How to Apply Certificate Pinning to Specific Domains in iOS, Android apps Using AI

Learn how to apply certificate pinning to specific domains in Android and iOS apps.

When you build Appdome Certificate Pinning into mobile apps, you can specify the domains on which you wish to use certificate pinning.

What is Certificate Pinning?

Certificate Pinning is a security technique where trusted SSL/TLS certificates are embedded into a mobile app to ensure it only connects to pre-defined, trusted servers. By validating certificates during the TLS/SSL handshake, certificate pinning mitigates the risk of man-in-the-middle (MiTM) attacks, where attackers use compromised or fraudulent certificates to intercept communications. This prevents apps from connecting to malicious servers and safeguards sensitive data.

Attackers commonly target mobile apps by manipulating DNS, public certificate authorities, or session data to insert altered certificates. Implementing certificate pinning during development ensures secure app-server communication, protecting app data, and ensuring compliance with standards such as OWASP MASVS and PCI-DSS.

How Appdome Protects Mobile Apps With Certificate Pinning

Appdome’s dynamic Certificate Pinning plugin for Android/iOS embeds trusted certificates securely inside the app, encrypting and protecting them with Appdome’s ONEShield™ app shielding (RASP) technology. During the TLS/SSL handshake, the plugin validates certificates, session states, and Certificate Authorities (CAs) to detect mismatches or modifications. If a compromised certificate is detected, the connection is blocked before attackers can intercept or manipulate communications. Developers can pin certificates for specific domains or use wildcard values to secure multiple endpoints, ensuring trusted app-server communication and preventing MiTM attacks.

Prerequisites

Here’s what you need to build secured apps with Secure Certificate Pinning

• Appdome account (If you don’t have an Appdome account, create a free Appdome account here)
• Mobile App (.ipa for iOS, or .apk or .aab for Android)
• Signing Credentials (e.g., signing certificates and provisioning profile)

Secure Certificate Pinning Profiles:

Appdome offers the following 5 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:

• Chain Evaluation – evaluates the chain of trust used by the Root Certificate and Intermediate Certificate uploaded to Appdome by the user, and will trust only those intermediate and leaf certificates that are trusted by the uploaded certificates. Basically, this locks the chain of trust. Any mismatch is a security event.
• Strict Evaluation – evaluates the exact fingerprint of server certificate uploaded to Appdome against the certificate returned by the server. This is equivalent to Leaf certificate pinning. If the server returns a different certificate, the mismatch is a security event.
• Root Evaluation – only evaluates that the root CA returned for the specified domain/host (FQDN) matches the Root CA Certificate uploaded to Appdome. Because the CA certificates are valid for 10+ years, this setup will not require updates when the leaf certificate or the intermediate certificates are renewed (i.e., the server can return an updated intermediate or leaf certificate without invoking a security event). By pinning against the root certificate only, any changes to the customer’s intermediate or leaf certificates will work without having to update the app.
• Public Key Evaluation – only evaluates the server’s certificate public key to ensure complete continuity of service when the certificate is renewed if the new server certificate comes with the same public key.
• No Pinning – certificate chains received for the specific domain will not be verified by Appdome. They will normally fall back to the OS’s default verification process.