Certificate Pinning
Certificate pinning restricts app traffic so protected builds trust only the certificates or public keys you approve for your domains, rather than any certificate the device's trust store would accept. It reduces exposure to man-in-the-middle interception, mis-issued certificates, compromised certificate authorities, and TLS inspection you have not sanctioned.
Use this guide to plan the certificate lifecycle. For the per-control reference, see Certificate Pinning.
Pinning is powerful because it narrows trust. That also means mistakes can block real users, so pair every strict pinning rollout with a tested rotation plan and clear ownership.
When To Use Pinning
| Use case | Recommendation |
|---|---|
| Banking, payments, identity, healthcare, or regulated data | Use pinning for production API domains and pair it with proxy detection. |
| Enterprise app with managed network inspection | Test carefully. Pinning may block approved inspection proxies unless your policy and backend certificate chain are designed for it. |
| Apps with frequent certificate rotation | Use backup pins and a planned rotation window before enforcing strict responses. |
| Early development or unstable backend TLS | Delay enforcement until certificates, domains, and CDN behavior are stable. |
Pinning Model
| Pin type or scope | What it protects | Operational tradeoff |
|---|---|---|
| Leaf certificate pin | A specific server certificate or its public key. | Strongest binding, but the new pin must ship in the app before the certificate or key it replaces goes live. |
| Intermediate or CA pin | A trusted issuing certificate in the chain. | Easier renewal, but broader trust than a leaf pin. |
| Domain-specific pin | One or more hostnames. | Best for production APIs, authentication endpoints, and regulated data flows. |
| Broad or wildcard domain policy | A larger hostname set where supported by your configuration. | Useful for consistent API estates, but requires full inventory of backend, CDN, analytics, and third-party endpoints. |
Certificate pinning is configured for domains and certificate entries in AppTego. Do not rely on a broad policy until every required endpoint and certificate chain has been tested in a protected build.
Recommended Rotation Runbook
- Inventory production domains and third-party endpoints used by the app.
- Upload the current production pin and at least one backup pin.
- Build a protected Staging app and test all login, API, payment, analytics, and support flows.
- Confirm CDN, certificate renewal, and disaster-recovery certificate plans with the backend team.
- Release a production build that contains both current and backup pins.
- Rotate backend certificates only after the build with backup pins has reached the required adoption threshold.
- Remove old pins in a later release after traffic confirms the new certificate chain is active.
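The following Python walks the runbook above as an added example. It is not AppTego code and does not describe how AppTego stores or evaluates pins; the host name `api.example.com`, the key bytes, and the certificate-shaped DER structures are constructed for illustration. It computes pins in the common `sha256/<base64>` form over the DER SubjectPublicKeyInfo (the format used by HPKP and OkHttp), which is why a renewal that keeps the same key pair still matches while a key rotation without a shipped backup pin fails, and it then evaluates the three releases of the runbook (current pin only, current plus backup, backup only) against the old and new certificates.

```python
"""Added example: SPKI pin computation and a pin-set check across the rotation runbook.
Not AppTego code. Certificates, keys and the host name are constructed for illustration."""
import base64
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


ED25519_OID = tlv(0x06, bytes.fromhex("2B6570"))  # id-Ed25519, OID 1.3.101.112


def spki_for_ed25519(raw_key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    return seq(seq(ED25519_OID), tlv(0x03, b"\x00" + raw_key))


def fake_certificate(cn: str, spki: bytes, serial: int = 1) -> bytes:
    """Certificate-shaped DER with the real tbsCertificate field order. Constructed:
    the signature bytes are placeholders, so this would never validate as a real cert."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # [0] EXPLICIT version v3 (OPTIONAL in X.509)
    serial_tlv = tlv(0x02, bytes([serial]))
    sig_alg = seq(ED25519_OID)
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, cn.encode()))))
    validity = seq(tlv(0x17, b"250101000000Z"), tlv(0x17, b"260101000000Z"))
    tbs = seq(version, serial_tlv, sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(64)))


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the DER-encoded subjectPublicKeyInfo."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, after_version = read_tlv(tbs, 0)
    pos = after_version if tag == 0xA0 else 0  # skip the optional version field if present
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin the key, not the certificate: base64(SHA-256(DER SPKI)).
    Re-issuing a certificate for the same key pair therefore keeps the pin valid."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_check(host: str, chain: list, policy: dict):
    """Allow only if some certificate in the presented chain carries a pinned key for host.
    A host with no pin set fails closed here; a real product may pass such hosts through."""
    pins = policy.get(host)
    if not pins:
        return False, "fail closed: no pin set for host"
    for cert in chain:
        pin = spki_pin(cert)
        if pin in pins:
            return True, "matched " + pin
    return False, "no pinned key in presented chain"


HOST = "api.example.com"  # hypothetical host name


def rotation_walkthrough() -> dict:
    """Releases 1-3 follow the runbook: current pin, current plus backup, then backup only."""
    old_key, new_key = bytes(range(32)), bytes(range(32, 64))  # constructed key bytes
    old_cert = fake_certificate(HOST, spki_for_ed25519(old_key), serial=1)
    renewed_same_key = fake_certificate(HOST, spki_for_ed25519(old_key), serial=2)
    new_cert = fake_certificate(HOST, spki_for_ed25519(new_key), serial=3)
    old_pin, new_pin = spki_pin(old_cert), spki_pin(new_cert)
    release1 = {HOST: {old_pin}}           # current pin only
    release2 = {HOST: {old_pin, new_pin}}  # current plus backup, shipped before rotation
    release3 = {HOST: {new_pin}}           # old pin removed in a later release
    return {
        "r1_old_cert": pin_check(HOST, [old_cert], release1)[0],                  # True
        "r1_renewed_same_key": pin_check(HOST, [renewed_same_key], release1)[0],  # True: key unchanged
        "r1_new_key": pin_check(HOST, [new_cert], release1)[0],                   # False: rotated before backup pin shipped
        "r2_new_key": pin_check(HOST, [new_cert], release2)[0],                   # True: backup pin covers the rotation
        "r3_old_key": pin_check(HOST, [old_cert], release3)[0],                   # False: old key still served after pin removal
        "pins": (old_pin, new_pin),
    }


if __name__ == "__main__":
    for step, result in rotation_walkthrough().items():
        print(step, result)
```

The `r1_new_key` and `r3_old_key` rows are the two outages the runbook is designed to prevent: rotating the backend key before the build carrying the backup pin has reached its adoption threshold, and removing the old pin while some servers or CDN edges still present the old key.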
User And App Impact
If pin validation fails, the protected app blocks the affected network connection. Depending on your configuration, AppTego can log the event, show a message, redirect the user, or terminate the app. Users may report that the app cannot sign in, sync, load content, or complete a transaction when a certificate chain is unexpected.
Common causes include expired certificates, unplanned backend certificate rotation, corporate TLS inspection, captive portals, incorrect domain mapping, or test environments using certificates that were not added to the configuration.
Testing Checklist
| Area | What to verify |
|---|---|
| Domains | Every production hostname used by the app has the intended pin policy. |
| Backup pins | The app remains functional when the backend presents the next planned certificate chain. |
| Failure behavior | Wrong certificates produce the expected log, message, redirect, or termination behavior. |
| Managed devices | Enterprise customers that use network inspection understand the policy impact. |
| Release process | Certificate rotation is coordinated with protected app releases and adoption targets. |
Ownership Checklist
| Owner | Responsibility |
|---|---|
| Mobile release team | Builds and validates protected apps containing the current and backup pins. |
| Backend or infrastructure team | Owns certificate issuance, renewal, CDN behavior, and emergency replacement. |
| Security team | Defines strictness, exception handling, and monitoring expectations. |
| Support team | Handles user reports when network policy blocks access. |