Tags: android, ios, google-chrome, certificate-pinning

Certificate Pinning on Android / iOS in-App Browser


My company follows certificate pinning for mobile. We're starting to add login via an in-app browser in our mobile apps (similar to google, facebook, and other enterprise companies). I spoke to the web team implementing this feature, and they'd never heard of certificate pinning, which is a common practice on mobile.

I'm curious if chrome / safari automatically certificate pin, or if it's something you have to do manually in the browser.


Solution

  • I'm curious if chrome / safari automatically certificate pin, or if it's something you have to do manually in the browser.

    Chrome supported HPKP, but it has been removed in the Chrome 72 release for both desktop and Android versions.

    You can see a complete list of browsers supporting it here, that now looks like this:


    But ironically this site says that it is removed for the desktop, but not for Android, and it seems that it was never supported in iOS Safari.

    and they'd never heard of certificate pinning, which is a common practice on mobile.

    I would like to alert you to the fact that certificate pinning can be bypassed, therefore you cannot use it as the only security measure. You can read more in an article I wrote, Bypassing Certificate Pinning, to see how certificate pinning can be bypassed in a mobile app.

    In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.
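Since neither browser pins for you, the app has to carry the pin set itself and compare it against the server's leaf or intermediate certificate. The example below (added here; not from the answer above or its linked article) shows what that comparison is: the `pin-sha256` value both HPKP and Android's network security config use is the base64 SHA-256 of the DER SubjectPublicKeyInfo, so it survives certificate renewals that keep the same key. It assumes a constructed, unsigned demo certificate built by `build_demo_cert` (a hypothetical helper, not a real certificate) so it runs offline; `spki_der` also works on real DER certificates.

```python
import base64
import hashlib

SEQ, INT, OID, NULL, BITSTR, UTCTIME = b"\x30", b"\x02", b"\x06", b"\x05", b"\x03", b"\x17"

def der_tlv(tag: bytes, body: bytes) -> bytes:   # encode one DER TLV, definite length
    n = len(body)
    if n < 0x80:
        return tag + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(lb)]) + lb + body

def der_read(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n

def spki_der(cert_der: bytes) -> bytes:
    """Extract the full SubjectPublicKeyInfo TLV from an X.509 DER certificate."""
    _, cert, _ = der_read(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_read(tbs, 0)
    pos = pos if tag == 0xA0 else 0          # skip the explicit [0] version when present
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]

def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value as used by HPKP and Android's network security config."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pin_set) -> bool:
    return spki_pin(cert_der) in set(pin_set)   # keep a backup pin in the set for key rotation

# Constructed sample certificate: dummy names and dates, zeroed signature, not a real cert.
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # rsaEncryption

def build_demo_spki(key_bits: bytes) -> bytes:
    alg = der_tlv(SEQ, der_tlv(OID, RSA_OID) + der_tlv(NULL, b""))
    return der_tlv(SEQ, alg + der_tlv(BITSTR, b"\x00" + key_bits))

def build_demo_cert(key_bits: bytes) -> bytes:
    alg = der_tlv(SEQ, der_tlv(OID, RSA_OID) + der_tlv(NULL, b""))
    validity = der_tlv(SEQ, der_tlv(UTCTIME, b"240101000000Z") + der_tlv(UTCTIME, b"250101000000Z"))
    tbs = der_tlv(SEQ, der_tlv(b"\xa0", der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01") + alg
                  + der_tlv(SEQ, b"") + validity + der_tlv(SEQ, b"") + build_demo_spki(key_bits))
    return der_tlv(SEQ, tbs + alg + der_tlv(BITSTR, b"\x00" * 9))
```

A key large enough to need long-form DER lengths (as any real RSA key does) exercises the same code path, which is why the check below uses a 300-byte dummy key.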