Dynamic certificate pinning

别那么骄傲 2021-02-05 12:24

I have an iOS application that will be distributed to multiple customers, each using their own network infrastructure. I would like to add some certificate pinning capabilities,

2 Answers
  • 2021-02-05 12:57

    It's possible. I haven't tried myself, but I think you are looking for something like this.

    https://github.com/wultra/ssl-pinning-ios

  • 2021-02-05 13:02

    Operationally, it will be a lot easier to manage and recover from misconfigurations if you embed the certificates or keys in the App. If you just pin whatever certificate the server sent to the App the first time, you have no mechanism to support a new certificate once the current one expires or gets rotated. If that's still what you would like to do, I would recommend looking at the HPKP specification, which implements the same mechanism but for browsers: https://tools.ietf.org/html/rfc7469

    Also, if the App servers are not directly under your control, there is a high chance that pinning will end up bricking the App, if the server's certificate unexpectedly changes. Will the team building the App be informed about infrastructure/certificate changes on the App/customer servers, so they can release an update just in time? If not, you should not do it.

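The pin check that the second answer points to in RFC 7469, applied to pins shipped with the app instead of learned on first contact, as an added example that is not part of the original answers. It is written in Python to keep the logic runnable; `PinSet`, `check_chain`, the host name, the expiry value and the key placeholders are all constructed for illustration.

```python
import base64
import hashlib
import time
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset    # pins of the current key plus at least one backup key
    expires_at: float  # Unix time; mirrors HPKP max-age

    def __post_init__(self):
        # RFC 7469 rejects a pin set without a backup pin: without one,
        # the first key rotation locks every client out.
        if len(self.pins) < 2:
            raise ValueError("pin set needs a backup pin")


def check_chain(pin_set, host, chain_spkis, now=None):
    """Classify a chain that already passed normal CA validation."""
    now = time.time() if now is None else now
    if host != pin_set.host:
        return "unpinned"
    if now >= pin_set.expires_at:
        return "expired"  # pins no longer enforced, CA validation only
    # A pin may match any certificate in the chain, not only the leaf.
    if any(spki_pin(spki) in pin_set.pins for spki in chain_spkis):
        return "match"
    return "mismatch"     # reject the connection


# Constructed placeholders standing in for DER-encoded SPKI blobs.
CURRENT_KEY = b"constructed-spki-current"
BACKUP_KEY = b"constructed-spki-backup"
UNKNOWN_KEY = b"constructed-spki-unknown"
INTERMEDIATE = b"constructed-spki-intermediate"

EMBEDDED = PinSet(
    host="api.customer.example",
    pins=frozenset({spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)}),
    expires_at=2_000_000_000.0,
)
```

A server that rotates to the backup key still yields `match`, which is the recovery path a pin-on-first-use scheme lacks; an unannounced key outside the set yields `mismatch` until the pins expire or the app is updated.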