Certificate Pinning
Certificate pinning is a security technique in which an application is hard-coded to trust only a specific TLS certificate, public key, or certificate authority for a given server, rejecting connections presented with any other certificate…
Definition
Certificate pinning is a security technique in which an application is hard-coded to trust only a specific TLS certificate, public key, or certificate authority for a given server, rejecting connections presented with any other certificate even if it would otherwise be validly signed by a trusted root CA.
Overview
Normally, TLS/SSL connections are validated by checking that a server's certificate chains up to a certificate authority (CA) present in the client's trust store — a large, shared list of CAs that operating systems and browsers trust by default. This model works well generally, but it has a structural weakness: if any trusted CA (out of the hundreds present in a typical trust store) is compromised, misconfigured, or coerced into issuing a fraudulent certificate for a domain, an attacker can potentially perform a man-in-the-middle attack against any client that relies purely on standard chain-of-trust validation, since the fraudulent certificate would still validate successfully against the trust store. Certificate pinning eliminates reliance on the full CA trust store for a specific connection by embedding ('pinning') the expected certificate, its public key, or a cryptographic hash of the public key (commonly via HTTP Public Key Pinning historically, or more often today through platform-specific mobile app mechanisms) directly into the client application. When the app connects to the server, it compares the presented certificate or public key against the pinned value and refuses the connection if they don't match — even if the presented certificate is otherwise validly signed by a legitimate CA. This defends specifically against CA compromise, malicious or misissued certificates, and interception by tools like corporate TLS-inspecting proxies or malware that install a rogue trusted root certificate on a device. Certificate pinning is most commonly implemented in mobile applications (iOS and Android both provide platform APIs or libraries like TrustKit and OkHttp's CertificatePinner to support it), since mobile apps are self-contained binaries under the developer's full control, unlike web browsers where pinning was historically supported via the now-deprecated HTTP Public Key Pinning (HPKP) header, which browsers dropped due to its high risk of accidentally locking users out of a site if pins were misconfigured or certificates rotated without updating pins in time. This 'bricking' risk — pinning the wrong or soon-to-expire certificate and losing the ability to connect at all — is the central operational tradeoff of certificate pinning: it significantly raises the security bar against MITM attacks but requires careful pin rotation planning (typically pinning an intermediate CA or including backup pins) whenever certificates are renewed, or app updates can become unable to reach their own backend.
Key Concepts
- Hard-codes a specific certificate, public key, or key hash that a client will trust for a server
- Rejects connections presenting any other certificate, even if validly signed by a trusted CA
- Defends against compromised, misissued, or fraudulently obtained CA certificates
- Protects against interception by rogue proxies or maliciously installed trusted root certificates
- Most commonly implemented in mobile apps via platform APIs or libraries (TrustKit, OkHttp)
- Historically supported on the web via HTTP Public Key Pinning (HPKP), now deprecated
- Requires careful pin rotation planning to avoid 'bricking' connectivity on certificate renewal
- Often pins an intermediate CA or includes backup pins to reduce rotation risk