What is Certificate Pinning?

Certificate pinning is a security practice where an application trusts only specific server certificates or public keys, instead of accepting any chain signed by a broad set of certificate authorities. It is common in mobile apps and some desktop clients to reduce risk from mis-issued or rogue CA certificates during a man-in-the-middle attack.

How pinning is implemented

After the normal TLS chain validation succeeds, the app compares the server's public key or certificate against one or more pinned values shipped in the binary or its configuration. If none match, the app refuses the connection even though the chain itself was valid. Pinning the public key (usually as a hash of the SubjectPublicKeyInfo, the SPKI hash) is more flexible than pinning the full leaf certificate, because a renewed certificate that reuses the same key pair still matches the pin.

Best practice includes backup pins so a key compromise or rotation does not brick all installs. Browser HTTP Public Key Pinning (HPKP) was largely abandoned because misconfiguration could lock users out; app-level pinning is a separate design with its own operational tradeoffs.
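As an added illustration (not ClickPatrol's code), here is the post-handshake check described above in Python: a small DER walker pulls the SubjectPublicKeyInfo out of a leaf certificate, hashes it into the base64(SHA-256) pin form, and compares it against a primary-plus-backup pin set. The sample certificate is constructed inline with placeholder key bits so the code runs offline; the `make_leaf` helper, the `SAMPLE_SPKI`/`OTHER_SPKI` values and the pin set are assumptions for the demonstration, and a renewed leaf with a new serial but the same key keeps matching, which is the renewal property the text describes.

```python
import base64
import hashlib

def der_len(n):  # DER definite length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def spki_der(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    fields = children(children(cert_body)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                      # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return tlv(0x30, fields[5][1])

def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin format used by HPKP and most app pinning libraries."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):
    """Post-handshake check: the leaf's SPKI hash must be in the primary + backup pin set."""
    return spki_pin(cert_der) in pins

# Constructed sample (not a real certificate): correct DER layout, placeholder key bits.
RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))
SAMPLE_SPKI = tlv(0x30, tlv(0x30, RSA_OID + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x01" * 32))
OTHER_SPKI = tlv(0x30, tlv(0x30, RSA_OID + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x02" * 32))
def make_leaf(serial, spki):  # minimal leaf: empty SEQUENCEs stand in for names and validity
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

In a real client the `cert_der` argument is the DER leaf taken from the verified chain after the handshake, and the pin set holds the current key plus at least one backup key that is kept offline.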

Connection to fraud and trusted measurement

Pinning protects the channel between your app and your API. It does not stop click fraud in the browser, but it matters for first-party SDKs that collect telemetry or risk signals, because a pinned path resists tampering by any proxy that terminates TLS in between. Such proxies are common in enterprise networks, and they will break a pinned connection unless you plan for their inspection roots up front.

Fraud vendors and advertisers rely on accurate client behavior and server-side correlation to catch ad fraud and click fraud. Pinning is one piece of integrity for those pipelines; layered detection still uses bot signals, IP quality, and multi-signal models like those behind ClickPatrol.

Abisola

Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.