HTTP Public Key Pinning vs Certificate Transparency, which is better and why?


We are rolling out a new mobile app. Our security team recommends us to pin the public key in order to avoid MITM. iOS already has CT checks and we can enable that for the Android app as well.

The security team’s arguments for pinning are:

  1. Pinning is a more hardened solution
  2. CT is more reactive, we might have to live with a rogue certificate until it is revoked and logged in CT logs
  3. CT checks would not work in environments where corporate assets may have company PKI deployed and MITM attack is done using the company PKI

My argument for not pinning: Assume we generate a certificate and it is a 2048-bit RSA key pair. The certificate expires in 1 year, maybe 2. We go to the CA for a new certificate and the CA says “No, your key is too small, come back with a 4096 RSA key pair”. In effect, because we pinned the public key in the app, the app is bricked.

Now we release a new version of the app, but it takes typically > 1 month for the app to be adopted by all the customers. During this time, while our customers are trying to access the app at home, trying to look for offers to come and spend money in our ecosystem, they won’t be able to use the app and hence we stand to lose the customer and potential revenue.

A rogue certificate might affect 1, maybe 2 customers if someone is really being targeted to be hacked (MITM target), but the above risk is a risk to the entire customer base and for amount of time that is not directly quantifiable.

Does it really makes sense to pin? If yes, how do we mitigate the above scenario? Am I not seeing something?