Version: 2.5.x.x RR

Certificate Pinning Recommendations

Nevis does not recommend certificate pinning in the mobile app in the following cases:

  • When the backend certificate is rolled over frequently, or
  • When the certificate issuer is not completely under your control, such as Let's Encrypt (whose certificates are short-lived and renewed automatically).

Certificate pinning in these cases brings severe operational disadvantages as well as concrete risk scenarios:

  • A certificate rollover depends on end users updating the mobile app: the pin for the new certificate can only reach a device through an app update, and an update cannot be forced. Every rollover must therefore be planned and executed so that all installed clients carry the new pin before the old certificate is replaced; clients that have not updated by then can no longer connect.
  • If a CA revokes a certificate unannounced for any reason (for example, after a security breach at the CA), the certificate must be replaced immediately. A pin on the certificate, or on the issuing CA's key, no longer matches the replacement, so all installed clients are affected at once, with no time to distribute a new pin first.

Forgoing certificate pinning does not compromise the security of the communication between the mobile client and the backend, because:

  • All HTTP communication uses TLS, with or without certificate pinning.
  • The mobile client only accepts certificates that are valid and chain to a CA in the device's trust store.
  • The mobile client verifies that the server certificate matches the hostname it is connecting to.

What pinning would add on top is protection against a certificate for your host issued by some other CA the device trusts; it does not strengthen any of the checks above.
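The following Go program is an added example that is not part of the Nevis documentation or SDK; it uses only the standard library so it runs offline. It builds a test CA and a server certificate for a hypothetical host `api.example.com`, implements the checks from the list above (path validation against a trust store plus hostname verification) and a pinned variant on top, and then re-issues the certificate for the same host from the same CA with a new key, which is what a rollover or an emergency re-issue after a revocation produces. Standard validation accepts both certificates and rejects a wrong hostname; the pinned check rejects the re-issued certificate, which is the failure mode of the two risk scenarios above. The hostname, the CA name and the pin format (SPKI SHA-256 in base64, as used by Android's network security configuration) are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "api.example.com" // hypothetical backend hostname (assumption, not from the Nevis docs)

// mint generates a fresh P-256 key pair and signs tmpl with parentKey (parent == tmpl and parentKey == nil: self-signed root); setup failures panic.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leafTemplate describes a server certificate for host.
func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname verification matches the SAN, not the CN
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin format of Android's network security config and OkHttp.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// standardCheck is what a client does without pinning: path validation to a trusted root (incl. validity period) plus hostname verification.
func standardCheck(leaf *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// pinnedCheck adds a pin comparison on top; the pins are baked into the app binary and change only with an app update.
func pinnedCheck(leaf *x509.Certificate, roots *x509.CertPool, name string, pins []string) error {
	if err := standardCheck(leaf, roots, name); err != nil {
		return err
	}
	got := spkiPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return errors.New("server key matches none of the pins shipped in the app")
}

// Outcome records each check against the original and the re-issued certificate (nil means accepted).
type Outcome struct{ StandardBefore, StandardAfter, PinnedBefore, PinnedAfter, WrongHost error }

// RolloverScenario ships a pin for the first certificate, then re-issues the certificate for the same host from the same CA with a new key.
func RolloverScenario() Outcome {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := mint(caTmpl, caTmpl, nil)
	roots := x509.NewCertPool() // stands in for the device trust store
	roots.AddCert(ca)
	first, _ := mint(leafTemplate(2), ca, caKey)
	shipped := []string{spkiPin(first)} // what every installed app carries
	second, _ := mint(leafTemplate(3), ca, caKey)
	return Outcome{
		StandardBefore: standardCheck(first, roots, host),
		StandardAfter:  standardCheck(second, roots, host),
		PinnedBefore:   pinnedCheck(first, roots, host, shipped),
		PinnedAfter:    pinnedCheck(second, roots, host, shipped),
		WrongHost:      standardCheck(second, roots, "other.example.net"),
	}
}

func main() {
	fmt.Printf("%+v\n", RolloverScenario())
}
```

Running it prints the five results; the three standard-validation results for the correct host are `<nil>`, while `PinnedAfter` carries the pin mismatch and `WrongHost` the hostname error. Pinning the public key (as here) rather than the certificate survives a re-issue only if the server keeps its key, which an emergency re-issue after a compromise must not do.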