Articles
Deep Dive into Certificate Pinning on iOS
Building on our knowledge from the previous article, we move on to explore ways of implementing certificate pinning in iOS apps. We’ll familiarize ourselves with the network security features built into iOS, walk through both the declarative and programmatic approaches to server trust authentication, discover the best practices for securely embedding pins, learn how to manage the employed security controls on a per-environment basis, and wrap up with final thoughts and recommendations.
Articles
Deep Dive into Certificate Pinning on Android
In light of our previous article on Certificate Pinning in Mobile Apps, which we strongly recommend you familiarize yourself with, it is evident that robustly adopting certificate pinning is vital for network-enabled mobile applications. This proactive step is crucial to thwart potential man-in-the-middle attacks that could jeopardize data security within the app.
While Google advises against using certificate pinning for mobile apps, this is primarily a caution for those who lack proper backup pins or full control over certificate management.
Articles
Certificate Pinning in Mobile Apps
Every mobile app that communicates over the network is expected to preserve the confidentiality and integrity of data in transit. The first step to meeting this requirement is to use the Transport Layer Security (TLS) protocol with secure cipher suites. This, however, still leaves the app exposed to a serious security threat, which is where certificate pinning comes into play.
In this article, we will take a closer look at how certificate pinning works, including an overview of the underlying concepts and recommended implementation approaches for different trust models.