Today we developers have it easier than at any time before. The AI bubble was supposed to replace us or, at the very least, lower our hourly rate. Instead we have gained even more flexibility and speed. Ever-improving AI agents have lured a lot of people into coding, and the number of apps released each day has gone exponential. But speed shouldn't come at the cost of security. Not when so many people can be affected.

Most apps follow a typical client-server setup, and in that setup you simply cannot assume that every response your app receives actually comes from your back-end server. Attackers can redirect traffic meant for your API, intercept it on a hostile network, or reverse engineer your client to learn what it trusts, and then sit in the middle of the connection (a man-in-the-middle attack). Never assume that because you are nice, the internet is too.

One effective approach to verifying who your app is talking to is called certificate pinning. It might sound fancy, but the idea is simple: ensure your app only accepts connections from servers presenting an expected certificate or public key.

When your client app connects to your API over HTTPS, the TLS library checks that the server's certificate chains to a trusted certificate authority (CA), is within its validity period and matches the hostname the app asked for.

By implementing certificate pinning, you add one more check. Your client verifies that the server's certificate, or its public key, matches the value embedded in the app. If it does not, the connection is rejected even though the certificate is otherwise valid. That closes the gap the default check leaves open: any CA the device trusts, whether a mis-issuing public CA or a root installed by a user, a corporate proxy or malware, can otherwise produce a certificate for your domain that the app would accept.

A couple of conditions have to be met before you can implement certificate pinning:

  • your server must serve HTTPS with a valid certificate from a trusted CA, and
  • you need to embed the certificate's public key or its fingerprint in your client app.

For public apps, certificates from providers like Let's Encrypt are totally fine, with one caveat: those certificates are short-lived, and many ACME clients generate a fresh key pair at every renewal unless told to reuse the old one, so pin the public key and keep the key pair stable (or ship a backup pin) rather than pinning the certificate itself. For internal web apps, a certificate can be issued by any CA that your users' computers trust. It still needs to be valid though. Note that mobile apps don't automatically trust private CAs (Android apps ignore user-installed CAs by default) and installing one on mobile devices is a hassle.

So let's say you have everything set up. The only thing left is to implement the pinning itself. First, extract your server certificate's public key (or its fingerprint). You can do that in your browser (by navigating to your API address and inspecting the certificate) or with tools like OpenSSL; prefer a hash of the SubjectPublicKeyInfo over a hash of the whole certificate, because the former survives a renewal that keeps the same key. Then embed the value in your mobile or desktop client and add logic to compare the server's certificate against it once the TLS handshake has completed. Most platforms have libraries that simplify this (Android's network security config and iOS's NSPinnedDomains are built in). A page running in a browser is the exception: browsers removed HPKP, so a plain web front-end cannot pin.
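Here is a worked version of those steps in Python, added as an illustration for this post; it is neither the post's own code nor the .NET sample promised below. It assumes pins in the base64(SHA-256(SubjectPublicKeyInfo)) format used by HPKP and Android's network security config, a hypothetical host api.example, and a constructed, unsigned certificate skeleton built inline so the SPKI extraction and comparison can run offline. `connect_pinned` shows where the pin check sits relative to the normal TLS validation and is not exercised offline.

```python
"""Added example: SPKI pinning check on a DER X.509 certificate (not from the post)."""
import base64
import hashlib
import socket
import ssl


def _der_read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end); value_end is where the next element starts.
    """
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo element (header included) of a DER cert."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, pos, _ = _der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    tag, pos, _ = _der_read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, nxt = _der_read_tlv(cert_der, pos)
    if tag == 0xA0:                        # explicit [0] version present (v2/v3 certs)
        pos = nxt
    for _ in range(5):                     # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_read_tlv(cert_der, pos)
    tag, _, nxt = _der_read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:nxt]


def pin_from_spki(spki_der):
    """Pin format used by HPKP and Android's network security config: base64(sha256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der):
    return pin_from_spki(extract_spki(cert_der))


def pin_matches(cert_der, expected_pins):
    """True if the certificate's key hash is one of the embedded pins.

    Ship the current key's pin plus at least one backup pin for a spare key kept
    offline, so that a key rotation does not lock out clients that cannot update.
    """
    return spki_pin(cert_der) in set(expected_pins)


def connect_pinned(host, port, expected_pins):
    """Open a TLS connection and reject it if the leaf certificate's key is not pinned.

    Chain, expiry and hostname validation still run inside wrap_socket; the pin
    check is an extra step on top of them, run only after the handshake succeeded.
    Requires network access, so it is not run offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, expected_pins):
                raise ssl.SSLCertVerificationError(
                    "SPKI pin mismatch for %s: got %s" % (host, spki_pin(leaf)))
            return tls.version()


def _der(tag, content):
    """Minimal DER encoder, only used to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(public_key_bytes):
    """Constructed, unsigned X.509 DER skeleton for offline use (hypothetical host
    api.example; the signature is zero-filled, so it would never pass real TLS
    validation). Returns (cert_der, spki_der)."""
    oid_sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
    oid_ec_pubkey = b"\x2a\x86\x48\xce\x3d\x02\x01"
    oid_cn = b"\x55\x04\x03"
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, b"\x01")
    sig_alg = _der(0x30, _der(0x06, oid_sha256_rsa))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, oid_cn) + _der(0x0C, b"api.example"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, oid_ec_pubkey)) + _der(0x03, b"\x00" + public_key_bytes))
    tbs = _der(0x30, version + serial + sig_alg + name + validity + name + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(64)))
    return cert, spki


if __name__ == "__main__":
    cert, spki = sample_cert(b"\x04" + bytes(range(64)))
    current = pin_from_spki(spki)
    backup = pin_from_spki(b"spare-key-spki-placeholder")   # constructed stand-in
    print("pin:", current)
    print("match:", pin_matches(cert, {current, backup}))
```

On a real deployment the same pin can be produced on the server side with OpenSSL (`openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64`), which is the value you would embed. The parser deliberately walks only the fields in front of the SPKI, so it never needs to understand extensions or signatures; that is also why pinning the key rather than the whole certificate keeps working across renewals that reuse the key.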

You have to take into account that a certificate will expire. If the renewed certificate uses a new key, you will need to release a new version of your app with the new pin, and users who do not update are locked out. Mitigate this by reusing the key pair at renewal, embedding a backup pin for a spare key kept offline, and shipping the pin set in a form you can update. Also test thoroughly in a testing or staging environment, because a wrong pin locks every user out of your application.

Certificate pinning is a straightforward but powerful way to boost your app's security. It ensures that your app only talks to a server holding your key, even on a hostile network or on a device with a rogue root CA. It does not work the other way round: someone who reverse engineers and patches the client, or hooks its TLS library, can still talk to your API, so treat pinning as protection for your users rather than for your back-end.

If you are curious to try it yourself, there are great tutorials online. In the next post, I will present a simple certificate pinning implementation in a .NET command line app. Stay tuned.