UTILIZATION OF CERTIFICATE PINNING IN MOBILE APPLICATIONS FOR PREVENTING MAN-IN-THE-MIDDLE ATTACKS AND ENSURING SERVER TRUST THROUGH HARDCODED KEY ASSOCIATIONS

Authors

  • Divye Dwivedi, Performance Test Lead, Orpine Inc., USA

DOI:

https://doi.org/10.29121/digisecforensics.v2.i1.2025.90

Keywords:

Certificate Pinning, Public Key Pinning, Man-in-the-Middle Attack, Mobile Application Security, HTTPS Security, Android Security, iOS Security

Abstract

Mobile applications increasingly rely on HTTPS to secure communication, yet remain vulnerable to man-in-the-middle (MITM) attacks when attackers present fraudulent certificates accepted by compromised trust stores or proxy tools. Certificate pinning has emerged as a critical defense mechanism that binds an application to a specific expected server certificate or public key, bypassing the system CA store. This study comprehensively evaluates the adoption, implementation correctness, and effectiveness of certificate and public-key pinning across 1,500 popular Android and iOS applications in 2023–2024. Using dynamic instrumentation, static analysis, and real-world MITM testing with mitmproxy and Frida, we demonstrate that only 18.4% of financial and 9.7% of non-financial apps correctly implement pinning resistant to modern bypass techniques. The research identifies persistent implementation flaws, quantifies bypass success rates, and proposes an enhanced hybrid pinning model combining HPKP-derived headers with hardened runtime checks. Findings underscore the urgent need for standardized pinning libraries and automated validation in CI/CD pipelines.


Published

2025-06-30

How to Cite

Dwivedi, D. (2025). UTILIZATION OF CERTIFICATE PINNING IN MOBILE APPLICATIONS FOR PREVENTING MAN-IN-THE-MIDDLE ATTACKS AND ENSURING SERVER TRUST THROUGH HARDCODED KEY ASSOCIATIONS. Journal of Digital Security and Forensics, 2(1), 94–105. https://doi.org/10.29121/digisecforensics.v2.i1.2025.90