Your app trusts TLS certificates to know it is talking to the real server, but how would you know if someone fraudulently obtained a certificate for your domain? Certificate Transparency is the system built to answer that. It is a set of public, append-only logs that record issued certificates, so a certificate issued for your domain, by you or by an attacker, becomes visible and detectable. Apple even requires certificates to be logged for iOS to trust them by default. For an app developer, Certificate Transparency is both something your server certificates must comply with and a tool for spotting attacks on your domain. Here is what it is and why it matters for your app.
Short answer
Certificate Transparency (CT) is a system of public, append-only logs that record TLS certificates as they are issued, so misissued or fraudulent certificates for a domain can be detected. Per Apple's policy, iOS requires publicly trusted certificates to be CT-qualified, presenting evidence they were logged, to be trusted by default, so your server certificates must be CT-compliant or the app will not trust them. Modern public certificate authorities handle this automatically. Beyond compliance, CT is a detection tool: by monitoring the logs for your domains, you can spot if anyone obtains a certificate for your domain, which could indicate an attempt to intercept your app's connections. CT detects misissuance; it complements, but does not replace, TLS and certificate validation.
What you should know
- CT logs record issued certificates: in public, append-only logs.
- It makes misissuance detectable: certificates for your domain become visible.
- iOS requires CT-qualified certificates: or it will not trust them by default.
- Modern CAs comply automatically: your certificates are logged for you.
- Monitor the logs: to detect certificates issued for your domain.
What is Certificate Transparency?
It is an open framework for logging and monitoring the TLS certificates that certificate authorities issue. The problem it solves is that, historically, a certificate authority could issue a certificate for any domain and no one would necessarily know, so a misissued or fraudulently obtained certificate for your domain could be used to impersonate your server without your awareness. CT addresses this by having certificates recorded in public, append-only logs: when a certificate is issued, it is submitted to these logs, which produce signed evidence of inclusion, and because the logs are public, anyone can examine which certificates exist for a given domain. This turns certificate issuance from something opaque into something observable, so misissuance can be caught. CT does not stop a certificate from being issued; it makes the issuance visible after the fact, which is what enables detection and accountability across the certificate system.
Why does it matter for mobile apps?
For two reasons: trust requirements and attack detection. The table below summarizes them.
| Aspect | What it means for your app |
|---|---|
| iOS trust requirement | Certificates must be CT-qualified or not trusted by default |
| CA behavior | Modern public CAs log certificates automatically |
| Detection of misissuance | Monitoring logs reveals certificates for your domain |
| Relationship to pinning | CT detects; pinning restricts trust; they complement |
| Limit | CT is detection after issuance, not prevention |
The first reason is practical: because iOS requires publicly trusted certificates to be CT-qualified to be trusted by default, your server's certificate has to comply, or your app's connections to it will fail the default trust check. In practice modern public certificate authorities log certificates automatically, so a certificate from a current public CA is already compliant, but it is something to be aware of, especially if you use an unusual issuance path. The second reason is defensive: because the logs are public, you can monitor them for your domains and be alerted if a certificate is issued that you did not request, which could be an early sign of an attempt to intercept your app's traffic, letting you respond before it is used.
How do you use CT for your app?
Make sure your certificates comply, and monitor the logs for your domains. On the compliance side, use a reputable public certificate authority for your server certificates, since current public CAs submit certificates to CT logs as a matter of course, which keeps your certificates CT-qualified and trusted by iOS by default; if you operate any non-standard certificate issuance, confirm it produces CT-qualified certificates. On the detection side, use a Certificate Transparency monitoring service, or your CA's monitoring features, to watch the public logs for certificates issued for your domains, so that an unexpected certificate, one you did not request, triggers an alert and you can investigate a possible attempt to impersonate your server. Treat CT monitoring as part of your broader posture alongside TLS and, where you use it, certificate pinning: TLS and validation secure the connection, pinning restricts which certificates your app trusts, and CT monitoring tells you when a certificate exists that should not. The principle is to keep your certificates CT-compliant for trust and watch the logs for misissuance as an early-warning signal.
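As an added example (not code from the original page or from any monitoring service), here is the core detection logic a CT monitor applies to the logged certificates it retrieves for your domains: every certificate whose names fall under the monitored domain is compared against the fingerprints you actually requested and the CA you actually use, and anything else is raised as an alert. The monitored domain, fingerprints, issuer name and the flat record layout are assumptions chosen for illustration; the entries are constructed sample data, not real log output.

```python
"""Toy CT monitor: flag logged certificates that cover our domain but that we did not request."""

MONITORED = {"example.com"}             # assumed: the domain we own and watch
KNOWN_FINGERPRINTS = {"aa11", "bb22"}   # assumed: SHA-256 of certs we requested
ALLOWED_ISSUERS = {"Example CA"}        # assumed: the public CA we use

# Constructed sample entries in a simplified monitor-export shape (this example's own format).
SAMPLE_ENTRIES = [
    {"sha256": "aa11", "issuer": "Example CA", "names": ["api.example.com"]},
    {"sha256": "bb22", "issuer": "Example CA", "names": ["*.example.com", "example.com"]},
    {"sha256": "cc33", "issuer": "Other CA", "names": ["api.example.com"]},              # not our CA
    {"sha256": "dd44", "issuer": "Example CA", "names": ["example.community"]},          # lookalike, out of scope
    {"sha256": "ee55", "issuer": "Example CA", "names": ["login.example.com.evil.test"]},  # out of scope
    {"sha256": "ff66", "issuer": "Example CA", "names": ["*.internal.example.com"]},     # our CA, never requested
]


def in_scope(name: str, monitored: str) -> bool:
    """True if a certificate name (wildcard or not) sits under the monitored domain.

    This is a scope test for monitoring, not RFC 6125 hostname matching: a wildcard
    is treated as covering its suffix, and label boundaries are enforced with the
    leading dot so lookalike domains such as example.community do not match.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == monitored or name.endswith("." + monitored)


def find_unexpected(entries, monitored=MONITORED, known=KNOWN_FINGERPRINTS, issuers=ALLOWED_ISSUERS):
    """Return alerts for in-scope certificates that are not among the ones we requested."""
    alerts = []
    for entry in entries:
        hits = sorted(n for n in entry["names"] if any(in_scope(n, d) for d in monitored))
        if not hits or entry["sha256"] in known:
            continue  # irrelevant to our domain, or a certificate we issued ourselves
        reason = "unknown issuer" if entry["issuer"] not in issuers else "unrequested certificate"
        alerts.append({"sha256": entry["sha256"], "names": hits, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE_ENTRIES):
        print(f"ALERT {alert['sha256']}: {alert['reason']} for {', '.join(alert['names'])}")
```

Both flagged cases are worth investigating: a certificate from a CA you do not use is the classic misissuance signal, while an unrequested certificate from your own CA may indicate a compromised account or an issuance path you did not know about.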
What to watch out for
The first trap is assuming CT is only a server or browser concern, when iOS's default trust depends on CT-qualified certificates, so your app is affected. The second is treating CT as prevention; it detects misissuance after the fact, so it complements rather than replaces TLS, validation, and pinning. The third is not monitoring the logs at all, missing the early-warning benefit. CT applies to your server's certificates and PKI, while a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled app against OWASP MASVS, assesses how your app handles TLS and trust on the client side, the connection-security surface CT supports.
What to take away
- Certificate Transparency is a system of public, append-only logs that record issued TLS certificates, making misissued or fraudulent certificates for a domain detectable.
- It matters for mobile apps because iOS requires CT-qualified certificates to trust them by default, and because monitoring the logs detects certificates issued for your domain.
- Use a reputable public CA so your certificates are logged automatically and CT-qualified, and monitor the logs for your domains as an early-warning signal for misissuance.
- CT detects rather than prevents, complementing TLS and pinning; use a pre-submission scan such as PTKD.com to assess your app's client-side TLS and trust handling.