Why should all of a mobile app's network traffic use HTTPS, and what does certificate pinning add on top of that?

technical-conceptual · Junior level · software-engineering

What the interviewer is really asking

Assesses understanding of TLS protecting traffic in transit, the man-in-the-middle threat HTTPS mitigates, and the extra guarantee plus maintenance cost of certificate pinning.

What to say

What to avoid

Example answers

Strong: HTTPS encrypts and authenticates traffic so someone on the same Wi-Fi can't read or modify it. But HTTPS still trusts any CA in the device store, so a compromised or attacker-installed CA enables a man-in-the-middle. Pinning narrows that trust to my own public key, usually the SPKI hash, so a forged cert is rejected. The catch is rotation: if my cert changes and the pin doesn't, users are locked out, so I keep backup pins.

Weak: HTTPS encrypts the data so it's secure. Certificate pinning is extra security that makes the app fully protected from hackers, so I'd turn it on for everything and not worry about the network after that.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.