SSL Pinning, by its very definition, involves embedding or "pinning" a specific server certificate, public key, or its hash within the client-side mobile application. This pre-configured, hardcoded value is used during the TLS handshake to verify that the application is communicating with the intended server, not a malicious one. The statement that SSL Pinning does not mean hardcoding the public key into the code is fundamentally incorrect, as this embedding is the core of the pinning mechanism.

A. This option is incorrect because statement C is false, meaning not all statements are true.

B. This is a primary goal of SSL Pinning. It mitigates man-in-the-middle (MITM) attacks by ensuring the app only trusts a specific certificate, preventing attackers from using a fraudulent certificate signed by a compromised Certificate Authority.

D. This accurately describes the process. The mobile app (client-side) performs an extra verification step, comparing the server's certificate against the pre-bundled (pinned) public key hashes.

1. OutSystems Documentation

"Mobile Apps Security

" Section: "Protecting Data in Transit." This official guide states: "Certificate pinning consists of embedding (or "pinning") a list of trusted certificates to the client application. During the SSL handshake

the client application checks if the server certificate is in its trust list." This confirms the "embedding" or "hardcoding" nature of the technique.

2. OutSystems Forge

"SSL Pinning Plugin

" Overview. The description for this officially supported component explains its function: "This plugin allows you to check the server certificate against a fingerprint that you have previously stored in your application." Storing the fingerprint within the application is a direct implementation of hardcoding the trust anchor.