This makes a lot of sense: if your mobile app just talks to your own servers, bake the SSL public key right into the app so you don’t need the network overhead of verifying it with a CA. And you can save money too because you can make a self-signed certificate if the server is only accessed from the app.
Originally shared by Mike Belshe
http://www.belshe.com/2012/02/04/rethinking-ssl-for-mobile-apps/
One thing that can be done in addition is to verify the client key on the server as well. This keeps everything but your app from poking your RPC interface, unless someone goes through the trouble of extracting the key from the app. It's not foolproof, but it should keep out malicious passers-by for minimal effort. You can also create several keys, one per version for example, and be able to block them if necessary, as an alternative to versioned interfaces.
Mark Tinberg: Nice. I wish I could put a +2 on your comment. 🙂 I like the phrase “malicious passers-by”.
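Both ideas in this thread, the server key baked into the app from the shared post and Mark Tinberg's per-version client keys, as one added Go example (this is editor-supplied code, not code from the post, from belshe.com or from any project they mention): the app accepts the server only if the SHA-256 of its SubjectPublicKeyInfo equals the pin compiled into the app, with no CA involved, and the server accepts only client certificates whose key hash is in an allow list keyed per app version, so blocking a version means deleting one entry. The names rpc.internal and app-1.0, the version labels and all certificates are constructed for the example; a real app would ship the server pin as a hex or base64 string and the server would load the allow list from configuration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned makes a throwaway self-signed certificate; no CA is involved on either side.
func selfSigned(cn string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// spkiPin hashes the DER SubjectPublicKeyInfo; pinning the key, not the certificate, survives re-issuing a certificate for the same key.
func spkiPin(der []byte) [32]byte {
	return sha256.Sum256(must(x509.ParseCertificate(der)).RawSubjectPublicKeyInfo)
}

// appConfig (app side): an exact match on the pinned server key replaces the chain and hostname checks; the app presents its own build key.
func appConfig(serverPin [32]byte, appCert tls.Certificate) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // the pin check below is the only check made on the server
		Certificates:       []tls.Certificate{appCert},
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || spkiPin(raw[0]) != serverPin {
				return fmt.Errorf("server key does not match the pinned key")
			}
			return nil
		},
	}
}

// serverConfig (RPC side): a client certificate is mandatory and accepted only if its pin is in allowed (pin -> app version); deleting a pin blocks that build.
func serverConfig(serverCert tls.Certificate, allowed map[[32]byte]string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert, // presence is enforced here, identity below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || allowed[spkiPin(raw[0])] == "" {
				return fmt.Errorf("client key is not an allowed app version")
			}
			return nil
		},
	}
}

// connect runs one handshake over loopback and returns each side's verdict. A TLS 1.3 client finishes its
// handshake before the server has judged its certificate, so the server writes a line on success and the app reads it.
func connect(app, server *tls.Config) (appErr, serverErr error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		srv := tls.Server(must(ln.Accept()), server)
		err := srv.Handshake()
		if err == nil {
			_, err = srv.Write([]byte("rpc ready\n"))
		}
		srv.Close()
		done <- err
	}()
	cli, appErr := tls.Dial("tcp", ln.Addr().String(), app)
	if appErr == nil {
		_, appErr = cli.Read(make([]byte, 16))
		cli.Close()
	}
	return appErr, <-done
}

func main() {
	server, app := selfSigned("rpc.internal"), selfSigned("app-1.0") // constructed identities
	allowed := map[[32]byte]string{spkiPin(app.Certificate[0]): "1.0"}
	fmt.Println(connect(appConfig(spkiPin(server.Certificate[0]), app), serverConfig(server, allowed)))
}
```

Two caveats a practitioner would want before copying this. Pinning removes the CA's role in key rotation, so the next server key's pin has to ship in the app before the server switches to it, or every installed copy stops working at once; keeping two pins (current and next) in the app is the usual answer. And the client key can be pulled out of the app binary, as the comment above already concedes, so the allow list is an access gate for the RPC surface and a way to retire old builds, not an authentication of the user behind the app.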