
Enhancing Mobile App Security with SSL Pinning

By Mukhtar Serikbayev, Specialist Offensive Cybersecurity Consultant, Help AG  |  Posted Tuesday, 23rd July 2019

SSL is today the industry standard for ensuring mobile apps can transmit data in a secure manner. However, without a key step, it’s still possible for cyber criminals to snoop on these data connections. So let’s take a look at this key step – called SSL pinning – and how it can help you design and deliver more secure mobile applications.

When mobile applications communicate with a server, they typically use SSL to protect the transmitted data against eavesdropping and tampering. By default, the SSL implementations used in apps trust any server whose certificate chains to a certificate authority in the operating system's trust store. This store is the list of certificate authorities shipped with the operating system.

With SSL pinning, however, the application is configured to reject all but one or a few predefined certificates. Whenever the application connects to a server, it compares the server's certificate with the pinned certificate(s). If and only if they match, the server is considered trusted and the SSL connection is established.

The Need for SSL Pinning

The main reason to use this technique is to ensure that your users' data is better protected from man-in-the-middle attacks. Enabling certificate pinning prevents a class of interception commonly used by attackers. For example, if an attacker tries to use a proxy to read the request's data, the client's connection fails, and you can notify your users that there may be a security issue.

Furthermore, certificate pinning also protects your applications from someone who is trying to tamper with them. By preventing attackers from viewing and manipulating the data that is sent to servers, it helps developers fight this kind of fraudulent behavior.

What exactly should you store/pin?

  • Pin the certificate
  • Pin the public key (SPKI)
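The following Python is an added example, not code from the original article. It walks a DER-encoded certificate down to its SubjectPublicKeyInfo and computes both pin types over constructed, X.509-shaped test certificates (the DER helpers, the filler certificates and the keys are assumptions made here; the "sha256/" + base64 pin format is the one OkHttp's CertificatePinner uses). It shows why the SPKI pin is usually preferred: it survives a routine certificate renewal that keeps the same key, while a whole-certificate pin does not.

```python
import base64, hashlib
def der_tlv(tag, body):
    """Encode one DER element (tag, definite-form length, body)."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    length = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(data, i=0):
    """Decode the element at offset i -> (tag, body, offset of the next element)."""
    tag, n, hdr = data[i], data[i + 1], 2
    if n & 0x80:  # long-form length: low 7 bits give the length's byte count
        k = n & 0x7F
        n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), hdr + k
    return tag, data[i + hdr:i + hdr + n], i + hdr + n

def der_children(body):
    """Split a SEQUENCE body into its children, each kept as a complete TLV."""
    out, i = [], 0
    while i < len(body):
        start, (_, _, i) = i, der_read(body, i)
        out.append(body[start:i])
    return out

def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, by RFC 5280 field order."""
    fields = der_children(der_read(der_children(der_read(cert_der)[1])[0])[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first; skip it
        fields = fields[1:]
    return fields[5]  # serial, signature alg, issuer, validity, subject, SPKI

def pin(der):
    """'sha256/' + base64(SHA-256(der)): the form OkHttp's CertificatePinner expects."""
    return "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode()

# Constructed test data: X.509-shaped DER with filler fields, not real certificates or keys.
SEQ = lambda *parts: der_tlv(0x30, b"".join(parts))
OID = lambda hexstr: der_tlv(0x06, bytes.fromhex(hexstr))
ec_spki = lambda pub: SEQ(SEQ(OID("2a8648ce3d0201"), OID("2a8648ce3d030107")), der_tlv(0x03, b"\x00" + pub))
def fake_cert(serial, spki):
    alg, name = SEQ(OID("2a864886f70d01010b")), SEQ()  # sha256WithRSAEncryption, empty Name
    validity = SEQ(der_tlv(0x17, b"190101000000Z"), der_tlv(0x17, b"200101000000Z"))
    tbs = SEQ(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, bytes([serial])), alg, name, validity, name, spki)
    return SEQ(tbs, alg, der_tlv(0x03, bytes(9)))

CERT_2019 = fake_cert(1, ec_spki(bytes(range(65))))        # original leaf certificate
CERT_2020 = fake_cert(2, ec_spki(bytes(range(65))))        # renewed: new serial, same key
CERT_OTHER = fake_cert(3, ec_spki(bytes(range(65, 130))))  # different key, e.g. an interception proxy
PINS = {pin(spki_from_cert(CERT_2019))}                    # what the app ships with
```

The app's check is simply `pin(spki_from_cert(server_cert)) in PINS`: the renewed certificate passes, the foreign key fails, and `pin(CERT_2019) != pin(CERT_2020)` shows a whole-certificate pin would have broken the app at renewal.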

However, as with all other security measures, SSL pinning is not a silver bullet, and it won't protect your users against local attacks. Neither will it stop reverse engineering, so bypasses based on Frida, Xposed unpinning modules, debugging and repackaging all still work. It's also worth noting that this security step won't help if the device is rooted or jailbroken. Furthermore, it can be an operational headache and must be designed carefully, so it isn't necessarily recommended for everyone.

That said, SSL pinning is certainly an important security enhancement – and if relevant, it’s one that must be implemented with care.
