SSL Pinning or Certificate Pinning
SSL pinning, also known as certificate pinning, is a security measure in which the known server's certificate (or its public key) is embedded in the client application's codebase, so that the client trusts only that certificate rather than any certificate that chains to a trusted CA.
How it works:
- Obtain the server's public key or certificate: The public key or certificate of the expected server is obtained during the development phase and embedded into the client application.
- Pin the certificate or public key: The certificate or public key is "pinned" in the application, meaning the app is configured to trust only this specific certificate or public key.
- Verification: On attempting to connect to the server, the client application checks the SSL certificate presented by the server against the pinned certificate/public key.
- Outcome:
  - Match: If they match, the connection proceeds, as the server's identity has been verified.
  - No match: If there is a mismatch, the connection is terminated to prevent a potential Man-in-the-Middle (MitM) attack or other security risks.
SSL pinning ensures that the client application communicates only with the known, trusted server, adding an extra layer of security on top of normal certificate-chain validation.
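The four steps above carried through in code, as an added example that is not part of the original article: a pin is the base64 SHA-256 of the server's DER certificate, `verify_pin` compares the presented certificate against the embedded set, and `pinned_connect` closes the connection on mismatch. The pin value in `PINNED_SHA256`, the host name and the certificate bytes in the demonstration are constructed placeholders, not values from the page.

```python
import base64
import hashlib
import socket
import ssl

# Steps 1 and 2: pins embedded at build time. The value below is a constructed
# placeholder; a real app embeds the pin of its own server's certificate.
# Pinning the SPKI (public key) instead of the whole certificate survives
# certificate renewal as long as the server keeps the same key pair.
PINNED_SHA256 = {
    "sha256/PLACEHOLDER-PIN-FOR-api.example.com=",
}


def pin_for(der_cert: bytes) -> str:
    """Return the pin string for a DER-encoded certificate: base64(SHA-256)."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_pin(der_cert: bytes, pins: set) -> bool:
    """Step 3: does the presented certificate match one of the pinned values?"""
    return pin_for(der_cert) in pins


def pinned_connect(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on top of normal chain validation.
    Step 4: a match returns the socket; a mismatch closes it and raises."""
    ctx = ssl.create_default_context()  # CA and hostname checks stay enabled
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not verify_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: got {pin_for(der)}")
    return tls


if __name__ == "__main__":
    # Offline demonstration: constructed bytes stand in for a DER certificate.
    fake_cert = b"constructed-der-certificate-bytes"
    pins = {pin_for(fake_cert)}
    print("match   :", verify_pin(fake_cert, pins))                # True
    print("mismatch:", verify_pin(fake_cert + b"tampered", pins))  # False
```

Because `create_default_context` is kept, an attacker-controlled certificate must pass CA validation and then also fail the pin check, which is the defence the article describes.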
