{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T23:06:53Z","timestamp":1769728013419,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,10,25]],"date-time":"2022-10-25T00:00:00Z","timestamp":1666656000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"H2020","award":["TRUST aWARE Project, Grant Agreement No. 101021377"],"award-info":[{"award-number":["TRUST aWARE Project, Grant Agreement No. 101021377"]}]},{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["CNS-1564329, SaTC-1955227"],"award-info":[{"award-number":["CNS-1564329, SaTC-1955227"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Spanish Ministry of Science","award":["ODIO Project, PID2019-111429RB-C22"],"award-info":[{"award-number":["ODIO Project, PID2019-111429RB-C22"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,10,25]]},"DOI":"10.1145\/3517745.3561439","type":"proceedings-article","created":{"date-parts":[[2022,10,21]],"date-time":"2022-10-21T21:28:36Z","timestamp":1666387716000},"page":"605-618","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["A comparative analysis of certificate pinning in Android & iOS"],"prefix":"10.1145","author":[{"given":"Amogh","family":"Pradeep","sequence":"first","affiliation":[{"name":"Northeastern University"}]},{"given":"Muhammad Talha","family":"Paracha","sequence":"additional","affiliation":[{"name":"Northeastern 
University"}]},{"given":"Protick","family":"Bhowmick","sequence":"additional","affiliation":[{"name":"Virginia Tech"}]},{"given":"Ali","family":"Davanian","sequence":"additional","affiliation":[{"name":"University of California"}]},{"given":"Abbas","family":"Razaghpanah","sequence":"additional","affiliation":[{"name":"ICSI \/ Cisco Inc."}]},{"given":"Taejoong","family":"Chung","sequence":"additional","affiliation":[{"name":"Virginia Tech"}]},{"given":"Martina","family":"Lindorfer","sequence":"additional","affiliation":[{"name":"TU Wien, Austria"}]},{"given":"Narseo","family":"Vallina-Rodriguez","sequence":"additional","affiliation":[{"name":"AppCensus Inc., Spain"}]},{"given":"Dave","family":"Levin","sequence":"additional","affiliation":[{"name":"University of Maryland"}]},{"given":"David","family":"Choffnes","sequence":"additional","affiliation":[{"name":"Northeastern University"}]}],"member":"320","published-online":{"date-parts":[[2022,10,25]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"[n. d.]. AlternativeTo. https:\/\/alternativeto.net\/. (Accessed on 05\/17\/2022).  [n. d.]. AlternativeTo. https:\/\/alternativeto.net\/. (Accessed on 05\/17\/2022)."},{"key":"e_1_3_2_2_2_1","unstructured":"[n. d.]. Apktool. https:\/\/ibotpeaches.github.io\/Apktool\/.  [n. d.]. Apktool. https:\/\/ibotpeaches.github.io\/Apktool\/."},{"key":"e_1_3_2_2_3_1","unstructured":"[n. d.]. CertificatePinner (OkHttp 3.14.0 API). https:\/\/square.github.io\/okhttp\/3.x\/okhttp\/okhttp3\/CertificatePinner.html. (Accessed on 01\/17\/2021).  [n. d.]. CertificatePinner (OkHttp 3.14.0 API). https:\/\/square.github.io\/okhttp\/3.x\/okhttp\/okhttp3\/CertificatePinner.html. (Accessed on 01\/17\/2021)."},{"key":"e_1_3_2_2_4_1","unstructured":"[n. d.]. Checkra1n. https:\/\/checkra.in.  [n. d.]. Checkra1n. https:\/\/checkra.in."},{"key":"e_1_3_2_2_5_1","unstructured":"[n. d.]. crt.sh Certificate Search. https:\/\/crt.sh\/. (Accessed on 05\/17\/2022).  [n. d.]. crt.sh Certificate Search. 
https:\/\/crt.sh\/. (Accessed on 05\/17\/2022)."},{"key":"e_1_3_2_2_6_1","unstructured":"[n. d.]. Curl CA Extract: Extract CA Certs from Mozilla. https:\/\/curl.se\/docs\/caextract.html. (Accessed on 05\/19\/2022).  [n. d.]. Curl CA Extract: Extract CA Certs from Mozilla. https:\/\/curl.se\/docs\/caextract.html. (Accessed on 05\/19\/2022)."},{"key":"e_1_3_2_2_7_1","unstructured":"[n. d.]. Flexdecrypt. https:\/\/github.com\/JohnCoates\/flexdecrypt.  [n. d.]. Flexdecrypt. https:\/\/github.com\/JohnCoates\/flexdecrypt."},{"key":"e_1_3_2_2_8_1","unstructured":"[n. d.]. Frida. https:\/\/frida.re\/. (Accessed on 11\/15\/2021).  [n. d.]. Frida. https:\/\/frida.re\/. (Accessed on 11\/15\/2021)."},{"key":"e_1_3_2_2_9_1","unstructured":"[n. d.]. Frida-iOS-Dump. https:\/\/github.com\/AloneMonkey\/frida-ios-dump.  [n. d.]. Frida-iOS-Dump. https:\/\/github.com\/AloneMonkey\/frida-ios-dump."},{"key":"e_1_3_2_2_10_1","unstructured":"[n. d.]. google-play-scraper. https:\/\/pypi.org\/project\/google-play-scraper\/. (Accessed on 05\/18\/2022).  [n. d.]. google-play-scraper. https:\/\/pypi.org\/project\/google-play-scraper\/. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_11_1","unstructured":"[n. d.]. GPlayCli. https:\/\/github.com\/matlink\/gplaycli. (Accessed on 05\/18\/2022).  [n. d.]. GPlayCli. https:\/\/github.com\/matlink\/gplaycli. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_12_1","unstructured":"[n. d.]. mitmproxy. https:\/\/mitmproxy.org\/.  [n. d.]. mitmproxy. https:\/\/mitmproxy.org\/."},{"key":"e_1_3_2_2_13_1","unstructured":"[n. d.]. Radare2. https:\/\/rada.re\/.  [n. d.]. Radare2. https:\/\/rada.re\/."},{"key":"e_1_3_2_2_14_1","unstructured":"[n. d.]. ripgrep (rg). https:\/\/github.com\/BurntSushi\/ripgrep.  [n. d.]. ripgrep (rg). https:\/\/github.com\/BurntSushi\/ripgrep."},{"key":"e_1_3_2_2_15_1","unstructured":"Android Developer. 2021. Security with HTTPS and SSL (version updated 2021-01-26). 
https:\/\/web.archive.org\/web\/20210301223141\/https:\/\/developer.android.com\/training\/articles\/security-ssl. (Accessed on 05\/18\/2022).  Android Developer. 2021. Security with HTTPS and SSL (version updated 2021-01-26). https:\/\/web.archive.org\/web\/20210301223141\/https:\/\/developer.android.com\/training\/articles\/security-ssl. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_16_1","unstructured":"Android Developer. 2022. Write automated tests with UI Automator. https:\/\/web.archive.org\/web\/20220907074832\/https:\/\/developer.android.com\/training\/testing\/other-components\/ui-automator. (Accessed on 09\/07\/2022).  Android Developer. 2022. Write automated tests with UI Automator. https:\/\/web.archive.org\/web\/20220907074832\/https:\/\/developer.android.com\/training\/testing\/other-components\/ui-automator. (Accessed on 09\/07\/2022)."},{"key":"e_1_3_2_2_17_1","unstructured":"App Defense Alliance. 2022. Mobile Application Security Assessment. https:\/\/appdefensealliance.dev\/masa. (Accessed on 09\/19\/2022).  App Defense Alliance. 2022. Mobile Application Security Assessment. https:\/\/appdefensealliance.dev\/masa. (Accessed on 09\/19\/2022)."},{"key":"e_1_3_2_2_18_1","unstructured":"Apple. [n. d.]. App Store Downloads on iTunes. https:\/\/apps.apple.com\/us\/genre\/ios\/id36. (Accessed on 05\/11\/2022).  Apple. [n. d.]. App Store Downloads on iTunes. https:\/\/apps.apple.com\/us\/genre\/ios\/id36. (Accessed on 05\/11\/2022)."},{"key":"e_1_3_2_2_19_1","volume-title":"Identity Pinning: How to configure server certificates for your app. https:\/\/developer.apple.com\/news\/?id=g9ejcf8y. (Accessed on 05\/18\/2022).","author":"Developer Apple","year":"2021","unstructured":"Apple Developer . 2021 . Identity Pinning: How to configure server certificates for your app. https:\/\/developer.apple.com\/news\/?id=g9ejcf8y. (Accessed on 05\/18\/2022). Apple Developer. 2021. Identity Pinning: How to configure server certificates for your app. 
https:\/\/developer.apple.com\/news\/?id=g9ejcf8y. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_20_1","unstructured":"Apple Developer Documentation. 2022. NSPinnedDomains. https:\/\/developer.apple.com\/documentation\/bundleresources\/information_property_list\/nsapptransportsecurity\/nspinneddomains. (Accessed on 05\/19\/2022).  Apple Developer Documentation. 2022. NSPinnedDomains. https:\/\/developer.apple.com\/documentation\/bundleresources\/information_property_list\/nsapptransportsecurity\/nspinneddomains. (Accessed on 05\/19\/2022)."},{"key":"e_1_3_2_2_21_1","unstructured":"Charles Arthur. 2011. Rogue web certificate could have been used to attack Iran dissidents. https:\/\/www.theguardian.com\/technology\/2011\/aug\/30\/faked-web-certificate-iran-dissidents. (Accessed on 05\/17\/2022).  Charles Arthur. 2011. Rogue web certificate could have been used to attack Iran dissidents. https:\/\/www.theguardian.com\/technology\/2011\/aug\/30\/faked-web-certificate-iran-dissidents. (Accessed on 05\/17\/2022)."},{"key":"e_1_3_2_2_22_1","unstructured":"Martin Brinkmann. 2015. Dell does a Lenovo: ships laptops with rogue root CA - gHacks Tech News. https:\/\/www.ghacks.net\/2015\/11\/23\/dell-does-a-lenovo-ships-laptops-with-rogue-root-ca\/. (Accessed on 05\/17\/2022).  Martin Brinkmann. 2015. Dell does a Lenovo: ships laptops with rogue root CA - gHacks Tech News. https:\/\/www.ghacks.net\/2015\/11\/23\/dell-does-a-lenovo-ships-laptops-with-rogue-root-ca\/. (Accessed on 05\/17\/2022)."},{"key":"e_1_3_2_2_23_1","unstructured":"Can I Use. 2022. HTTP Public Key Pinning. https:\/\/caniuse.com\/?search=hpkp. (Accessed on 05\/18\/2022).  Can I Use. 2022. HTTP Public Key Pinning. https:\/\/caniuse.com\/?search=hpkp. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.29"},{"key":"e_1_3_2_2_25_1","unstructured":"Google Developer. [n.d.]. Network Security Configuration. 
https:\/\/developer.android.com\/training\/articles\/security-config. (Accessed on 09\/08\/2021).  Google Developer. [n.d.]. Network Security Configuration. https:\/\/developer.android.com\/training\/articles\/security-config. (Accessed on 09\/08\/2021)."},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00013"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382204"},{"key":"e_1_3_2_2_29_1","unstructured":"Google Developer. 2012. Jelly Bean. https:\/\/developer.android.com\/about\/versions\/jelly-bean.html#android-4.2. (Accessed on 05\/18\/2022).  Google Developer. 2012. Jelly Bean. https:\/\/developer.android.com\/about\/versions\/jelly-bean.html#android-4.2. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_30_1","unstructured":"Google Developer. 2021. Security with HTTPS and SSL. https:\/\/developer.android.com\/training\/articles\/security-ssl. (Accessed on 05\/18\/2022).  Google Developer. 2021. Security with HTTPS and SSL. https:\/\/developer.android.com\/training\/articles\/security-ssl. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_31_1","volume-title":"Proc. of the Network and Distributed System Security Symposium (NDSS).","author":"Han Jin","unstructured":"Jin Han , Qiang Yan , Debin Gao , Jianying Zhou , and Robert H. Deng . 2013. Comparing Mobile Privacy Protection through Cross-Platform Applications . In Proc. of the Network and Distributed System Security Symposium (NDSS). Jin Han, Qiang Yan, Debin Gao, Jianying Zhou, and Robert H. Deng. 2013. Comparing Mobile Privacy Protection through Cross-Platform Applications. In Proc. of the Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_2_32_1","unstructured":"IETF. 2012. RFC 6698 - The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. https:\/\/tools.ietf.org\/html\/rfc6698. 
(Accessed on 01\/17\/2021).  IETF. 2012. RFC 6698 - The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. https:\/\/tools.ietf.org\/html\/rfc6698. (Accessed on 01\/17\/2021)."},{"key":"e_1_3_2_2_33_1","unstructured":"IETF. 2015. RFC 7469 - Public Key Pinning Extension for HTTP. https:\/\/tools.ietf.org\/html\/rfc7469. (Accessed on 01\/17\/2021).  IETF. 2015. RFC 7469 - Public Key Pinning Extension for HTTP. https:\/\/tools.ietf.org\/html\/rfc7469. (Accessed on 01\/17\/2021)."},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0033"},{"key":"e_1_3_2_2_35_1","unstructured":"Adam Langley. 2011. ImperialViolet - Public key pinning. https:\/\/www.imperialviolet.org\/2011\/05\/04\/pinning.html. (Accessed on 01\/17\/2021).  Adam Langley. 2011. ImperialViolet - Public key pinning. https:\/\/www.imperialviolet.org\/2011\/05\/04\/pinning.html. (Accessed on 01\/17\/2021)."},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487552.3487813"},{"key":"e_1_3_2_2_37_1","volume-title":"Proc. of the USENIX Security Symposium.","author":"Oltrogge Marten","year":"2015","unstructured":"Marten Oltrogge , Yasemin Acar , Sergej Dechand , Matthew Smith , and Sascha Fahl . 2015 . To Pin or Not to Pin---Helping App Developers Bullet Proof Their TLS Connections . In Proc. of the USENIX Security Symposium. Marten Oltrogge, Yasemin Acar, Sergej Dechand, Matthew Smith, and Sascha Fahl. 2015. To Pin or Not to Pin---Helping App Developers Bullet Proof Their TLS Connections. In Proc. of the USENIX Security Symposium."},{"key":"e_1_3_2_2_38_1","volume-title":"Proc. of the USENIX Security Symposium.","author":"Oltrogge Marten","year":"2021","unstructured":"Marten Oltrogge , Nicolas Huaman , Sabrina Amft , Yasemin Acar , Michael Backes , and Sascha Fahl . 2021 . Why Eve and Mallory Still Love Android: Revisiting TLS (In) Security in Android Applications . In Proc. of the USENIX Security Symposium. 
Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes, and Sascha Fahl. 2021. Why Eve and Mallory Still Love Android: Revisiting TLS (In) Security in Android Applications. In Proc. of the USENIX Security Symposium."},{"key":"e_1_3_2_2_39_1","unstructured":"Open Web Application Security Project (OWASP). 2021. Certificate and Public Key Pinning. https:\/\/owasp.org\/www-community\/controls\/Certificate_and_Public_Key_Pinning. (Accessed on 05\/18\/2022).  Open Web Application Security Project (OWASP). 2021. Certificate and Public Key Pinning. https:\/\/owasp.org\/www-community\/controls\/Certificate_and_Public_Key_Pinning. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2994459.2994473"},{"key":"e_1_3_2_2_41_1","volume-title":"Proc. of the USENIX Security Symposium.","author":"Possemato Andrea","year":"2020","unstructured":"Andrea Possemato and Yanick Fratantonio . 2020 . Towards HTTPS Everywhere on Android: We Are Not There Yet . In Proc. of the USENIX Security Symposium. Andrea Possemato and Yanick Fratantonio. 2020. Towards HTTPS Everywhere on Android: We Are Not There Yet. In Proc. of the USENIX Security Symposium."},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3143361.3143400"},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23353"},{"key":"e_1_3_2_2_44_1","volume-title":"Proc. of the USENIX Security Symposium.","author":"Reardon Joel","year":"2019","unstructured":"Joel Reardon , \u00c1lvaro Feal , Primal Wijesekera , Amit Elazari Bar On , Narseo Vallina-Rodriguez , and Serge Egelman . 2019 . 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System . In Proc. of the USENIX Security Symposium. Joel Reardon, \u00c1lvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. 2019. 
50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System. In Proc. of the USENIX Security Symposium."},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23143"},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2906388.2906392"},{"key":"e_1_3_2_2_47_1","volume-title":"Number of mobile app downloads worldwide from 2016 to","year":"2021","unstructured":"Statista. 2022. Number of mobile app downloads worldwide from 2016 to 2021 . https:\/\/www.statista.com\/statistics\/271644\/worldwide-free-and-paid-mobile-app-store-downloads\/. ( Accessed on 05\/18\/2022). Statista. 2022. Number of mobile app downloads worldwide from 2016 to 2021. https:\/\/www.statista.com\/statistics\/271644\/worldwide-free-and-paid-mobile-app-store-downloads\/. (Accessed on 05\/18\/2022)."},{"key":"e_1_3_2_2_48_1","volume-title":"Proc. of the Annual Computer Security Applications Conference (ACSAC).","author":"McMahon Stone Chris","year":"2017","unstructured":"Chris McMahon Stone , Tom Chothia , and Flavio D Garcia . 2017 . Spinner: Semi-Automatic Detection of Pinning without Hostname Verification . In Proc. of the Annual Computer Security Applications Conference (ACSAC). Chris McMahon Stone, Tom Chothia, and Flavio D Garcia. 2017. Spinner: Semi-Automatic Detection of Pinning without Hostname Verification. In Proc. of the Annual Computer Security Applications Conference (ACSAC)."},{"key":"e_1_3_2_2_49_1","volume-title":"Proc. of the USENIX Security Symposium.","author":"Tang Zhushou","year":"2020","unstructured":"Zhushou Tang , Ke Tang , Minhui Xue , Yuan Tian , Sen Chen , Muhammad Ikram , Tielei Wang , and Haojin Zhu . 2020 . iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications . In Proc. of the USENIX Security Symposium. Zhushou Tang, Ke Tang, Minhui Xue, Yuan Tian, Sen Chen, Muhammad Ikram, Tielei Wang, and Haojin Zhu. 2020. 
iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications. In Proc. of the USENIX Security Symposium."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2674005.2675015"}],"event":{"name":"IMC '22: ACM Internet Measurement Conference","location":"Nice France","acronym":"IMC '22","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication","USENIX Assoc USENIX Assoc"]},"container-title":["Proceedings of the 22nd ACM Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3517745.3561439","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3517745.3561439","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3517745.3561439","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:16Z","timestamp":1750182556000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3517745.3561439"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,25]]},"references-count":50,"alternative-id":["10.1145\/3517745.3561439","10.1145\/3517745"],"URL":"https:\/\/doi.org\/10.1145\/3517745.3561439","relation":{},"subject":[],"published":{"date-parts":[[2022,10,25]]},"assertion":[{"value":"2022-10-25","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}