Certificate Pinning

Plan: Team
Platforms: Android, iOS
MASVS: MASVS-NETWORK-2

Summary

Certificate Pinning verifies that HTTPS connections to configured domains present a certificate chain containing an approved certificate or public key (a pin). If no certificate in the presented chain matches the configured pins, AppTego blocks the connection and applies your configured response.

Use this control for API traffic that carries credentials, payment data, health data, identity data, proprietary business data, or other high-value information.

What It Protects Against

Without pinning, the app accepts any certificate for your domain that chains to one of the many root authorities in the device trust store. Pinning narrows that trust to the keys you approved, so a connection is blocked when an attacker presents a certificate the device would otherwise accept: one issued by a compromised or coerced certificate authority, one mis-issued for your domain, or one signed by a root that was installed on the device by an interception proxy or by the user. Pinning protects the TLS channel only; it does not by itself stop an attacker who can modify or instrument the app, which is why it is combined with the other AppTego runtime controls.

How It Works

You configure trusted certificate pins for one or more domains in the portal. AppTego packages that policy into the protected app. At runtime, the protected app compares the server certificate chain for configured domains against the approved pins before allowing the connection to proceed.

Pins can be scoped to a specific leaf certificate or to a broader certificate authority, depending on your rotation model and risk tolerance. A leaf pin is the strictest, but every certificate renewal changes the pin, so it requires a backup pin and coordinated rollout. A CA pin survives leaf renewals, but the app then accepts any certificate that CA issues for the configured domain. The exact platform implementation is handled by AppTego.

How to Enable the Control

Navigate to Connection Settings in the AppTego portal and expand the Certificate Trust section, which contains the Certificate Pinning control. Click Enable, choose the response action, and save the configuration. The policy is applied in the next build, or immediately with a live push if live push is enabled.

API Configuration Example

{
  "CertificatePinning": {
    "detection": true,
    "action": "alert",
    "title": "Certificate Pinning",
    "message": "This connection does not match the configured certificate trust policy. Please check your network or contact support.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
Field                            Purpose
detection                        Enables certificate pinning enforcement.
action                           Selects the response style, such as alert, close, log, or warn.
title / message                  User-facing text shown when a response is displayed.
buttons / actions / redirects    Defines the available response buttons and their outcomes.

Setup

  1. Open the AppTego Portal.
  2. Go to Connection Settings or the certificate management area.
  3. Upload the production certificate or certificate authority you want to trust.
  4. Assign the certificate to the relevant domains.
  5. Add at least one backup pin for planned rotation.
  6. Save the configuration and build a protected app.
  7. Test the protected app against Development or Staging endpoints before releasing to Production.

Rollout And Rotation

Stage          Recommendation
Development    Test pinning against non-production domains with a non-blocking response (for example log) so mismatches are visible without breaking the app.
Staging        Validate every API, CDN, authentication, analytics, and third-party network flow; any pinned host whose chain is not in the policy will fail in production.
Production     Release with current and backup pins, then coordinate backend certificate rotation with app adoption.
Rotation       Add the next pin before rotating certificates. Remove old pins only after the new chain is live on every endpoint and builds that still rely on the old pins are no longer in use.
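The comparison described under How It Works, and the reason the rotation rules above insist on a backup pin, can be seen in a small model of the check. This is an added example, not AppTego code: it computes pins in the sha256/base64(SPKI) form used by HPKP and OkHttp, then evaluates a presented chain against a per-host policy. The certificates are constructed DER structures with dummy keys (not real, unsigned) so the script runs offline; the function names, hostnames and policies are assumptions for the illustration.

```python
"""Model of SPKI certificate pinning: compute pins from DER certificates and
check a presented chain against a per-host pin policy (illustration only)."""
import base64
import hashlib

SEQ, SET, INT, BITSTR, OID, UTF8, UTCTIME, NULL = 0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0x17, 0x05


def der(tag, content):
    """Encode one DER TLV, using long-form length when content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


# Constructed sample certificates (dummy keys, placeholder signature), used as test data.
EC_PUBKEY = der(OID, bytes.fromhex("2A8648CE3D0201"))                          # 1.2.840.10045.2.1
P256 = der(OID, bytes.fromhex("2A8648CE3D030107"))                              # 1.2.840.10045.3.1.7
SHA256_RSA = der(SEQ, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))


def name(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn.encode()))))


def spki_for(seed):
    """Constructed SubjectPublicKeyInfo: P-256 algorithm id plus a fake uncompressed point."""
    point = b"\x04" + hashlib.sha256(seed + b"x").digest() + hashlib.sha256(seed + b"y").digest()
    return der(SEQ, der(SEQ, EC_PUBKEY + P256) + der(BITSTR, b"\x00" + point))


def cert(subject, issuer, seed):
    """Constructed X.509 v3 Certificate; the signature is a zero placeholder."""
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"260101000000Z"))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, b"\x01") + SHA256_RSA
              + name(issuer) + validity + name(subject) + spki_for(seed))
    return der(SEQ, tbs + SHA256_RSA + der(BITSTR, b"\x00" + bytes(64)))


def _tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate (the bytes that get pinned)."""
    tag, body, _ = _tlv(cert_der, 0)
    if tag != SEQ:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = _tlv(body, 0)
    if tag != SEQ:
        raise ValueError("not a TBSCertificate SEQUENCE")
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 7:
        tag, _, end = _tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:
        fields.pop(0)  # optional explicit [0] version
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != SEQ:
        raise ValueError("malformed TBSCertificate")
    return fields[5][1]


def spki_pin(cert_der):
    """HPKP/OkHttp-style pin: sha256/ followed by the base64 SHA-256 of the SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def connection_allowed(host, chain_der, policy):
    """Unpinned hosts pass; a pinned host passes only if some chain certificate matches a pin."""
    pins = policy.get(host)
    if pins is None:
        return True
    return any(spki_pin(c) in pins for c in chain_der)


CA = cert("Example Root CA", "Example Root CA", b"ca-key")
LEAF_A = cert("api.example.com", "Example Root CA", b"leaf-key-2024")
LEAF_B = cert("api.example.com", "Example Root CA", b"leaf-key-2025")      # rotated leaf key
PROXY_CA = cert("Corp TLS Inspection", "Corp TLS Inspection", b"proxy-key")
PROXY_LEAF = cert("api.example.com", "Corp TLS Inspection", b"proxy-leaf")  # interception chain

POLICY_LEAF_ONLY = {"api.example.com": {spki_pin(LEAF_A)}}
POLICY_WITH_BACKUP = {"api.example.com": {spki_pin(LEAF_A), spki_pin(LEAF_B)}}
POLICY_CA_SCOPED = {"api.example.com": {spki_pin(CA)}}


def rotation_demo():
    """Outcomes for the old chain, the rotated chain and an interception chain under each policy."""
    old, new, proxy = [LEAF_A, CA], [LEAF_B, CA], [PROXY_LEAF, PROXY_CA]
    return {
        "leaf_only_before_rotation": connection_allowed("api.example.com", old, POLICY_LEAF_ONLY),
        "leaf_only_after_rotation": connection_allowed("api.example.com", new, POLICY_LEAF_ONLY),
        "backup_pin_after_rotation": connection_allowed("api.example.com", new, POLICY_WITH_BACKUP),
        "ca_scoped_after_rotation": connection_allowed("api.example.com", new, POLICY_CA_SCOPED),
        "interception_proxy": connection_allowed("api.example.com", proxy, POLICY_CA_SCOPED),
        "unpinned_host": connection_allowed("cdn.example.com", new, POLICY_LEAF_ONLY),
    }


if __name__ == "__main__":
    for case, ok in rotation_demo().items():
        print(f"{case:28} {'allowed' if ok else 'BLOCKED'}")
```

Running it shows the three outcomes the table above is built around: a leaf-only policy blocks the app as soon as the key rotates, a policy that already carries the next key's pin keeps working through the rotation, and a CA-scoped pin survives rotation but accepts anything that CA issues for the host. The interception chain is blocked under every pinned policy, which is exactly what breaks corporate TLS inspection and debugging proxies in production.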

User And App Impact

When pinning blocks a connection, users may see a failed sign-in, a failed sync, unavailable content, or the configured security message. This usually means the network path or the server certificate chain does not match the approved policy: a certificate was rotated without its pin being added first, or something between the device and the server is terminating TLS.

Pinning also blocks corporate TLS inspection and local debugging proxies, because the certificates they present are not in the pin set. Align the policy with your enterprise customers' requirements before enforcing a blocking response.