Zomato May 9, 2022

Giving Android a security boost (Part One)

Security
Android
Original Article

Article Summary

Zomato's Android team is tackling a critical vulnerability that most apps ignore. Your encrypted HTTPS traffic might not be as secure as you think.

This deep dive from Zomato's engineering blog breaks down SSL pinning and why default Android certificate trust isn't enough. It's part one of a series on hardening mobile app security against man-in-the-middle attacks.

Key Takeaways

Critical Insight

SSL pinning adds a critical security layer by preventing your app from trusting malicious certificates that attackers inject into the device's trust store.

Part two promises to reveal the implementation details and tradeoffs between certificate and public key pinning strategies.

Recent from Zomato

Rewriting the Network Connection Layer in Our Android Apps

Zomato rewrote their Android network layer for faster, better flow.

Zomato Nov 22, 2022

Our Android App Has Been Eating but Shedding Weight

Zomato trimmed their Android app’s size while keeping it tasty.

Zomato Oct 18, 2022

How We Improved Our iOS App Compile Time by 99%

Zomato boosted iOS compile speed by 99% with major tune-ups.

Zomato Sep 13, 2022

How We Cut the Build Time for Our Android App by 95%

Zomato slashed Android build times by 95% with clever shortcuts.

Zomato Aug 16, 2022

Related Articles

How AI Is Transforming the Adoption of Secure-by-Default Mobile Frameworks

Meta describes how they design secure-by-default mobile frameworks that wrap unsafe Android APIs like intent launching, and how they leverage generative AI (Llama) to automate the migration of large codebases to these secure frameworks at scale.

Meta Dec 15, 2025

Accelerating on-device ML on Meta’s apps with ExecuTorch

WhatsApp/Messenger moved key models on-device; reduced model load & inference time and improved ANR metrics. (Engineering at Meta)

Meta Jul 28, 2025

Transforming App Security from Necessary Evil to Performance Advantage

Guardsquare’s CPO shows how profile-based config can improve perf & security together. (droidcon, droidcon nyc 2025)

Guardsquare Jul 23, 2025

One Codebase, Three Platforms: X's Experience with Kotlin Multiplatform

X (formerly Twitter) engineers share their experience rewriting the X app using Kotlin Multiplatform. Starting with just 5 Android engineers, they built end-to-end encrypted direct messages shared across Android, iOS, and web. The talk covers their modular architecture with Decompose, challenges with Swift/JS interop, database persistence on web, and how KMP enabled a small team to move 40% faster while maintaining native UI on all platforms.

X (formerly Twitter) May 20, 2025