Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Mobile apps talk to their backends over TLS (usually). Common bugs: TLS misconfiguration (trusting any certificate), certificate pinning missing or implemented wrong (allows MITM via a custom CA installed on the device), and API authentication mistakes. Because apps can be reverse-engineered and their traffic routed through an intercepting proxy, an attacker can replay and modify API calls trivially when there is no certificate pinning.
Defence: TLS 1.3 only; certificate pinning (TrustKit on iOS, Network Security Config on Android); pin the public key (SPKI) hash rather than the certificate itself, so the pin survives cert rotation; and document the pin rotation procedure. Also enforce pinning in the app layer itself, since OS-level pinning has been bypassable.
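Key pinning versus certificate pinning under rotation, as an added Python example that is not part of this lesson: it hand-builds minimal DER certificates (constructed, unsigned, placeholder names and dates), pulls the SubjectPublicKeyInfo out with a small DER walker that follows the real X.509 field order, and shows that a monthly reissue under the same key keeps the SPKI pin stable while the certificate hash changes, and that a planned key roll only passes because its backup pin was configured in advance.

```python
import base64
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short form plus the 0x81 and 0x82 length forms)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: rsaEncryption OID + RSAPublicKey bit string."""
    integer = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # extra byte keeps it positive
    algorithm = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    public_key = der(0x03, b"\x00" + der(0x30, integer(modulus) + integer(exponent)))
    return der(0x30, algorithm + public_key)

def certificate(serial: int, spki: bytes) -> bytes:
    """Constructed X.509-shaped certificate: empty names, fixed validity, dummy signature (demo only)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + sha256_rsa
              + der(0x30, b"") + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
              + der(0x30, b"") + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))

def children(tlv: bytes) -> list:
    """Split a DER SEQUENCE into its child TLV elements (same walk works on a real certificate)."""
    hdr = 2 if tlv[1] < 0x80 else 2 + (tlv[1] & 0x7F)
    data, out, i = tlv[hdr:], [], 0
    while i < len(data):
        h, ln = 2, data[i + 1]
        if ln >= 0x80:
            h, ln = 2 + (ln & 0x7F), int.from_bytes(data[i + 2:i + 2 + (ln & 0x7F)], "big")
        out.append(data[i:i + h + ln])
        i += h + ln
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> SubjectPublicKeyInfo (sixth field once the version tag is skipped)."""
    fields = children(children(cert_der)[0])
    if fields[0][0] == 0xA0:  # explicit [0] version, present in v3 certificates
        fields = fields[1:]
    return fields[5]          # serial, sigAlg, issuer, validity, subject, spki

def spki_pin(spki: bytes) -> str:  # base64(SHA-256(DER SPKI)): the pin format TrustKit and Network Security Config use
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()
def key_pin(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))
def cert_pin(cert_der: bytes) -> str:  # hash of the whole certificate: changes on every reissue, same key or not
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()
def pin_check(cert_der: bytes, pin_set: set) -> bool:  # accept the leaf only if its key pin is configured (current + backup)
    return key_pin(cert_der) in pin_set
```

For a monthly rotation the pin set should always hold the current key's pin plus the pin of the next key before that key is ever deployed, otherwise the roll bricks every installed app.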
Use these three in order. Each builds on the one before.
In one paragraph, explain mobile cert pinning.
Walk me through key-pinning vs cert-pinning, and rotation.
Design pinning for an app whose cert rotates monthly.