Certificate pinning restricts a mobile app to a fixed set of certificates or public keys for its API traffic, so an attacker who controls the network, or who has installed a CA that the device trusts, still cannot intercept it. Testing evaluates: is pinning implemented correctly (pinning the leaf certificate vs the intermediate vs the root, and with a backup pin so routine certificate rotation does not break the app)? Can pinning be bypassed through common techniques (Frida, Objection, SSL Kill Switch)? Does the app fail closed when pinning detects a mismatch, rather than logging the error and continuing? And is pinning applied to all network communication, including third-party SDKs and embedded web views, not just the primary API endpoints?
Technical
Mobile App Certificate Pinning: Implementation and Bypass Testing
Certificate pinning limits which certificates a mobile app will accept, defeating MitM even when the attacker holds a CA the device trusts. Testing whether your pinning implementation actually resists the common bypass techniques.
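The test criteria above (leaf vs intermediate pinning, backup pins, fail-closed behaviour) come down to one small piece of logic: hash each certificate's SubjectPublicKeyInfo, compare against the configured pin set, and refuse the connection if nothing matches. The following is an added example written for this page, not code from the page or from any pinning library; it models the check that OkHttp's CertificatePinner and Android's network-security-config perform (any certificate in the already path-validated chain may satisfy a pin). The SPKI byte strings, the host name `api.example.com` and the pin-set names are constructed placeholders so that it runs offline; a real pin is `sha256/` plus the base64 SHA-256 of the DER SubjectPublicKeyInfo.

```python
import base64
import hashlib

# Added example, not the page's or any library's code. Models the pin-set
# check done by OkHttp's CertificatePinner / Android network-security-config.


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the "sha256/<base64>" form used by OkHttp and Android.

    In production spki_der is the DER-encoded SubjectPublicKeyInfo of a real
    certificate; here the callers pass constructed placeholder bytes.
    """
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


class PinningError(Exception):
    """Raised on a mismatch so the caller cannot silently continue."""


def check_pins(chain, pins, host):
    """Fail-closed pin check over an already path-validated chain.

    chain: list of (subject, spki_der), leaf first, as presented by the server.
    pins:  set of "sha256/..." strings configured for this host.
    Returns the subject of the matching certificate, or raises PinningError.
    An empty pin set is also an error: a host with no pins must not quietly
    fall back to plain CA validation.
    """
    if not pins:
        raise PinningError(f"no pins configured for {host}")
    for subject, spki_der in chain:
        if spki_pin(spki_der) in pins:
            return subject
    seen = ", ".join(f"{s}: {spki_pin(k)}" for s, k in chain)
    raise PinningError(f"pin mismatch for {host}; presented {seen}")


# Constructed placeholder SPKI blobs (not real DER keys) so the example runs offline.
LEAF_2024 = b"constructed-spki:leaf:api.example.com:2024"
LEAF_2025 = b"constructed-spki:leaf:api.example.com:2025"  # after routine rotation
INTERMEDIATE = b"constructed-spki:intermediate:example-issuing-ca"
ROOT = b"constructed-spki:root:public-root-ca"
PROXY_LEAF = b"constructed-spki:leaf:intercepting-proxy"
PROXY_CA = b"constructed-spki:root:user-installed-proxy-ca"

CHAIN_2024 = [("leaf 2024", LEAF_2024), ("intermediate", INTERMEDIATE), ("root", ROOT)]
CHAIN_2025 = [("leaf 2025", LEAF_2025), ("intermediate", INTERMEDIATE), ("root", ROOT)]
# What an intercepting proxy presents once its CA is installed on the test
# device: ordinary CA validation accepts this chain, only pinning rejects it.
PROXY_CHAIN = [("proxy leaf", PROXY_LEAF), ("proxy ca", PROXY_CA)]

PIN_SETS = {
    "leaf only": {spki_pin(LEAF_2024)},
    "leaf + backup": {spki_pin(LEAF_2024), spki_pin(LEAF_2025)},
    "intermediate": {spki_pin(INTERMEDIATE)},
    "none (misconfigured host)": set(),
}


def outcome(pins, chain, host="api.example.com"):
    """'pass' when the chain is accepted, 'blocked' when pinning rejects it."""
    try:
        check_pins(chain, pins, host)
        return "pass"
    except PinningError:
        return "blocked"


def run_matrix():
    """Exercise every pin strategy against the three constructed chains."""
    chains = {"2024": CHAIN_2024, "2025": CHAIN_2025, "proxy": PROXY_CHAIN}
    return {
        strategy: {name: outcome(pins, chain) for name, chain in chains.items()}
        for strategy, pins in PIN_SETS.items()
    }


if __name__ == "__main__":
    for strategy, results in run_matrix().items():
        print(f"{strategy:26} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it shows the trade-off the first test criterion is about: a leaf-only pin blocks the proxy chain but also blocks the app's own 2025 certificate after rotation (a self-inflicted outage), while a leaf-plus-backup or intermediate pin passes both legitimate chains and still blocks the proxy. The fail-closed criterion is the `raise` in `check_pins`: an app that wraps the equivalent library call in a catch-all and proceeds has turned pinning into a log line, and the Frida, Objection and SSL Kill Switch bypasses work by hooking the library's check so it returns without throwing, which is why the criterion has to be verified on a device rather than read off the source.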