Askeal Logo

Certificate Pinning

Certificate pinning is a security technique that ensures a client application only accepts a specific certificate or public key when establishing a TLS connection, preventing attackers from using fraudulent or misissued certificates.

What is certificate pinning?How it typically works?Common techniquesImpactFurther reading

What is certificate pinning?

Certificate pinning is an additional validation layer in TLS connections. Normally, when a client such as a browser or mobile app connects to a server, it trusts the server’s certificate if it has been issued by any certificate authority in the system’s trust store. While this works in most cases, it creates a potential weakness: if a certificate authority is compromised or issues a fraudulent certificate, attackers can impersonate a server and perform a man-in-the-middle attack. Pinning reduces this risk by configuring the client to only trust a predefined certificate or public key for a given domain. This way, even if a malicious certificate is presented, the connection will be rejected unless it matches the pinned value. For SecOps and AppSec teams, certificate pinning is an important defense against HTTPS interception and advanced adversaries.

How it typically works?

  1. Configuration: developers embed a known certificate or public key inside the application.
  2. Connection: when the client initiates a TLS session with a server, it receives the server’s certificate.
  3. Validation: the client compares the certificate or key against the pinned value.
  4. Decision: if there is a match, the connection proceeds. If not, the connection is blocked.

This mechanism ensures that only the expected certificate is ever trusted, even if other certificate authorities attempt to validate a fraudulent one.

Common techniques

  • Static pinning: the application is shipped with a hardcoded certificate or public key. Simple but requires updates when certificates are rotated.
  • Dynamic pinning: the application downloads and caches the expected certificate during the first trusted connection. More flexible but can be abused if the initial connection is intercepted.
  • Public key pinning: instead of pinning an entire certificate, only the public key is pinned, making certificate renewal easier without breaking connections.
  • Mobile app pinning: frequently used in mobile banking and payment apps to prevent attackers from intercepting HTTPS traffic with debugging proxies.
  • SSL pinning bypass: attackers sometimes attempt to disable or patch pinning logic during reverse engineering of applications. Obfuscation and runtime checks are used to counter this.

Impact

Certificate pinning significantly raises the bar for attackers attempting HTTPS interception. Even if a trusted certificate authority is compromised or misused, the client will only trust the pinned certificate or key. This makes it a powerful defense against man-in-the-middle attacks in sensitive environments such as mobile banking, healthcare, or government applications.

However, pinning also introduces operational challenges. Certificates expire regularly, and if an application is pinned to a certificate that changes, users may be locked out until the application is updated. For this reason, many organizations prefer pinning public keys rather than full certificates. SecOps teams must balance the added security with the potential risk of service disruption.

Pinning is not a universal replacement for proper certificate validation but rather a complementary defense. When implemented correctly, it ensures that even if the trust ecosystem is attacked, communications remain protected.

Further reading

  • OWASP: Certificate and Public Key Pinning. Read more
  • NIST: TLS Guidelines. Read more
  • Android Developers: Security with HTTPS and SSL. Read more
  • Apple Developer: About App Transport Security and Pinning. Read more
  • Cloudflare: What is SSL Pinning? Read more

Related topics

TLS / HTTPSVPNMan-in-the-Middle AttackZero Trust Security