May 15, 2023
  • All
  • Announcements
  • Product
  • Capacitor

Capacitor SSL Pinning: The Extra Layer of Security Your Mobile App Needs

Conner Simmons

Product Team

At Ionic, we talk a lot about mobile app security. As mobile apps become a more ubiquitous part of our lives, it’s never been more important to ensure that data accessed, used, and stored remains secure.

That’s why we developed the Ionic Enterprise SDK. It offers a trio of fully-managed security solutions–Auth Connect, Identity Vault, and Secure Storage–making it easier for you to ensure your mobile app users and their data remain safe. Now, we’re excited to bring another layer of security (and compliance) to your mobile apps – SSL Pinning for Capacitor!

SSL Pinning 101

What is it?

SSL pinning hard-codes a server’s SSL certificate or public key into an application as a means of preventing man-in-the-middle (MITM) attacks. Even if an attacker does manage to intercept the traffic between the application and the server (presenting a different certificate), the application refuses to establish a connection with their server.

Why does it matter?

SSL pinning is essential for mobile application security. It provides an additional layer of protection against MITM attacks, which are a common attack vector for mobile applications. In fact, OWASP has identified insecure communication as one of the top 10 risks to mobile apps and suggests SSL pinning as a great way to mitigate that risk. Without it, an attacker could potentially steal sensitive data, modify the data being transmitted, or even inject malicious code into the application.

However, SSL pinning is not a magic bullet. It should be used in conjunction with other security measures such as encryption, input validation, and secure coding practices. Think of it as one of many layers to the proverbial security onion. 

SSL Pinning for Capacitor

Capacitor’s SSL Pinning plugin takes the guesswork out of developing and maintaining your own secure communication layer and makes implementation simple. By leveraging certificates stored natively on-device and underpinned by the Capacitor HTTP plugin, you’ll rest easy knowing your users and their data are secure.


In capacitor.config.json:

  "plugins": {
    "SSLPinning": {
      "certs": ["sslCerts/productionCerts/primary.cer", "sslCerts/productionCerts/backup.cer"]

Or in capacitor.config.ts:

/// <reference types="@capacitor/sslpinning" />
import { CapacitorConfig } from '@capacitor/cli';
const config: CapacitorConfig = {
  plugins: {
    SSLPinning: {
      certs: ["sslCerts/productionCerts/primary.cer", "sslCerts/productionCerts/backup.cer"],
export default config;

Get started

Interested in adding a critical layer of protection to your mobile app? Talk to our sales team today to get access.

Conner Simmons

Product Team