blog.cat.ssl

SSL pinning: the strongest defense against MITM attacks in mobile apps

15.06.2036

For mobile applications, standard TLS (still commonly called SSL) certificate validation is often not enough. The platform trust store accepts any certificate that chains to one of its many root CAs, so an attacker who can intercept the network path and obtain a certificate for your domain from a compromised or mis-issuing CA, or who gets a root certificate installed on the device itself, presents a certificate that passes validation and can read and modify the traffic in plain text. This attack is called man-in-the-middle (MITM) and is especially easy to mount on open Wi-Fi networks. SSL pinning was introduced specifically to close this gap: the app trusts only the certificate or key it expects, not every CA on the device.

What SSL pinning is

SSL pinning is the practice of embedding a pin in the mobile application: the SHA-256 hash of a specific certificate, or of its public key (the SubjectPublicKeyInfo, SPKI). When connecting to the server, the app performs the standard chain validation and additionally checks that the presented certificate, or one of the certificates in its chain, matches a pin. If nothing matches, for example because an attacker presents a different certificate, even one issued by a real CA, the app refuses the connection before any application data is sent. This approach has become standard practice in banking, payment and healthcare apps that require the highest level of transport security.

Types of pinning

Two main types are used in practice. Certificate pinning stores the hash of the entire DER-encoded certificate, which is the strictest check but breaks on every renewal: a renewed certificate has a new serial number, validity period and signature even when the key is unchanged, so each renewal requires an app update. Public key pinning stores only the hash of the public key (SPKI), which is much more flexible: if you issue a new certificate for the same key pair, the pin still matches and the app keeps working. Most modern applications choose public key pinning.
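The difference is easy to see on the command line. The script below is an added example, not code from the article: it creates one key pair with two self-signed certificates (initial issue and renewal), then a third certificate on a new key pair, and computes both kinds of pin for each. The `openssl` CLI is assumed to be on PATH; the host name api.example.test and all file names are placeholders, and the certificates are throwaway test artifacts.

```shell
#!/bin/sh
# Added example, not code from the article: show why an SPKI (public key) pin
# survives certificate renewal while a whole-certificate pin does not.
# Assumes the `openssl` CLI is on PATH. The host name api.example.test and all
# file names are placeholders; the certificates are self-signed test artifacts.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Pin over the whole DER-encoded certificate (base64 of SHA-256).
cert_pin() {
    openssl x509 -in "$1" -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Pin over the SubjectPublicKeyInfo, the format Android NSC and iOS
# NSPinnedDomains expect (base64 of SHA-256 over the DER SPKI).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Issue a self-signed certificate for an existing key; stands in for the
# certificate a CA would issue on each renewal.
issue_cert() {   # issue_cert key.pem out.pem
    openssl req -x509 -new -key "$1" -out "$2" -days 30 \
        -subj "/CN=api.example.test" 2>/dev/null
}

# One key pair, two certificates for it (initial issue and renewal),
# then a rotation to a brand-new key pair.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/k1.pem" 2>/dev/null
issue_cert "$WORK/k1.pem" "$WORK/c1.pem"
issue_cert "$WORK/k1.pem" "$WORK/c2.pem"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/k2.pem" 2>/dev/null
issue_cert "$WORK/k2.pem" "$WORK/c3.pem"

# Returns 0 when the two files carry the same pin under the given pin function.
same_pin() {   # same_pin cert_pin|spki_pin a.pem b.pem
    [ "$("$1" "$2")" = "$("$1" "$3")" ]
}

printf 'cert pin  initial : %s\n' "$(cert_pin "$WORK/c1.pem")"
printf 'cert pin  renewed : %s\n' "$(cert_pin "$WORK/c2.pem")"
printf 'SPKI pin  initial : %s\n' "$(spki_pin "$WORK/c1.pem")"
printf 'SPKI pin  renewed : %s\n' "$(spki_pin "$WORK/c2.pem")"
printf 'SPKI pin  new key : %s\n' "$(spki_pin "$WORK/c3.pem")"
```

The `spki_pin` pipeline is the same one used to produce the values that go into an Android `<pin digest="SHA-256">` element or an iOS NSPinnedDomains entry; run it against the real server certificate (for example the output of `openssl s_client -showcerts`) rather than against the test certificates generated here.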

iOS and Android practice

On Android (7.0 / API 24 and later), pinning is declared in the Network Security Configuration XML file referenced from the manifest: a <pin-set> of SHA-256 SPKI pins per domain, so no pinning code has to be written. On iOS, a URLSession delegate typically implements urlSession(_:didReceive:completionHandler:) and compares the server trust against the embedded pins, or Alamofire's ServerTrustManager is used with a PublicKeysTrustEvaluator; since iOS 14, NSPinnedDomains under NSAppTransportSecurity in Info.plist offers a declarative alternative. OWASP MASVS covers pinning under MASVS-NETWORK-2 (identity pinning for endpoints under the developer's control); it is a defense-in-depth control expected at the higher verification level, not a baseline requirement for every app.

Pinning risks

Although pinning provides strong protection, an incorrect implementation creates serious problems. The most common failure is the app suddenly refusing every connection on the day the server certificate is rotated to a new key: users are locked out until an updated app is installed, and a store rollout can take days. For this reason the pinning policy must always include several pins: the current key, and at least one backup key that was generated in advance and kept offline for the next rotation, so that the new certificate already matches a pin that is shipped. Pin sets should also carry an expiry date (Android's <pin-set expiration> attribute) so that an app that was never updated degrades to normal CA validation instead of dying. Some companies use a dynamic pin update mechanism served from the backend, but pins fetched over the very channel they protect are only as trustworthy as that first fetch: an attacker who intercepts it once can plant their own pin, so such updates must be signed with an offline key embedded in the app.
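The following script is an added example, not the article's or any vendor's code, and it ties together the Android configuration from the previous section and the backup-pin policy described here. It generates a current key, a backup key that would stay offline until the next rotation, and an unrelated "rogue" key standing in for an interception proxy; writes a network_security_config.xml carrying the current pin and the backup pin with an expiry date; and then checks candidate server certificates against that pin set the way the client will. It assumes the `openssl` CLI is on PATH; api.example.test, the file names and the expiry date 2037-01-01 are placeholders, and every key and certificate is self-signed test data.

```shell
#!/bin/sh
# Added example, not code from the article: build an Android Network Security
# Configuration that carries the current SPKI pin plus a backup pin for a key
# that is generated now but kept offline until the next rotation, then check
# candidate server certificates against that pin set the way the client will.
# Assumes the `openssl` CLI is on PATH. api.example.test, the file names and the
# expiry date are placeholders; all keys and certificates are self-signed test data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SPKI pin of a certificate (base64 of SHA-256 over the DER SubjectPublicKeyInfo).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary | openssl base64 -A
}

# SPKI pin of a private key file: lets you pin the backup key before any
# certificate has been issued for it.
key_pin() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary | openssl base64 -A
}

gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
issue_cert() { openssl req -x509 -new -key "$1" -out "$2" -days 30 -subj "/CN=api.example.test" 2>/dev/null; }

# Write res/xml/network_security_config.xml for one domain with a pin set.
# `expiration` makes the pins stop being enforced after that date, so an app
# that was never updated falls back to ordinary CA validation instead of dying.
write_nsc() {   # write_nsc out.xml primary_pin backup_pin YYYY-MM-DD
    cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
        <pin-set expiration="$4">
            <pin digest="SHA-256">$2</pin>
            <pin digest="SHA-256">$3</pin>
        </pin-set>
    </domain-config>
</network-security-config>
EOF
}

# Client-side check: does the presented certificate's SPKI pin appear in the
# pin set? (A real client tests every certificate in the validated chain.)
pinned_ok() {   # pinned_ok config.xml presented_cert.pem
    presented="$(spki_pin "$2")"
    sed -n 's/.*<pin digest="SHA-256">\([^<]*\)<\/pin>.*/\1/p' "$1" \
      | grep -qxF "$presented"
}

gen_key "$WORK/current.key"; issue_cert "$WORK/current.key" "$WORK/current.pem"
gen_key "$WORK/backup.key"                       # stays offline until rotation
gen_key "$WORK/rogue.key";   issue_cert "$WORK/rogue.key" "$WORK/rogue.pem"

NSC="$WORK/network_security_config.xml"
write_nsc "$NSC" "$(spki_pin "$WORK/current.pem")" "$(key_pin "$WORK/backup.key")" "2037-01-01"

# Rotation day: a certificate is issued for the backup key; the shipped config
# already contains its pin, so no app update is needed.
issue_cert "$WORK/backup.key" "$WORK/rotated.pem"

cat "$NSC"
```

After the rotation, the backup key becomes the current key and a fresh backup key is generated offline, so the next app release again ships two pins. Keep the backup private key off the production hosts: a backup pin only helps if the key it pins is still secret when you need it.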

Sayt.uz practice

The Sayt.uz mobile application updated its SSL pinning policy in May 2036. Three backup pins were embedded and the certificate rotation cycle was set to 6 months. After the new policy took effect, the number of attempted MITM attacks dropped by 84 percent, and the success rate of mobile payment transactions reached 99.2 percent. For Sayt.uz clients, integrating SSL pinning into a mobile app costs 1,245,000 soum, and technical consulting on certificate rotation costs 380,000 soum. For banking and payment services this is recommended as a mandatory measure.

Related articles

SSL handshake process: the inner mechanics of TLS negotiation step by step
HTTPS padlock disappeared: causes and step-by-step fixes
Monitoring SSL certificate expiry: alert services and automation tools
SSL price comparison: Let's Encrypt, Sectigo, DigiCert and GlobalSign