However, this is a good opportunity to point out that if you're building an iOS or Android app, you should not only use TLS for all your connections, but also pin your certificates and only confirm a connection after validating that certificate.
There aren't many good reasons why a mobile app should need to depend on the CA system for security. In fact, in a mobile setting, if you're willing to create a separate API endpoint for your app, you can replace the CA system entirely; just create your own CA, sign your own certs, and ship your app with your own root certificate.
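Added example (mine, not the commenter's) of the two layers described above: the app trusts only a root you issue yourself, in place of the platform CA store, and on top of that pins the API leaf's public key. It is written in Go so it runs stand-alone (the same logic maps onto an iOS/Android TLS delegate); the CA, the `api.example.app` name and the loopback `httptest` server stand in for the separate API endpoint and are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts the demo on a setup failure (key or certificate generation).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a cert from tmpl: self-signed when parent is nil (our private root), else signed by parent.
func makeCert(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is what the app ships: base64(SHA-256(SubjectPublicKeyInfo)); a key pin survives re-issue with the same key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient trusts only ownRoot (shipped with the app instead of the platform CA store) and, after chain
// validation passes, also requires the leaf's SPKI hash to equal leafPin (Go runs this hook only after validation).
func pinnedClient(ownRoot *x509.Certificate, leafPin string) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ownRoot)
	cfg := &tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if spkiPin(chains[0][0]) != leafPin { // chains[i][0] is always the presented leaf
				return fmt.Errorf("certificate pin mismatch")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// newTestbed builds the constructed PKI (private root, API leaf, an unrelated root the app never shipped) and a loopback TLS server.
func newTestbed() (ca, otherCA, leaf *x509.Certificate, srv *httptest.Server) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example App Private Root"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := makeCert(caTmpl, nil, nil)
	leaf, leafKey := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api.example.app"}, NotBefore: nb, NotAfter: na,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}, ca, caKey)
	otherTmpl := *caTmpl
	otherTmpl.Subject = pkix.Name{CommonName: "Unrelated Root"}
	otherCA, _ = makeCert(&otherTmpl, nil, nil)
	srv = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return ca, otherCA, leaf, srv
}

// connect performs one GET against url with the given trust root and pin; nil means the handshake succeeded.
func connect(url string, root *x509.Certificate, pin string) error {
	resp, err := pinnedClient(root, pin).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	ca, otherCA, leaf, srv := newTestbed()
	defer srv.Close()
	fmt.Println("own root, correct pin:      ", connect(srv.URL, ca, spkiPin(leaf)))
	fmt.Println("own root, wrong pin:        ", connect(srv.URL, ca, spkiPin(ca)))
	fmt.Println("unrelated root, correct pin:", connect(srv.URL, otherCA, spkiPin(leaf)))
}
```

The three connections show the order of the checks: a chain that does not lead to the shipped root fails before the pin is ever consulted, and a good chain with the wrong pin is still refused. Pinning the SubjectPublicKeyInfo hash rather than the whole certificate means a routine re-issue with the same key does not brick installed apps; rotating the key does require shipping the new pin (or a backup pin) in an app update first.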