White Papers
Read synopses of our white papers and download the full documents below.
- Certificate Pinning Done Right
  2026-06-15
Standard certificate pinning pins to the SHA-256 hash of a certificate's public key (SPKI), a cryptographic artifact that changes whenever a key rotates, regardless of whether the organizational identity has changed. This undermines the protection pinning was meant to provide in two ways: it leaves a silent interception path, where an attacker who obtains a legitimate certificate from the same root CA defeats the pin without breaking it; and it creates an operational burden that worsens as certificate lifetimes shrink toward 47 days, forcing app updates on the same cadence.
This paper argues that pinning should target the identity expressed through the certificate chain's naming conventions rather than the key.
- Certificate Pinning Behind Enterprise Proxies
  2026-06-24
Certificate pinning secures mobile application communications by verifying that the server presenting a certificate is the expected server, but standard pinning approaches fail in enterprise network environments where TLS inspection systems and proxies replace the server's certificate with their own. This forces SaaS providers into an uncomfortable choice: ship applications that break in enterprise environments, disable certificate pinning for enterprise customers, or maintain two separate builds.
This paper presents a third path: administrator-managed certificate pinning that works in enterprise environments without compromising security. Building on CN pinning — established in the first paper in this series — the approach delivers enterprise-specific pinning expressions through the application's existing authentication process, signed by the SaaS provider and validated against a public key embedded in the application. The enterprise administrator provides their network's certificate information to the SaaS provider; the SaaS provider signs and distributes it; the application composes it with its base pinning policy.
The result is a three-mode operational model (logging in, logged in, logging out) that maps directly to the authentication lifecycle enterprise applications already implement. CNPinning 1.2.0 provides the client-side implementation for both iOS and Android, including a bidirectional JWT reference implementation for server-side implementors. MAM and MDM deployment constraints are addressed directly, including the honest acknowledgment that MAM environments have fundamental limitations that pinning alone cannot resolve.