Why should all of a mobile app's network traffic use HTTPS, and what does certificate pinning add on top of that?
technical-conceptual · Junior level · software-engineering
What the interviewer is really asking
Assesses understanding of TLS protecting traffic in transit, the man-in-the-middle threat HTTPS mitigates, and the extra guarantee plus maintenance cost of certificate pinning.
What to say
- Explain that HTTPS/TLS encrypts traffic in transit and authenticates the server via certificates, so data can't be read or tampered with on hostile networks like public Wi-Fi.
- Describe the residual risk HTTPS alone leaves: if a trusted CA is compromised or a device has a rogue CA installed, an attacker can present a 'valid' certificate and run a man-in-the-middle attack.
- Explain pinning: the app only trusts your specific certificate or public key (ideally the SPKI hash) instead of any CA, closing that gap, while noting the real cost is maintenance, since a mishandled rotation can lock users out, so you keep backup pins.
What to avoid
- Saying HTTPS is unnecessary if the data 'isn't that sensitive', ignoring tokens and session info that travel on every request.
- Claiming pinning makes the app unhackable, with no awareness of its maintenance and rotation pitfalls.
- Disabling certificate validation or trusting all certs to make development easier and shipping that to production.
Example answers
Strong: HTTPS encrypts and authenticates traffic so someone on the same Wi-Fi can't read or modify it. But HTTPS still trusts any CA in the device store, so a compromised or attacker-installed CA enables a man-in-the-middle. Pinning narrows that trust to my own public key, usually the SPKI hash, so a forged cert is rejected. The catch is rotation: if my cert changes and the pin doesn't, users are locked out, so I keep backup pins.
Weak: HTTPS encrypts the data so it's secure. Certificate pinning is extra security that makes the app fully protected from hackers, so I'd turn it on for everything and not worry about the network after that.