I am Paulo Renato, a Developer Advocate for Mobile and API Security, and I am making myself available to reply to any questions you may have about certificate pinning on mobile apps.
I am the maintainer of the Mobile Certificate Pinning Generator web page, which allows you to generate your certificate pinning configurations for Android and iOS.
You can also find me answering security questions on StackOverflow.
Finally, I am also the author of a series of articles on Mobile and API security, where some of the articles are about implementing certificate pinning, bypassing pinning and securing against bypassing it. You can see the series of articles in this Twitter thread:
🧵 A thread on #Mobile #ApiSecurity
— Paulo Renato (@exadra37) July 12, 2022
🗓️ Today a #developer on LinkedIn asked me for help on how to minimize the risk of #ReverseEngineering an #ApiKey on a #MobileApp
✍️ Turns out that I wrote a series of blog posts to educate #developers on this concern
Read all in sequence ⬇️ pic.twitter.com/H9ssL3ooed
Top comments (2)
How often should developers update the pinned certificates in their apps, and why is this important?
This may depend on the compliance requirements of the market the mobile app is targeting, but the widely used practice is to rotate them every year.
For example, the backend may have been compromised and the certificates are now available to attackers, who will then be able to use them in MitM attacks to intercept traffic between the mobile app and the backend, thus being able to extract secrets, modify and replay requests, and, more importantly, gather enough info to build a bot to automate such attacks.
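As an added example of what yearly rotation looks like in practice (this is not code from the original post or from the Mobile Certificate Pinning Generator), the script below computes an SPKI pin the way Android and iOS expect it, base64(SHA-256(DER SubjectPublicKeyInfo)), and emits an Android `network_security_config.xml` carrying the current pin, a backup pin for a key that is kept offline until the next rotation, and an expiration date. The certificate and keys it parses are constructed in the script (a syntactically valid X.509 skeleton with a dummy modulus and no real signature); `api.example.com` and the dates are placeholders. It uses only the Python standard library.

```python
import base64
import hashlib
from datetime import date


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(data: bytes, offset: int = 0):
    """Decode the TLV at offset; return (tag, value, offset_after_element)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, raw_element_bytes) for every element inside a SEQUENCE body."""
    off = 0
    while off < len(value):
        tag, _, nxt = der_tlv(value, off)
        yield tag, value[off:nxt]
        off = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Pins are computed over this structure, not over the whole certificate
    (which changes on every renewal) and not over the bare key bits.
    """
    _, cert_body, _ = der_tlv(cert_der)     # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)          # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 over the DER SPKI, base64 encoded: the pin format Android and iOS expect."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def network_security_config(domain: str, current_pin: str, backup_pin: str,
                            expiration: date) -> str:
    """Android pin-set with a current pin, a backup pin and an expiration date.

    Caveat: once the expiration date passes Android stops enforcing the pins
    (it fails open), so the date is a safety net for a missed rotation, not
    the rotation schedule itself.
    """
    return f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">{domain}</domain>
        <pin-set expiration="{expiration.isoformat()}">
            <pin digest="SHA-256">{current_pin}</pin>
            <pin digest="SHA-256">{backup_pin}</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


# --- constructed test material: not a real key, not a real certificate -------
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption


def fake_spki(seed: int) -> bytes:
    """Syntactically valid RSA SubjectPublicKeyInfo with a dummy 2048-bit modulus."""
    modulus = b"\x00" + bytes([0xC0 | (seed & 0x0F)]) + bytes([seed & 0xFF]) * 255
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))


def fake_cert(spki: bytes) -> bytes:
    """Wrap an SPKI in a minimal X.509 skeleton (empty names, dummy signature)."""
    alg = der(0x30, SHA256_RSA_OID + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))


def example_config() -> str:
    """Pin the currently deployed key plus an offline backup key, expiring in a year."""
    current = extract_spki(fake_cert(fake_spki(1)))     # what the server presents today
    backup = fake_spki(2)                               # next year's key, kept offline
    return network_security_config("api.example.com", spki_pin(current),
                                   spki_pin(backup), date(2023, 7, 1))


if __name__ == "__main__":
    print(example_config())
```

With a real certificate, `extract_spki(open("server.der", "rb").read())` replaces the constructed material; the backup pin should come from a key pair generated now and stored offline, so that after a compromise the backend can be re-keyed and the already-shipped app keeps working while the compromised pin is dropped in the next release.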