Ask me Anything About Certificate Pinning

Paulo Renato

I am Paulo Renato, a Developer Advocate for Mobile and API Security, and I am making myself available to reply to any questions you may have about certificate pinning on mobile apps.

I am the maintainer of the Mobile Certificate Pinning Generator web page, which allows you to generate your certificate pinning configurations for Android and iOS.

You can also find me answering security questions on StackOverflow.

Finally, I am also the author of a series of articles on Mobile and API security, where some of the articles are about implementing certificate pinning, bypassing pinning and securing against bypassing it. You can see the series of articles in this Twitter thread:

🧵 A thread on #Mobile #ApiSecurity

🗓️ Today a #developer on LinkedIn asked me for help on how to minimize the risk of #ReverseEngineering an #ApiKey on a #MobileApp

✍️ Turns out that I wrote a series of blog posts to educate #developers on this concern

Read all in sequence ⬇️ pic.twitter.com/H9ssL3ooed

— Paulo Renato (@exadra37) July 12, 2022

Top comments (2)

tmiracco

How often should developers update the pinned certificates in their apps, and why is this important?

Paulo Renato

How often should developers update the pinned certificates in their apps,

This may depend on the compliance requirements of the market the mobile app is targeting, but the widely used practice is to rotate them every year.

and why is this important?

It's important to rotate them as a precautionary measure against an unknown leak of the certificates.

For example, the backend may have been compromised and the certificates are now available to attackers, who will then be able to use them in MitM attacks to intercept traffic between the mobile app and the backend, thus being able to extract secrets, modify and replay requests and, more importantly, gather enough info to build a bot to automate such attacks.
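As an added example (not code from this post or from the Mobile Certificate Pinning Generator), a small Python helper that encodes the yearly rotation practice described in the answer: it derives SPKI SHA-256 pins, renders an Android network_security_config.xml pin-set whose expiration attribute lands one rotation period after issuance, requires a backup pin so rotating the key does not lock users out, and reports when rotation is due. The domain, dates and SPKI bytes used in it are constructed, and the rotation and warning periods are assumptions.

```python
import base64
import hashlib
from datetime import date, timedelta

# Assumed policy for this example: rotate yearly, warn a month ahead.
ROTATION_PERIOD_DAYS = 365
WARN_BEFORE_DAYS = 30


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, base64 encoded: the pin
    format used by Android's network security config and by iOS pinning
    libraries such as TrustKit."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_is_well_formed(pin: str) -> bool:
    """A SHA-256 pin must be valid base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:
        return False


def rotation_status(expiration_iso: str, today_iso: str,
                    warn_days: int = WARN_BEFORE_DAYS) -> str:
    """'expired': Android stops enforcing a pin-set past its expiration and
    silently falls back to the system trust store, so the app is unpinned.
    'due': rotate now. 'ok': nothing to do yet."""
    expiration = date.fromisoformat(expiration_iso)
    today = date.fromisoformat(today_iso)
    if today >= expiration:
        return "expired"
    if (expiration - today).days <= warn_days:
        return "due"
    return "ok"


def android_pin_set(domain: str, primary_pin: str, backup_pin: str,
                    issued_iso: str) -> str:
    """Render a network_security_config.xml fragment. The backup pin must come
    from a different key so the rotated key is already trusted by shipped apps."""
    if primary_pin == backup_pin:
        raise ValueError("backup pin must come from a different key")
    for pin in (primary_pin, backup_pin):
        if not pin_is_well_formed(pin):
            raise ValueError(f"malformed pin: {pin}")
    expiration = date.fromisoformat(issued_iso) + timedelta(days=ROTATION_PERIOD_DAYS)
    return ("<network-security-config>\n  <domain-config>\n"
            f'    <domain includeSubdomains="true">{domain}</domain>\n'
            f'    <pin-set expiration="{expiration.isoformat()}">\n'
            f'      <pin digest="SHA-256">{primary_pin}</pin>\n'
            f'      <pin digest="SHA-256">{backup_pin}</pin>\n'
            "    </pin-set>\n  </domain-config>\n</network-security-config>")
```

Feeding the real SPKI bytes of the serving and backup keys to spki_pin gives the values to paste into the pin-set, and running rotation_status from CI against the shipped expiration date catches the case where a forgotten rotation has quietly turned pinning off.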