How TrustPin Works
TrustPin is a cloud-based certificate pinning platform that protects mobile applications from man-in-the-middle attacks, compromised Certificate Authorities, and other network-based threats.
What is TrustPin?
TrustPin provides dynamic certificate pinning for mobile and desktop applications. Instead of hardcoding certificate pins into your app, TrustPin delivers and manages pins remotely through a secure, globally distributed platform.
The Problem
Standard TLS validation accepts any certificate that chains to one of the 100+ Certificate Authorities (CAs) in the device's trust store, so every connection is only as trustworthy as the weakest of those CAs. This creates exposure:
- Compromised CAs: If any CA (or an intermediate it has signed) is breached, attackers can obtain certificates for your domains that every client accepts
- Rogue WiFi: A malicious hotspot holding such a certificate, or one whose CA the user was persuaded to install, can intercept traffic without any warning
- Man-in-the-middle attacks: Any on-path attacker with such a certificate can impersonate your servers
- Government surveillance: State actors can compel CAs under their jurisdiction to issue certificates for interception
The Solution
Certificate pinning restricts your app to trust only specific certificates or public keys. TrustPin makes this easy by:
- Managing pins remotely - Update pins without releasing new app versions
- Zero-downtime rotation - Seamlessly rotate certificates without breaking your app
- Global distribution - Deliver pin configurations through a fast, reliable CDN
- Cryptographic signing - Ensure configuration integrity with ECDSA signatures
Core Concepts
Certificate Pinning
Certificate pinning checks that what a server presents, the whole certificate or just the public key inside it, hashes to a pre-configured value (the pin). TrustPin supports two pinning methods:
SPKI Pinning (Recommended):
- Pins the SubjectPublicKeyInfo (the public key), not the entire certificate
- Survives certificate renewal as long as the same key pair is reused
- Suited to auto-managed certificates (AWS ACM, Let's Encrypt), provided the renewal keeps the key pair; certbot, for example, generates a new private key on each renewal unless key reuse is configured, and a new key means a new pin
- Use this for production apps
Leaf Certificate Pinning:
- Pins the hash of the entire certificate
- Breaks on every renewal, because any change to the certificate changes the hash
- Requires the new pin to be published before the renewed certificate goes live
- Use only for manually managed certificates
Pinning Modes
Strict Mode (Production):
- Rejects connections to ALL domains that have no registered pins (fails closed)
- Recommended for production apps
- Maximum security
Permissive Mode (Development):
- Allows domains with no registered pins to bypass pinning (fails open)
- Use only for development and testing; a build shipped in this mode silently lets unpinned hosts through
- Logs pinning events for debugging
Configuration Signing
All configurations are signed with ECDSA P-256, and the SDK verifies the signature before applying a configuration, so a file altered anywhere between TrustPin and the device is discarded. This prevents:
- Configuration tampering
- Man-in-the-middle attacks on the CDN
- Unauthorized pin modifications
Security Model
TrustPin implements multiple security layers:
Configuration Integrity
- All configurations signed with ECDSA P-256
- Signature verified on the device before a configuration is applied
- Prevents tampering in transit, including on the CDN
Transport Security
- TLS 1.2+ for all connections
- A+ SSL Labs rating
- HSTS enabled
- Certificate Transparency enabled
Runtime Protection
- Pins checked on every HTTPS request
- A certificate issued by a compromised CA still fails the pin check, even though it chains to a trusted root
- Interception by a rogue WiFi hotspot shows up as a pin mismatch and is rejected
- Connections that fail pin validation never carry application data, so a man-in-the-middle cannot read or alter traffic
Audit Logging
- All configuration changes logged
- Security events tracked
- 1-year retention
- GDPR compliant
Key Features
Remote Pin Management
Update certificate pins without releasing new app versions. Changes propagate to online devices within minutes, as each SDK instance periodically refreshes its configuration.
Zero-Downtime Rotation
Configure multiple pins per domain to enable seamless certificate rotation. Publish the pin for the next key pair alongside the current one, wait for clients to pick up the updated configuration, switch the servers to the new certificate, then retire the old pin.
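The following added Python example walks through both the Core Concepts section above (SPKI versus leaf pinning, strict versus permissive mode) and the rotation sequence just described. It is not TrustPin's SDK code: the configuration shape, the pin encoding (base64 of a SHA-256 digest, as HPKP and most pinning SDKs use) and the DER stand-in byte strings are constructed for illustration.

```python
from __future__ import annotations
import base64
import hashlib
from dataclasses import dataclass, field

def pin_of(der: bytes) -> str:
    """A pin is base64(SHA-256(DER)): for SPKI pinning the DER
    SubjectPublicKeyInfo, for leaf pinning the whole certificate."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

@dataclass
class DomainPins:
    method: str        # "spki" or "leaf"
    pins: set[str]     # more than one pin per domain is what enables rotation

@dataclass
class PinConfig:
    mode: str                                       # "strict" or "permissive"
    domains: dict[str, DomainPins] = field(default_factory=dict)

def validate(cfg: PinConfig, host: str, cert_der: bytes, spki_der: bytes, log: list) -> bool:
    """Decide whether the connection may proceed. Unregistered hosts fail
    closed in strict mode and fail open (with a log line) in permissive mode;
    registered hosts must present something that hashes to a configured pin."""
    entry = cfg.domains.get(host)
    if entry is None:
        allowed = cfg.mode == "permissive"
        log.append(f"{host}: no pins registered, {'allowed' if allowed else 'rejected'} ({cfg.mode})")
        return allowed
    presented = pin_of(spki_der if entry.method == "spki" else cert_der)
    if presented in entry.pins:
        return True
    log.append(f"{host}: pin mismatch, server presented {presented}")
    return False

# Constructed stand-ins for DER bytes (not real certificates or keys).
KEY_1 = b"SPKI:key-pair-1"
KEY_2 = b"SPKI:key-pair-2"
CERT_2024 = b"CERT:api.example.com:2024:" + KEY_1   # current certificate
CERT_2025 = b"CERT:api.example.com:2025:" + KEY_1   # renewed, same key pair
CERT_ROT = b"CERT:api.example.com:2025:" + KEY_2    # renewed, new key pair
HOST = "api.example.com"

def renewal_outcomes() -> tuple[bool, bool]:
    """(SPKI pin result, leaf pin result) after a renewal that keeps the key pair."""
    spki_cfg = PinConfig("strict", {HOST: DomainPins("spki", {pin_of(KEY_1)})})
    leaf_cfg = PinConfig("strict", {HOST: DomainPins("leaf", {pin_of(CERT_2024)})})
    return (validate(spki_cfg, HOST, CERT_2025, KEY_1, []),
            validate(leaf_cfg, HOST, CERT_2025, KEY_1, []))

def unregistered_host(mode: str) -> bool:
    """A host with no pins: strict rejects it, permissive lets it through."""
    return validate(PinConfig(mode), "other.example", CERT_2024, KEY_1, [])

def rotation_sequence() -> list[bool]:
    """Zero-downtime key rotation driven purely by remote pin updates."""
    cfg = PinConfig("strict", {HOST: DomainPins("spki", {pin_of(KEY_1)})})
    steps = []
    steps.append(validate(cfg, HOST, CERT_ROT, KEY_2, []))   # rotate server first: outage
    cfg.domains[HOST].pins.add(pin_of(KEY_2))                # publish the backup pin
    steps.append(validate(cfg, HOST, CERT_2024, KEY_1, []))  # old key still accepted
    steps.append(validate(cfg, HOST, CERT_ROT, KEY_2, []))   # new key now accepted
    cfg.domains[HOST].pins.discard(pin_of(KEY_1))            # retire the old pin last
    steps.append(validate(cfg, HOST, CERT_2024, KEY_1, []))  # old key no longer accepted
    return steps
```

`renewal_outcomes()` gives `(True, False)`: the SPKI pin survives a same-key renewal, the leaf pin does not. `rotation_sequence()` gives `[False, True, True, False]`: the first step fails because the server was rotated before the backup pin was published, the middle two succeed while both pins are live, and the last fails once the old pin is retired. Publishing the backup pin before touching the server is the whole trick.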
Attack Prevention
TrustPin protects against:
Man-in-the-Middle (MITM) Attacks
- Detects certificate mismatches
- Rejects forged certificates
- Logs security events
Compromised Certificate Authorities
- Validates against the specific pins you registered
- A certificate that chains to a trusted root but does not match a pin is still rejected
- Prevents fraudulent certificates from being accepted
Rogue WiFi Hotspots
- Validates server certificates
- Blocks SSL interception
- Protects user credentials
DNS Spoofing
- A spoofed DNS answer only reaches an attacker's server, which cannot present a certificate that matches the pin
- Pins are tied to specific domains, so a certificate that is valid for another host does not pass
TrustPin is one layer of defense in depth: pinning defeats interception on the network path, but any client-side check can be hooked or bypassed on a rooted or jailbroken device the attacker controls, so keep server-side controls in place alongside it.
Performance
TrustPin adds minimal overhead to your application:
| Operation | Overhead | Frequency |
|---|---|---|
| Initial Setup | ~100ms | Once per app launch |
| Pin Fetch (CDN) | 50-200ms | Every 10 minutes |
| Certificate Validation | 1-5ms | Per HTTPS request |
| Local Cache Lookup | <1ms | Per HTTPS request, between CDN fetches |
Getting Started
- Sign up at app.trustpin.cloud
- Create a project and configure domains
- Integrate the SDK into your mobile app
- Test in staging with permissive mode
- Deploy to production with strict mode
Learn More
Dive deeper into how TrustPin works:
- Certificate Pinning - Deep dive into pinning methods and best practices
Or get started:
- Project Setup - Configure your first project
- SDK Integration - Integrate TrustPin into your app
- Deployment - Deploy to production
Resources
- Dashboard: app.trustpin.cloud
- Status: status.trustpin.cloud
- Support: support@trustpin.cloud