Certificate transparency, like certificate pinning, is about ensuring a secure network connection between the app and the backend service. More precisely, it is about improving the app's trust in the network layer.

If you are concerned with protecting the source code of your mobile app, then there are other tools you should look at, for example R8, ProGuard, DexGuard and DashO, to name a few. However, these merely obfuscate your code. Ultimately, if you are deploying code onto an untrusted device, then the user of that device can do pretty much whatever they want with it. The tools above merely slow a determined hacker down.

From a backend perspective, stopping someone from mimicking your service comes down to protecting the private key used for signing the certificates. If that key were to leak, there are options to get the certificates revoked, although revocation is a flawed process and a much longer discussion.

At the end of the day application security is hard and you need to employ multiple layers of defence to protect your apps and services.

Matt Dolan has been eating doughnuts and developing with Android since the dark days of v1.6.