MITRE ATT&CK® Detection Strategy

DET0646: Detection of SSL Pinning


Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because SSL pinning can limit defenders’ ability to inspect mobile command-and-control traffic. In legitimate apps, SSL pinning can protect users from interception; in adversary-controlled mobile activity, the same behavior can make incident analysis and network visibility harder. For leaders, the decision point is whether mobile security monitoring and incident response plans can still produce evidence when encrypted traffic cannot be easily intercepted or decrypted.

Executive priority

Prioritize this as a mobile security and incident response readiness issue, not just a network monitoring issue. The related ATT&CK technique is mobile-focused and applies to Android and iOS. Security leaders should ask whether SOC and IR teams can investigate suspicious mobile communications without depending solely on TLS interception, and whether they can distinguish expected certificate-pinning behavior in approved apps from suspicious use in malware or unauthorized applications.

Technical view

The ATT&CK object provides no official detection text, tactics, or platforms for DET0646, so teams should treat it as a coverage-validation prompt for the related mobile technique T1521.003. Validate whether mobile telemetry, application inventory, network metadata, certificate observations, and incident response workflows can identify or contextualize applications that enforce communication with predefined certificates. Detection engineering should account for the fact that SSL pinning may be benign in legitimate applications and may also reduce the usefulness of proxy-based traffic inspection during analysis.

Likely telemetry

  • Mobile device and application inventory for Android and iOS environments
  • Network metadata for mobile application communications, including destinations and TLS session characteristics where available
  • Certificate-related observations, including unexpected or rejected certificates where observable
  • Mobile security or EDR/MDM alerts related to suspicious applications or device compromise
  • Incident response artifacts from mobile app analysis and traffic analysis workflows

Detection direction

  • Confirm whether current mobile monitoring can surface suspicious communications even when payload inspection is unavailable.
  • Build context around known approved applications that legitimately use SSL pinning to reduce false positives.
  • Validate that analysts do not rely solely on TLS interception for mobile investigations, since SSL pinning may prevent that workflow.
  • Use the relationship to T1521.003 to focus detection review on adversary protection of command-and-control traffic, while preserving the distinction that SSL pinning is also common in legitimate software.
  • Document blind spots caused by limited mobile telemetry, unmanaged devices, or lack of application inventory.
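The detection direction above comes down to one correlation: match TLS handshake observations against an inventory of approved apps and their documented pinning behavior, so that expected pinning is suppressed and only unknown apps, approved apps that newly refuse an inspection certificate, or approved apps pinning to undocumented destinations reach an analyst. The following is an added example (not Glexia or MITRE code) using constructed inventory and event data; the field names and the "proxy_cert_rejected" signal are assumptions about what an MDM/MTD or inspection proxy exports.

```python
"""Correlate mobile app inventory with TLS observations to surface unexpected SSL pinning
(added example for DET0646 / T1521.003; constructed data, assumed field names)."""
from collections import defaultdict

# Constructed approved-app inventory: whether pinning is expected and to which destinations.
APPROVED_APPS = {
    "com.example.bank": {"pins": True, "destinations": {"api.example-bank.test"}},
    "com.example.mail": {"pins": False, "destinations": {"mail.example.test"}},
}

# Constructed TLS observations. "proxy_cert_rejected" means the client aborted the
# handshake when shown the inspection proxy's certificate, which is how pinning
# typically appears in network metadata when payload inspection is unavailable.
SAMPLE_EVENTS = [
    {"device": "d1", "app": "com.example.bank", "dst": "api.example-bank.test", "proxy_cert_rejected": True},
    {"device": "d1", "app": "com.example.mail", "dst": "mail.example.test", "proxy_cert_rejected": False},
    {"device": "d1", "app": "com.example.bank", "dst": "198.51.100.9", "proxy_cert_rejected": True},
    {"device": "d2", "app": "com.unlisted.sideload", "dst": "203.0.113.7", "proxy_cert_rejected": True},
    {"device": "d2", "app": "com.unlisted.sideload", "dst": "203.0.113.7", "proxy_cert_rejected": True},
    {"device": "d3", "app": "com.example.mail", "dst": "mail.example.test", "proxy_cert_rejected": True},
]


def classify(event, approved=APPROVED_APPS):
    """Return a verdict for one observation; only non-benign verdicts are escalated."""
    app = approved.get(event["app"])
    if not event["proxy_cert_rejected"]:
        return "inspectable"                  # proxy can see payload; no pinning signal
    if app is None:
        return "unknown_app_pinning"          # not in inventory: analyst triage
    if not app["pins"]:
        return "unexpected_pinning"           # approved app that is documented as not pinning
    if event["dst"] not in app["destinations"]:
        return "approved_app_new_destination" # pins as expected, but to an undocumented host
    return "expected_pinning"                 # documented behavior: suppress


def triage(events, approved=APPROVED_APPS):
    """Group escalated (device, app, destination) tuples by verdict, deduplicated."""
    findings = defaultdict(set)
    for e in events:
        verdict = classify(e, approved)
        if verdict not in ("inspectable", "expected_pinning"):
            findings[verdict].add((e["device"], e["app"], e["dst"]))
    return {k: sorted(v) for k, v in findings.items()}
```

Blind spots noted in the last bullet show up here as missing rows: an unmanaged device that exports no events produces no verdict at all, so coverage gaps must be tracked separately from findings.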

Mitigation priorities

  • Establish or refresh an inventory of approved mobile applications and expected communication behavior.
  • Ensure mobile device management, mobile threat defense, or equivalent mobile security controls provide enough visibility for Android and iOS investigations where those platforms are in scope.
  • Prepare IR playbooks for cases where encrypted mobile traffic cannot be intercepted and analysis must rely on endpoint, application, certificate, and metadata evidence.
  • Use allowlisting, application governance, and device compliance processes to reduce unauthorized or unknown mobile applications in managed environments.
  • Capture evidence of mobile monitoring and investigation procedures for audit and compliance readiness where mobile access supports business operations.

Analyst notes and limits

DET0646 is a detection strategy object for Detection of SSL Pinning and is linked as detecting ATT&CK mobile technique T1521.003, SSL Pinning. The supplied ATT&CK fields do not include an official description or detection procedure for the detection strategy, so the take emphasizes validation questions and defensive evidence classes rather than specific analytics.

The detection strategy has no supplied official detection text, tactics, or platforms. Platform relevance is inferred only from the related technique, which lists Android and iOS. Local application inventory, mobile management coverage, and available telemetry are required before determining actual detection coverage or risk.

Official MITRE ATT&CK definition

Detection of SSL Pinning

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID        | Name                          | Relationship / procedure
Mobile | T1521.003 | SSL Pinning (Sub-technique)   | This object detects SSL Pinning.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
4809ddfbfc0175a7...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4809ddfbfc01…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0646 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.