuration opts in, which blunts the proxy case but does nothing against a compromised public CA.) For a banking app, a healthcare app or an application that controls industrial equipment, this is unacceptable. OWASP therefore lists identity pinning as a MASVS-NETWORK control at Level 2, the defense-in-depth profile recommended for apps that process sensitive data.
The two golden rules
Those who do pin must follow two rules. The first is: pin public keys, not certificates. With automated issuers such as Let's Encrypt the certificate is replaced every 60 to 90 days, but the underlying key pair can stay the same, provided the renewal is configured that way (certbot, for instance, generates a new key on every renewal unless it is run with --reuse-key). The hash of the SubjectPublicKeyInfo, SPKI for short, is your pin. Generate it with OpenSSL from the leaf certificate the endpoint serves:
openssl s_client -connect api.jouwdomein.nl:443 -servername api.jouwdomein.nl </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64
The second is: always add a backup pin. That is the SPKI hash of a second key pair that you generate and keep offline and do not deploy to production yet; because it has no certificate, you compute its pin from the private key directly (openssl pkey -pubout in place of the x509 step above) and ship it alongside the primary pin. When you need to rotate, you issue a certificate for the backup key and put it on the server, and the app already trusts it, no update needed. Only in a subsequent release do you add a fresh backup pin and drop the old primary. On Android, also give the pin set an expiration date in the network security configuration, so a copy of the app that is never updated eventually falls back to ordinary CA validation instead of being locked out for good.
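Both rules worked through as an added example (this is not code from the original article): the article's openssl pin pipeline applied to local files instead of a live endpoint, the pin-set check an app performs, and an Android network security configuration that carries a primary and a backup pin with an expiration date. The host name api.jouwdomein.nl, the file names, the expiration date and the renewal scenario (one renewal that keeps the key, one planned rotation to the backup key, one renewal where the ACME client silently generated a fresh key) are assumptions made for the demo; all key material is generated on the fly and nothing touches the network.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's openssl
# pin pipeline applied to files instead of a live endpoint, plus the pin-set
# check and the Android network security config that carry the result.
# Host name, file names, dates and the renewal scenario are assumptions.
set -eu

# Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) taken from a
# certificate; this is what the article's s_client pipeline computes.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# The same pin derived from a private key, so a backup key that has never
# been put into a certificate can be pinned before it goes near production.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Certificate fingerprint: changes on every renewal even when the key stays.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# The check an app performs: returns 0 when the certificate's SPKI pin
# equals one of the pins passed as the remaining arguments.
cert_matches_pins() {
    cert="$1"; shift
    pin="$(spki_pin_from_cert "$cert")"
    for allowed in "$@"; do
        [ "$pin" = "$allowed" ] && return 0
    done
    return 1
}

# Android network security configuration with primary pin $1, backup pin $2
# and expiration $3; after that date the pins stop applying and the app
# falls back to normal CA validation instead of staying locked out.
write_network_security_config() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.jouwdomein.nl</domain>
        <pin-set expiration="$3">
            <pin digest="SHA-256">$1</pin>
            <pin digest="SHA-256">$2</pin>
        </pin-set>
    </domain-config>
</network-security-config>
EOF
}

# Self-signed 90-day certificate for the demo host from an existing key.
issue() {
    openssl req -new -x509 -key "$1" -set_serial "$2" -days 90 \
        -subj "/CN=api.jouwdomein.nl" -out "$3"
}

# Test material in directory $1: a primary key renewed once with the same
# key, an offline backup key, and a key an ACME client generated fresh at
# renewal (certbot's default behaviour without --reuse-key).
make_fixtures() {
    for k in primary backup fresh; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$1/$k.key"
    done
    issue "$1/primary.key" 1 "$1/cert1.pem"   # certificate in use today
    issue "$1/primary.key" 2 "$1/cert2.pem"   # renewed, key reused
    issue "$1/backup.key"  3 "$1/cert3.pem"   # planned rotation to backup
    issue "$1/fresh.key"   4 "$1/cert4.pem"   # unplanned key change
}

demo() {
    work="$(mktemp -d)"
    make_fixtures "$work"
    primary="$(spki_pin_from_key "$work/primary.key")"
    backup="$(spki_pin_from_key "$work/backup.key")"
    echo "cert1: $(cert_fingerprint "$work/cert1.pem")"
    echo "cert2: $(cert_fingerprint "$work/cert2.pem")"
    for c in cert1 cert2 cert3 cert4; do
        if cert_matches_pins "$work/$c.pem" "$primary" "$backup"; then
            echo "$c: accepted by the pin set"
        else
            echo "$c: REJECTED, every installed app would be locked out"
        fi
    done
    write_network_security_config "$primary" "$backup" "2027-01-01"
    rm -rf "$work"
}

demo
```

Running it shows cert1 and cert2 producing different fingerprints but the same pin, cert3 being accepted through the backup pin without any change to the pin set, and cert4 being rejected: that last line is exactly the outage the Android documentation warns about, caused by nothing more than a renewal that did not reuse the key.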
Also remember that pinning is a line of defense, not an impenetrable wall. It protects the connection against a hostile network, not against a hostile device: an attacker with root can hook the pin check at runtime, and anyone can repackage the APK with their own pins, re-sign it and install that copy on a device they control. Therefore, pinning belongs in a broader strategy that includes Play Integrity, root detection, obfuscation and runtime checks.