Salil

Reputation: 505

How safe is storing public key for certificate pinning?

It is usually recommended to store the public key for certificate pinning on mobile devices. Similar recommendations are made in this OWASP article. However, the application can be modified to tamper with the public key itself. So how secure is it to store the public key for certificate pinning?

Upvotes: 1

Views: 734

Answers (2)

neuhaus

Reputation: 4094

Revealing the public key is safe. That's the main principle behind public key cryptography.

If someone can tamper with the public key inside your Android app, they can also tamper with other parts of the app (for example removing encryption completely or redirecting requests to an attacker).

Upvotes: 0

matthew5025

Reputation: 250

The main question for you is secure against what?

If you mean just generally, like is it safe to store the public key, then yes, it is. That's why it is known as the public key.

If you're trying to secure against MiTM attacks from things such as a trusted CA signing a cert it should not have, then just using cert pinning is enough. So long as the cert is part of your application, and the base OS does signature verification of your application, any changes to the cert, and by extension to your app, should be detected and the application should not be allowed to run.

If you're trying to prevent the end user from sniffing the HTTPS connection, then yes, he could replace the cert with his own and sniff to his heart's content. You could verify the cert by comparing the hash of the cert, encrypt the cert, etc., but there is no way to guarantee the user will not be able to reverse engineer your application.

Upvotes: 3
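As an added example (not code from the question or from either answer), here is what "storing the public key for pinning" amounts to mechanically, in Go using only the standard library. The pin is the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, base64-encoded, which is the same value Android's Network Security Config (`<pin digest="SHA-256">`) and OkHttp's `CertificatePinner` (`sha256/...`) expect. The check runs over the chain the server presents and accepts if any certificate's key matches a pinned value; a second, not-yet-deployed backup key is pinned alongside so the key can be rotated without an app update. The host name `api.example.test`, the serial numbers and the key pairs are constructed locally for the demo; nothing touches the network. The end of the example shows why the key rather than the certificate is pinned: a certificate re-issued for the same key still matches, a certificate for a different key does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the pin of a certificate's public key:
// base64(SHA-256(DER SubjectPublicKeyInfo)). This is the value that ends up
// inside the app, and it is public information, exactly like the key itself.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins builds the callback an app would install as
// tls.Config.VerifyPeerCertificate. It runs after the normal chain
// validation and accepts the connection only if some certificate in the
// presented chain carries a pinned key. pins holds the current key and any
// backup keys, so rotating to a pre-pinned backup needs no app update.
func verifyPins(pins map[string]bool) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("pinning: cannot parse presented certificate: %w", err)
			}
			if pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pinning: no certificate in chain matches a pinned public key")
	}
}

// newKey generates a P-256 key; in practice this is the server's long-lived key.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// selfSigned issues a short-lived self-signed certificate for key. It stands
// in for a CA-issued server certificate; the host name and serial are
// constructed for the demo.
func selfSigned(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	current, err := newKey()
	if err != nil {
		panic(err)
	}
	backup, err := newKey()
	if err != nil {
		panic(err)
	}
	cert1, err := selfSigned(current, 1)
	if err != nil {
		panic(err)
	}
	cert2, err := selfSigned(current, 2) // renewed certificate, same key
	if err != nil {
		panic(err)
	}
	backupCert, err := selfSigned(backup, 3)
	if err != nil {
		panic(err)
	}
	// Both pins ship in the app; only the first key is live today.
	pins := map[string]bool{spkiPin(cert1): true, spkiPin(backupCert): true}
	check := verifyPins(pins)
	fmt.Println("current pin:", spkiPin(cert1))
	fmt.Println("renewed cert, same key:", check([][]byte{cert2.Raw}, nil))
	fmt.Println("pre-pinned backup key:", check([][]byte{backupCert.Raw}, nil))
}
```

In a real client this callback sits beside, not instead of, the platform's chain validation (leave `InsecureSkipVerify` false), so the pin only narrows the set of keys a trusted CA can vouch for. Note what the check does not do: it cannot stop someone who controls the device from patching `pins`, or `verifyPins` itself, out of the binary, which is the point both answers make.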
