Client certificate pinning considerations for mobile apps

1422 views

                  final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    }
}

Certificate pinning is useful in high-risk mobile scenarios, but it has real operational cost. I use it selectively, plan backup pins, and make sure the team can rotate infrastructure without bricking clients. Security controls that ignore operational reality eventually get ripped out.

Kai Nakamura

More from Kai Nakamura

Client certificate pinning considerations for mobile apps

0 Comments

More from Kai Nakamura