When building mobile apps that consume APIs over the internet, HTTPS is mandatory—but sometimes it’s not enough.
If your app handles sensitive data (finance, health, enterprise), you might want to go one step further:
👉 Certificate Pinning (aka “SSL pinning”)
This article explains:
What SSL pinning actually is (and what it isn’t)
How to implement it in Android
In a second part, these topics will be covered:
How to implement it in iOS (both
.cerand Public Key approaches)The real trade-offs nobody tells you
🧠 What is SSL Pinning (really)?
Despite the name, modern apps use TLS, not SSL.
👉 The correct term is:
Certificate Pinning
or TLS Pinning
But “SSL pinning” is still widely used.
🔐 Default HTTPS behavior
By default, your app trusts any valid certificate signed by trusted Certificate Authorities (CAs).
That means:
App → HTTPS → Server (valid cert) → OK
🚨 The problem
If an attacker installs a malicious certificate (e.g. on public WiFi), they could:
- Intercept traffic
- Decrypt requests
- Act as a proxy (MITM attack)
🔐 What Pinning Changes
Instead of trusting all valid certs:
👉 Your app trusts only a specific certificate or public key
If it doesn’t match → ❌ connection rejected
📱 Android Implementation (OkHttp)
Android makes this relatively straightforward thanks to OkHttp.
✔️ Public Key Pinning (recommended)
val certificatePinner = CertificatePinner.Builder()
.add("api.yourservice.com", "sha256/AAAAAAAAAAAAAAAAAAAA...")
.build()
val client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build()
🧪 How to get the SHA-256 hash
You can extract it using OpenSSL:
openssl s_client -connect api.yourservice.com:443 -servername api.yourservice.com \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64
Wrapping Up (Part 1)
At this point, we’ve covered what SSL pinning really is, what problems it solves (and what it doesn’t), and how to implement it on Android using a modern, production-ready approach.
If there’s one takeaway from this first part, it’s this:
Pinning is not about replacing your security model — it’s about strengthening the transport layer.
On Android, the ecosystem makes it relatively straightforward to adopt public key pinning with tools like OkHttp. However, the real challenge isn’t implementation — it’s operational discipline:
- Handling certificate rotation
- Avoiding hard failures in production
- Understanding when pinning actually adds value
Before moving forward, ask yourself:
Do I really need pinning, or am I trying to compensate for missing backend security?
In the next part, we’ll move to iOS — where things are a bit more low-level, and where the trade-offs become even more evident.
Top comments (0)