How to Use Certificate Pinning Schemes in Mobile Apps Using AI
This Knowledge Base article describes how to use Appdome’s AI/ML in your CI/CD pipeline to continuously deliver plugins that implement Certificate Pinning Schemes (aka: profiles) in Android and iOS apps to prevent MitM attacks. This article describes the Certificate Pinning Schemes that can be configured on Appdome.
What Are Certificate Pinning Schemes?
Certificate Pinning Schemes define how mobile apps validate SSL/TLS certificates to prevent Man-in-the-Middle (MitM) attacks and ensure secure communication with trusted servers. Attackers may intercept encrypted traffic using fraudulent certificates, compromised Certificate Authorities (CAs), or malicious proxies to decrypt sensitive data. By implementing certificate pinning, apps verify server authenticity based on predefined certificates or cryptographic properties, blocking unauthorized or rogue connections. Without proper certificate pinning, apps remain vulnerable to network-based threats, increasing the risk of data interception, credential theft, and regulatory non-compliance in financial, healthcare, and enterprise applications.
How Appdome Protects Mobile Apps With Certificate Pinning Schemes
Appdome’s dynamic Certificate Pinning Schemes plugins enforce SSL/TLS certificate pinning in Android and iOS apps, securing app-to-server communications against MitM attacks. Using AI/ML-driven automation, Appdome applies pinning without manual coding, SDKs, or server modifications. The plugins offer multiple pinning profiles to meet different security and operational requirements.
To select a pinning scheme:
- Go to the Security tab > Secure Communication section.
- Enable (toggle On) Certificate Pinning.
- Open the Pinning Scheme drop-down list.
Certificate Pinning Profiles/Schemes
Appdome offers the following mutually exclusive pinning schemes (aka: pinning profiles) to implement Certificate Pinning in any iOS or Android app:
- Chain Evaluation – verifies the chain of trust for the Root and Intermediate Certificates uploaded to Appdome. It ensures that only intermediate and leaf certificates trusted by the uploaded certificates are accepted, effectively locking the chain of trust. Any mismatch triggers a security event.
- Strict Evaluation – evaluates the exact fingerprint of the server certificate uploaded to Appdome against the certificate returned by the server. This is equivalent to leaf certificate pinning. If the server returns a different certificate, the mismatch is a security event.
- Root Evaluation – only evaluates that the root CA returned for the specified domain/host (FQDN) matches the Root CA Certificate uploaded to Appdome. Because the CA certificates are valid for 10+ years, this setup will not require updates when the leaf certificate or the intermediate certificates are renewed (i.e., the server can return an updated intermediate or leaf certificate without invoking a security event). By pinning against the root certificate only, any changes to the customer’s intermediate or leaf certificates will work without having to update the app.
- Public Key Evaluation – only evaluates the public key in the server’s certificate, so service continues uninterrupted across certificate renewals as long as the renewed server certificate carries the same public key.
- No Pinning – certificate chains received for the specific domain will not be verified by Appdome. They will normally fall back to the OS’s default verification process.
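To make the differences between the schemes concrete, here is an added Go example (not Appdome’s code; Appdome applies these schemes without any app code) that mints a constructed root/intermediate/leaf chain, derives the pins each scheme would need from it, and then evaluates the chains a server might present after a leaf renewal, an intermediate rotation, or an interception attempt with an untrusted root. The `Pins` layout, the `Evaluate` and `Scenarios` functions, the scenario names and the host name `api.example.test` are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Scheme string // one of the mutually exclusive pinning profiles described above

const Chain, Strict, Root, PublicKey, None Scheme = "chain", "strict", "root", "public-key", "none"

// Pins is what the app carries at build time (a constructed layout for this example, not Appdome's format).
type Pins struct {
	LeafFingerprint, LeafSPKI, RootFingerprint string         // hex SHA-256 of leaf DER, leaf SPKI and root DER
	Roots, Intermediates                       *x509.CertPool // the uploaded CA certificates
}

func fp(der []byte) string    { return fmt.Sprintf("%x", sha256.Sum256(der)) }
func p256() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// PinsFor derives every pin from the chain uploaded at build time (leaf first, root last).
func PinsFor(chain []*x509.Certificate) Pins {
	leaf, root := chain[0], chain[len(chain)-1]
	p := Pins{fp(leaf.Raw), fp(leaf.RawSubjectPublicKeyInfo), fp(root.Raw), x509.NewCertPool(), x509.NewCertPool()}
	p.Roots.AddCert(root)
	for _, c := range chain[1 : len(chain)-1] {
		p.Intermediates.AddCert(c)
	}
	return p
}

// Evaluate applies one scheme to the chain a server presented (leaf first, root last); a non-nil error is
// the "security event". None defers entirely to the OS trust store; unknown scheme names fail closed.
func Evaluate(s Scheme, p Pins, presented []*x509.Certificate) error {
	leaf, root := presented[0], presented[len(presented)-1]
	switch s {
	case None:
		return nil
	case Chain: // only the uploaded CAs may vouch for the leaf; intermediates sent by the server are ignored
		_, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: p.Intermediates})
		return err
	}
	pair, known := map[Scheme][2]string{
		Strict:    {fp(leaf.Raw), p.LeafFingerprint},
		PublicKey: {fp(leaf.RawSubjectPublicKeyInfo), p.LeafSPKI},
		Root:      {fp(root.Raw), p.RootFingerprint},
	}[s]
	if !known || pair[0] != pair[1] {
		return fmt.Errorf("%s pin mismatch: security event", s)
	}
	return nil
}

// issue mints a short-lived test certificate for pub, signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, pub any, parent *x509.Certificate, parentKey any) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err) // constructed test data: any failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Scenarios pins a constructed chain and returns, by name, chains a server might present later.
func Scenarios() (Pins, map[string][]*x509.Certificate) {
	rootKey, interKey, leafKey, newKey, newInterKey, otherKey := p256(), p256(), p256(), p256(), p256(), p256()
	root := issue("Pinned Root CA", true, &rootKey.PublicKey, nil, rootKey)
	inter := issue("Pinned Intermediate CA", true, &interKey.PublicKey, root, rootKey)
	newInter := issue("Rotated Intermediate CA", true, &newInterKey.PublicKey, root, rootKey)
	other := issue("Untrusted Root CA", true, &otherKey.PublicKey, nil, otherKey)
	leaf := func(pub any, by *x509.Certificate, byKey any) *x509.Certificate { return issue("api.example.test", false, pub, by, byKey) }
	uploaded := []*x509.Certificate{leaf(&leafKey.PublicKey, inter, interKey), inter, root}
	return PinsFor(uploaded), map[string][]*x509.Certificate{
		"unchanged":              uploaded,
		"leaf renewed, same key": {leaf(&leafKey.PublicKey, inter, interKey), inter, root},
		"leaf renewed, new key":  {leaf(&newKey.PublicKey, inter, interKey), inter, root},
		"rotated intermediate":   {leaf(&newKey.PublicKey, newInter, newInterKey), newInter, root},
		"untrusted root":         {leaf(&newKey.PublicKey, other, otherKey), other},
	}
}

func main() {
	pins, chains := Scenarios()
	for name, chain := range chains {
		fmt.Printf("%-24s chain=%v strict=%v root=%v public-key=%v\n", name, Evaluate(Chain, pins, chain) == nil,
			Evaluate(Strict, pins, chain) == nil, Evaluate(Root, pins, chain) == nil, Evaluate(PublicKey, pins, chain) == nil)
	}
}
```

Running it prints one row per scenario: Strict Evaluation rejects every renewal, Public Key Evaluation survives a renewal that keeps the key, Chain Evaluation tolerates leaf renewals but not an intermediate that was never uploaded, and Root Evaluation tolerates both while still rejecting a chain that ends at a different root. In a real app the chain comes from the TLS handshake rather than from `Scenarios`; the decision logic is the same.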
Pinning Control
Developers can further enhance SSL/TLS security with additional enforcement options:
- Enforce Certificate Roles – require network connections to verify the ‘basicConstraints’ extension in the certificate chain.
- Enforce Strong RSA Signature – require server certificate signatures to use a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
- Enforce Strong ECC Signature – require server certificate signatures to use an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.
- Enforce SHA256 Digest – require server certificate signatures to use a SHA256 or stronger certificate hashing algorithm.
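An added Go example (not Appdome’s implementation) showing how the four Pinning Control options translate into checks over a presented certificate chain. The certificates are constructed struct stubs carrying only the fields the checks read, so no signing is involved; `Control`, `CheckControls`, `stub`, `rsaBits`, `StrictAll` and the chain names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// Control mirrors the four "Pinning Control" options described above.
type Control struct{ Roles, StrongRSA, StrongECC, SHA256Digest bool }

// StrictAll turns every option on.
var StrictAll = Control{Roles: true, StrongRSA: true, StrongECC: true, SHA256Digest: true}

// CheckControls walks a chain (leaf first) and reports the first option it violates. Every certificate's
// key is inspected, which covers the issuer keys behind each signature as well as the leaf's own key; the
// signature algorithm recorded in each certificate tells which digest its issuer used.
func CheckControls(c Control, chain []*x509.Certificate) error {
	for i, cert := range chain {
		cn, alg := cert.Subject.CommonName, cert.SignatureAlgorithm
		rsaKey, _ := cert.PublicKey.(*rsa.PublicKey)
		ecKey, _ := cert.PublicKey.(*ecdsa.PublicKey)
		switch {
		case c.Roles && i > 0 && !(cert.BasicConstraintsValid && cert.IsCA):
			return fmt.Errorf("roles: %q issued a certificate but carries no CA basicConstraints", cn)
		case c.StrongRSA && rsaKey != nil && rsaKey.N.BitLen() < 2048:
			return fmt.Errorf("rsa: %q uses a %d-bit key", cn, rsaKey.N.BitLen())
		case c.StrongECC && ecKey != nil && ecKey.Curve.Params().BitSize < 256:
			return fmt.Errorf("ecc: %q uses a %d-bit curve", cn, ecKey.Curve.Params().BitSize)
		case c.SHA256Digest && (alg == x509.SHA1WithRSA || alg == x509.ECDSAWithSHA1 || alg == x509.MD5WithRSA || alg == x509.DSAWithSHA1):
			return fmt.Errorf("digest: %q is signed with %s", cn, alg)
		}
	}
	return nil
}

// stub builds a certificate stand-in with only the fields CheckControls reads (constructed test data).
func stub(cn string, ca bool, key any, alg x509.SignatureAlgorithm) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		PublicKey: key, SignatureAlgorithm: alg}
}

// rsaBits returns an RSA public key whose modulus is exactly n bits long; only the size matters here.
func rsaBits(n int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(n-1)), E: 65537}
}

// SampleChains returns, by name, one compliant chain and four that each trip a different option.
func SampleChains() map[string][]*x509.Certificate {
	root := stub("Root CA", true, rsaBits(4096), x509.SHA256WithRSA)
	inter := stub("Intermediate CA", true, &ecdsa.PublicKey{Curve: elliptic.P384()}, x509.SHA384WithRSA)
	p256 := &ecdsa.PublicKey{Curve: elliptic.P256()}
	return map[string][]*x509.Certificate{
		"compliant":         {stub("api.example.test", false, p256, x509.ECDSAWithSHA256), inter, root},
		"1024-bit RSA leaf": {stub("api.example.test", false, rsaBits(1024), x509.ECDSAWithSHA256), inter, root},
		"P-224 leaf":        {stub("api.example.test", false, &ecdsa.PublicKey{Curve: elliptic.P224()}, x509.ECDSAWithSHA256), inter, root},
		"SHA-1 signed leaf": {stub("api.example.test", false, p256, x509.ECDSAWithSHA1), inter, root},
		"issued by non-CA":  {stub("api.example.test", false, p256, x509.ECDSAWithSHA256), stub("Server Cert", false, p256, x509.ECDSAWithSHA256), root},
	}
}

func main() {
	for name, chain := range SampleChains() {
		fmt.Printf("%-20s -> %v\n", name, CheckControls(StrictAll, chain))
	}
}
```

With every option enabled only the compliant chain passes; switching an option off lets the corresponding chain through again, which is the trade-off each toggle represents.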
Unlike static implementations, Appdome’s CI/CD-integrated approach continuously adapts to SSL/TLS security needs, allowing organizations to enforce enterprise-grade protections without disrupting app functionality.
Related articles:
- How to Block Mobile Bots with Client Certificates, Authenticate Legitimate Mobile Apps
- How to Block Mobile Bots Using Session & Header Secrets
- How to Encrypt Shared Preferences in Android apps
- How to Connect to Trusted Mobile Hosts with URL Whitelisting on Android & iOS Apps