Zomato May 16, 2022

Giving Android a security boost (Part Two)

Security
Android
Original Article

Article Summary

Zomato's Android team breaks down SSL certificate pinning: the security feature that could brick your app if done wrong.

Part two of Zomato's security series dives deep into X.509 digital certificates and pinning strategies. The team explains what certificates actually contain and how to choose the right pinning approach without painting yourself into a corner during certificate rotation.

Key Takeaways

Critical Insight

Public key pinning offers the security of SSL pinning without the certificate rotation headaches that force constant app updates.

The article reveals why pinning root certificates creates the largest attack surface and which certificate format extensions actually matter.

Recent from Zomato

Rewriting the Network Connection Layer in Our Android Apps

Zomato rewrote their Android network layer for faster, better flow.

Zomato Nov 22, 2022

Our Android App Has Been Eating but Shedding Weight

Zomato trimmed their Android app’s size while keeping it tasty.

Zomato Oct 18, 2022

How We Improved Our iOS App Compile Time by 99%

Zomato boosted iOS compile speed by 99% with major tune-ups.

Zomato Sep 13, 2022

How We Cut the Build Time for Our Android App by 95%

Zomato slashed Android build times by 95% with clever shortcuts.

Zomato Aug 16, 2022

Related Articles

How AI Is Transforming the Adoption of Secure-by-Default Mobile Frameworks

Meta describes how they design secure-by-default mobile frameworks that wrap unsafe Android APIs like intent launching, and how they leverage generative AI (Llama) to automate the migration of large codebases to these secure frameworks at scale.

Meta Dec 15, 2025

Accelerating on-device ML on Meta’s apps with ExecuTorch

WhatsApp/Messenger moved key models on-device; reduced model load & inference time and improved ANR metrics. (Engineering at Meta)

Meta Jul 28, 2025

Transforming App Security from Necessary Evil to Performance Advantage

Guardsquare’s CPO shows how profile-based config can improve perf & security together. (droidcon, droidcon nyc 2025)

Guardsquare Jul 23, 2025

One Codebase, Three Platforms: X's Experience with Kotlin Multiplatform

X (formerly Twitter) engineers share their experience rewriting the X app using Kotlin Multiplatform. Starting with just 5 Android engineers, they built end-to-end encrypted direct messages shared across Android, iOS, and web. The talk covers their modular architecture with Decompose, challenges with Swift/JS interop, database persistence on web, and how KMP enabled a small team to move 40% faster while maintaining native UI on all platforms.

X (formerly Twitter) May 20, 2025