I‘m facing the implementation of certificate pinning and often get asked why if there are trust stores within Android, iOS does not have such a concept. So I’m required to build the standard HPKP and Pin two public keys.
I have read the post What is certificate pinning? and asked myself what is the main difference between certificate pinning and a TrustStore concept? Do they do the same except they validate the full certificate instead of the sha256 of the public key?
Certificate pinning and a TrustStore are not the same concept. The difference is not necessarily in trusting the certificate vs trusting the public key used in it. You can pin certificates too.
Android's Trust store essentially contains of a bunch of certificate authority that are trusted by the Android developers or users(they can manually add root certificates). When you validate a certificate using a Trust Store, you know that the certificate was created by the trusted root and the certificate was meant for a particular host. This approach leaves you vulnerable to situations like the root CA losing its private key.
As mentioned on OWASP, certificate pinning is a good way to stay away from problems like these. I am going to borrow a paragraph from that article which might help you understand the difference:
When Do You Pin?
You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.A perfect case in point: during the two weeks or so of preparation for the presentation and cheat sheet, we've observed three relevant and related failures. First was Nokia/Opera willfully breaking the secure channel; second was DigiCert issuing a code signing certificate for malware; and third was Bit9's loss of its root signing key. The environment is not only hostile, it's toxic.
