I watched a dev team spend two weeks debugging why their mobile app suddenly stopped connecting to their servers. The culprit? A pinned certificate that expired. Their users couldn't log in. Revenue dropped. All because of a security feature working exactly as designed.
Certificate pinning is one of those techniques that sounds great in theory but can bite you hard in practice.
What Certificate Pinning Actually Does
When your app connects to a server over HTTPS, it normally trusts any certificate that chains to a Certificate Authority in the device's trust store. That's usually fine - until a CA is compromised or tricked into issuing a certificate for your domain, or a root the user (or their employer) installed lets someone sit between your app and the server with a certificate the device happily accepts.
Certificate pinning says "I don't care what the CA thinks - I only trust THIS specific certificate for this host."
Here's the flow:
- Connection starts - Your app reaches out to the server
- Certificate received - Server presents its TLS certificate chain
- Comparison - App hashes the certificate, or more commonly its public key (the SubjectPublicKeyInfo), and compares the hash against one shipped inside the app (the "pin")
- Decision - Match? Proceed. No match? Kill the connection.
This shuts down man-in-the-middle attacks that ordinary chain validation lets through. An attacker holding a certificate the device would otherwise trust - one mis-issued by a CA, or chained to a user-installed root - still fails, because your app only accepts the exact key it was shipped with.
The Trade-Off Nobody Talks About
Here's what security blogs often skip: pinning creates operational headaches.
Certificates expire. CAs rotate their intermediates more often than they used to, and many managed certificate services generate a fresh key pair on every renewal. If the pinned certificate or key changes and your app doesn't know about it, every user is locked out until they install an update - and users who never update stay locked out.
I've seen this happen at least a dozen times. AWS recommends against pinning ACM certificates for exactly this reason: ACM generates a new key pair when it renews a certificate, so even a public-key pin breaks and your app just stops working.
The trend is in the wrong direction for pinning: maximum certificate lifetimes keep shrinking (398 days today, with the CA/Browser Forum set to cut them to 47 days by 2029), so every pinned deployment gets more renewals per year, and each one is another chance to ship a key the app has never seen.
Should You Actually Use It?
Honest answer? It depends - and the industry is shifting.
Cloudflare and AWS both advise against pinning certificates they manage, and browsers dropped HTTP Public Key Pinning entirely (Chrome removed it in 2019) because the lockout risk outweighed the benefit. Certificate Transparency logs, which browsers now require for publicly trusted certificates, make mis-issuance detectable, and tighter CA practices have made it rarer; together they shrink the gap pinning was designed to close.
If you're building a banking app or handling extremely sensitive data, it might make sense. But even then, follow these rules:
- Pin the public key (the SPKI hash), not the full certificate, so a renewal that keeps the same key pair doesn't break anything
- Always ship at least one backup pin: generate a spare key pair now, pin its SPKI hash, and keep the private key offline so you can cut over if the live key is lost or compromised; a pin on a second CA's intermediate or root is another fallback
- If pins must be updatable without an app release, the update channel has to be authenticated at least as strongly as the connection it protects, or it becomes the bypass
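The following is an added example, not code from the original post. It works through the flow described above and the first two rules (pin the key, ship a backup) with the standard library only: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate in RFC 5280 field order, the pin is the base64 SHA-256 of that SPKI in the "sha256/" form OkHttp and HPKP use, and a renewed certificate with the same key is checked against the old pin. The certificates are constructed, unsigned, certificate-shaped DER built by make_cert(); the key bytes are placeholders, not real curve points. The function names (make_cert, extract_spki, spki_pin, chain_matches) are this example's own.

```python
"""SPKI pinning versus full-certificate pinning, stdlib only.

Added example, not code from the original post. Certificates below are
synthetic and UNSIGNED (constructed test data); they keep the RFC 5280
tbsCertificate field order, so extract_spki() also works on real DER.
In a real client this check runs AFTER normal chain validation.
"""
import base64
import hashlib

# --- tiny DER encoder, used only to build the test certificates ------------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def integer(n: int) -> bytes:
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption

def make_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for a P-256 key; `point` is placeholder bytes."""
    alg = seq(der(0x06, bytes.fromhex("2a8648ce3d0201")),    # id-ecPublicKey
              der(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
    return seq(alg, der(0x03, b"\x00" + point))               # BIT STRING, 0 unused bits

def make_cert(serial: int, spki: bytes, not_after: bytes) -> bytes:
    """Certificate-shaped DER with RFC 5280 field order. Not signed: never trust it."""
    tbs = seq(
        der(0xA0, integer(2)),                                  # [0] EXPLICIT version v3
        integer(serial),                                        # serialNumber
        seq(SHA256_RSA_OID),                                    # signature AlgorithmIdentifier
        seq(),                                                  # issuer: empty Name (placeholder)
        seq(der(0x17, b"240101000000Z"), der(0x17, not_after)), # validity (UTCTime)
        seq(),                                                  # subject: empty Name (placeholder)
        spki,                                                   # subjectPublicKeyInfo
    )
    return seq(tbs, seq(SHA256_RSA_OID), der(0x03, b"\x00" * 33))  # zeroed signatureValue

# --- the pinning side -------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, offset just past it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate."""
    tag, cert_body, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, end = read_tlv(tbs, 0)
    if tag == 0xA0:                                    # optional [0] version
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[start:end]

def spki_pin(cert_der: bytes) -> str:
    """OkHttp/HPKP-style pin: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_pin(cert_der: bytes) -> str:
    """Full-certificate pin, for contrast: changes on every renewal."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def chain_matches(chain: list, pins: set) -> bool:
    """Accept if ANY certificate in the already-validated chain matches a pin."""
    return any(spki_pin(c) in pins for c in chain)

# --- constructed scenario: one key pair, renewed; then a key rotation -------
KEY_A = b"\x04" + bytes(range(1, 65))        # placeholder key bytes, not a real point
KEY_B = b"\x04" + bytes(range(64, 0, -1))    # a different placeholder key
CERT_2024 = make_cert(1001, make_spki(KEY_A), b"250101000000Z")
CERT_2025 = make_cert(1002, make_spki(KEY_A), b"260101000000Z")   # renewed, same key
CERT_NEWKEY = make_cert(1003, make_spki(KEY_B), b"260101000000Z") # renewed, rotated key

def demo() -> dict:
    shipped = {spki_pin(CERT_2024)}                   # what the app was released with
    results = {
        "renewal_same_key_spki": chain_matches([CERT_2025], shipped),
        "renewal_same_key_fullcert": cert_pin(CERT_2025) in {cert_pin(CERT_2024)},
        "rotation_no_backup": chain_matches([CERT_NEWKEY], shipped),
    }
    shipped.add(spki_pin(CERT_NEWKEY))                # backup pin shipped before the rotation
    results["rotation_with_backup"] = chain_matches([CERT_NEWKEY], shipped)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'connect' if ok else 'LOCKED OUT'}")
```

The first two results are the whole argument for SPKI over full-certificate pins: the renewed certificate has a new serial and validity, so its full-cert hash differs, but its SPKI hash is identical. The last two show why a backup pin has to be in the app before the key rotates, not after: once the live key changes, a client with only the old pin has no way to learn the new one over the very connection it just refused.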
For everyone else? Focus on strict certificate validation (hostname verification, no disabled checks left over from debug builds), API security, and runtime monitoring instead.
The Bottom Line
Certificate pinning stops MITM attacks. It also stops your users when someone renews a certificate with a key the app has never heard of.
Before implementing it, ask yourself: do you have the operational maturity to manage certificate lifecycles without causing outages? If the answer isn't a confident yes, you might create more problems than you solve.