Severity: High | CWE-295 | OWASP A05:2021

Certificate Pinning Missing

Without certificate pinning, attackers on the same network can intercept your app's HTTPS traffic with a rogue certificate authority.

How It Works

TLS normally trusts any certificate signed by a CA in the system trust store. On a corporate or public network, a proxy whose custom CA has been added to that store can intercept all HTTPS traffic. Certificate pinning makes your app accept only your specific certificate or public key, so a MITM proxy is rejected no matter which CA signed its certificate.

Vulnerable Code

// BAD: standard fetch — trusts any system-trusted certificate
const response = await fetch('https://api.myapp.com/user', {
  headers: { Authorization: `Bearer ${token}` }
  // no pinning — interceptable by corporate proxies or malicious APs
});

Secure Code

// GOOD: use react-native-ssl-pinning for certificate pinning
import { fetch } from 'react-native-ssl-pinning';

const response = await fetch('https://api.myapp.com/user', {
  method: 'GET',
  sslPinning: { certs: ['cert_sha256_fingerprint'] }, // rejects any cert that does not match the pin
  headers: { Authorization: `Bearer ${token}` }
});

Real-World Example

Pen testers routinely bypass mobile app security by setting up a Burp Suite proxy on a shared WiFi network. Apps without certificate pinning expose all their API calls, tokens, and user data to this attack.

How to Prevent It

  • Implement certificate pinning using react-native-ssl-pinning (RN) or TrustKit (iOS/Android native)
  • Pin the public key (SPKI) rather than the full certificate to survive cert renewals
  • Always provide at least one backup pin in case your primary certificate needs to be rotated
  • Test certificate pinning with a proxy tool (Charles, Burp Suite) to verify it works before release

Affected Technologies

React Native, iOS, Android

Data Hogo detects this vulnerability automatically.
