Giving Android a security boost (Part One)
Article Summary
Zomato's Android team is tackling a weakness that most apps ignore: HTTPS traffic is only as trustworthy as the certificate authorities the device trusts, so your encrypted traffic might not be as secure as you think.
This deep dive from Zomato's engineering blog breaks down SSL pinning and why default Android certificate trust isn't enough. It's part one of a series on hardening mobile app security against man-in-the-middle attacks.
Key Takeaways
- Standard HTTPS accepts any certificate that chains to a CA in the device's trust store, so an attacker who gets their own CA trusted on the device, or who compromises a real one, can present a certificate the app accepts
- SSL pinning locks your app to specific certificates or public keys for each host, checked on top of normal chain validation
- Certificate pinning is the simplest to set up, but every certificate renewal changes the pinned hash, so the app needs an update each time the certificate rotates
- Public key pinning hashes the certificate's SubjectPublicKeyInfo instead, so it stays valid across renewals that keep the same key pair (the approach the article attributes to Google); a change of key pair still needs a new pin, so ship a backup pin as well
- Without pinning, an intercepting proxy whose CA has been installed on the device can decrypt and modify all of the app's traffic
SSL pinning adds a critical security layer by refusing certificates that the device's trust store would accept but that were not issued for your servers, including ones signed by a CA an attacker has added to that store.
About This Article
Zomato's Android app relied on standard TLS validation alone, which left it open to man-in-the-middle attacks. Because that model trusts whatever is in the device's trust store, an attacker who installs a self-signed CA certificate on a device, or who compromises a root CA, can issue certificates the app will accept.
Zomato implemented SSL pinning to lock the app to specific certificates or public keys for each host. The app now rejects any certificate that doesn't match the pinned ones, adding a check on top of (not instead of) standard TLS validation.
By pinning public keys instead of whole certificates, Zomato's app keeps working even when Google rotates its certificates monthly, as the article notes: a renewed certificate that reuses the same key pair hashes to the same public-key pin. This avoids shipping an app update on every rotation while still verifying the server's identity; a change of key pair would still require a new pin, so the pin set should also carry a backup key.
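The difference between the two kinds of pin in the takeaways above, and the rotation argument in the last paragraph, can be reproduced offline. The following Go program is an added example, not code from the Zomato article or app: it mints a self-signed test certificate for a hypothetical host (`api.example.com`), renews it on the same key pair, then re-issues it on a fresh key pair, and reports which pins still match. Go's standard library is used because it can create certificates with no network and no CA; the pins it computes are in the same `sha256/<base64 SPKI hash>` form that OkHttp's `CertificatePinner` and Android's Network Security Config accept, so these are the values an Android app would ship. The `pinSet` type, its `check` method and the `result` struct are this example's own simplification of the pinning decision, not an Android API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is a public-key pin: "sha256/" + base64(SHA-256 of the DER
// SubjectPublicKeyInfo). It depends only on the key pair, not on the cert.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// certPin hashes the entire DER certificate instead. This is what
// certificate pinning compares, and it changes on every renewal.
func certPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// issue mints a self-signed test certificate for host with the given key.
// Test-only stand-in for a CA-issued cert; serial makes each renewal distinct.
func issue(host string, key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinSet is the per-host list of public-key pins an app ships.
type pinSet map[string][]string

// check is the pinning decision made after normal chain validation: accept
// only if some certificate in the chain carries a pinned key. Unlike OkHttp,
// which skips hosts it has no pins for, this fails closed for unknown hosts.
func (p pinSet) check(host string, chain []*x509.Certificate) bool {
	for _, cert := range chain {
		for _, want := range p[host] {
			if spkiPin(cert) == want {
				return true
			}
		}
	}
	return false
}

type result struct {
	CertPinSurvivesRenewal bool
	KeyPinSurvivesRenewal  bool
	KeyPinSurvivesRekey    bool
	BackupPinSurvivesRekey bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// scenario reproduces the page's argument: renew the certificate on the same
// key pair, then on a fresh key pair, and test each kind of pin against both.
func scenario() result {
	const host = "api.example.com" // hypothetical host, not Zomato's
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	original := must(issue(host, key, 1))
	renewed := must(issue(host, key, 2)) // routine renewal: new cert, same key
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rekeyed := must(issue(host, newKey, 3)) // key rotation: SPKI hash changes too

	shipped := pinSet{host: {spkiPin(original)}}
	withBackup := pinSet{host: {spkiPin(original), spkiPin(rekeyed)}}
	return result{
		CertPinSurvivesRenewal: certPin(original) == certPin(renewed),
		KeyPinSurvivesRenewal:  shipped.check(host, []*x509.Certificate{renewed}),
		KeyPinSurvivesRekey:    shipped.check(host, []*x509.Certificate{rekeyed}),
		BackupPinSurvivesRekey: withBackup.check(host, []*x509.Certificate{rekeyed}),
	}
}

func main() { fmt.Printf("%+v\n", scenario()) }
```

Running it shows the certificate pin failing on the first renewal while the public-key pin holds, and the public-key pin failing only once the key pair itself changes, which is why a shipped pin set should include a backup key (or the key of the issuing intermediate CA) before that rotation happens.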