Lack of Certificate Pinning


The application does not implement certificate pinning when establishing secure network connections. Certificate pinning is the process of associating a pre-defined, authorized host with its expected X.509 certificate or public key. Without certificate pinning, an attacker can perform a man-in-the-middle (MITM) attack to intercept user data.


An attacker with access to the application's network traffic can exploit the lack of certificate pinning to intercept secure communications. The attacker could acquire a certificate the device trusts through a compromised CA or by installing a trusted user CA on the device. Once that certificate is trusted, the attacker can perform MITM attacks on encrypted communications and capture sensitive or personal information.
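As an added example (not code from this page or from any vendor SDK), the following Python shows what a public-key pin check looks like: it extracts the SubjectPublicKeyInfo (SPKI) from a DER certificate with a minimal ASN.1 walk, derives the `sha256/` pin format used by HPKP and OkHttp, and fails closed on a mismatch or an empty pin set. The certificate and key bytes are constructed structural skeletons, not real material, and the backup pin is a placeholder.

```python
import base64
import hashlib

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos. Returns (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def der_children(seq_value):
    """List the (tag, raw_tlv) elements inside a SEQUENCE's value bytes."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, raw, pos = der_tlv(seq_value, pos)
        out.append((tag, raw))
    return out

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert, _, _ = der_tlv(cert_der)           # Certificate ::= SEQUENCE
    _, tbs, _, _ = der_tlv(cert)                # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(spki_der):
    """HPKP/OkHttp-style pin string: sha256/<base64(SHA-256(SPKI DER))>."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def verify_pin(cert_der, pins):
    """Fail closed: accept only if the leaf's SPKI pin is in the pin set."""
    return bool(pins) and spki_pin(extract_spki(cert_der)) in pins

# Constructed sample data below (not real certificates or keys).
def der(tag, value):                 # tiny DER encoder, short-form lengths only
    return bytes([tag, len(value)]) + value
def fake_cert(spki_der):
    """Structural skeleton of a DER certificate, enough for extract_spki()."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")       # version, serial
           + der(0x30, b"") * 4 + spki_der)   # signature, issuer, validity, subject, SPKI
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
GOOD_SPKI = der(0x30, der(0x30, b"\x06\x00") + der(0x03, b"\x00" + b"A" * 16))
MITM_SPKI = der(0x30, der(0x30, b"\x06\x00") + der(0x03, b"\x00" + b"B" * 16))
PINS = {spki_pin(GOOD_SPKI), "sha256/" + base64.b64encode(b"\x00" * 32).decode()}  # primary + placeholder backup
```

In production the DER to check comes from `ssl.SSLSocket.getpeercert(binary_form=True)` after normal chain validation has already succeeded; pinning is a check layered on top of that validation, not a replacement for it.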

Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas
