We need to implement certificate pinning in our mobile app. We have used Appcelerator Titanium as the framework to build the same. There is a module with AFNetworking that supports Certificate Pinning.
The concern is: if we store the certificate within the app and bundle it while uploading to the App Store/Play Store, what happens if the certificate expires? Do we have to push another update with the renewed certificate bundled? Or is there a mechanism to get the certificate updated within the mobile app?
if we store the certificate within the app and bundle it whilst being uploaded to the App Store/Play Store; what happens if the certificate expires?
You include a truststore in the app which contains the trusted CA root to validate the SSL connection. If the root expires then your SSL connection will fail. It is the expected behaviour. You can ignore it (java - ignore expired ssl certificate), but then you are decreasing your security level, which was the main reason to include the truststore.
Do we have to push another update with the renewed certificate bundled?
This action will solve the issue. Be aware that if you use a trusted CA (like VeriSign), the certificates have very long expiration times, so this is not going to be a common action. In fact you'll know well in advance when it expires.
Or is there a mechanism to get the certificate updated within the mobile app?
I think it is possible to set up a service to download the new truststore before the root CA expires, and use it in an Android application with a custom trust manager.
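As an added illustration of the answer's last point (example code, not from the question's app, Titanium or AFNetworking): an Android helper that builds an SSLContext trusting only the roots in a pinned truststore, preferring a copy downloaded ahead of the bundled root's expiry, and reporting how many days remain so the app can schedule that download. The asset and file names, the BKS format and the password are assumptions; it also assumes the replacement truststore was fetched over the still-pinned connection, since a truststore accepted from anywhere would defeat the pin.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

public final class PinnedSslContext {
    // Assumed names: a BKS truststore shipped in assets/ and an updated copy,
    // downloaded before the bundled root expires, kept in app-private storage.
    private static final String BUNDLED_TRUSTSTORE = "pinned-roots.bks";
    private static final String UPDATED_TRUSTSTORE = "pinned-roots-updated.bks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray(); // placeholder

    /** Loads the downloaded truststore if present, otherwise the bundled one. */
    public static KeyStore loadPinnedRoots(Context ctx) throws Exception {
        KeyStore ts = KeyStore.getInstance("BKS");
        File updated = new File(ctx.getFilesDir(), UPDATED_TRUSTSTORE);
        try (InputStream in = updated.exists()
                ? new FileInputStream(updated)
                : ctx.getAssets().open(BUNDLED_TRUSTSTORE)) {
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        return ts;
    }

    /** Days until the earliest root in the truststore expires; use it to schedule the refresh. */
    public static long daysUntilRootExpiry(KeyStore ts) throws Exception {
        long soonest = Long.MAX_VALUE;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            X509Certificate root = (X509Certificate) ts.getCertificate(e.nextElement());
            root.checkValidity(); // an expired root throws: the connection would fail anyway
            soonest = Math.min(soonest, root.getNotAfter().getTime());
        }
        return TimeUnit.MILLISECONDS.toDays(soonest - System.currentTimeMillis());
    }

    /** SSLContext whose trust manager accepts only chains ending in the pinned roots (no system CAs). */
    public static SSLContext build(Context ctx) throws Exception {
        KeyStore ts = loadPinnedRoots(ctx);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }
}
```

Pass the returned SSLContext's socket factory to the HTTP client; the host's own leaf certificate can still rotate freely as long as it chains to a pinned root.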