Our team would like to inform you of an important change regarding TLS certificate pinning support in our SDKs.
On June 30, 2025, Amplitude will officially decommission support for TLS certificate pinning on the client side.
While our SDKs have not supported pinning for several releases, we understand that a small subset of customers are still using legacy versions of our SDKs with pinning enabled. If you are one of these customers, we strongly encourage you to discontinue the use of pinning as soon as possible prior to June 30, 2025.
IMPORTANT: If you continue to rely on TLS certificate pinning after this date, then you will not be able to send data to Amplitude successfully.
We understand that this change may be disruptive and apologize for the inconvenience. There are a few reasons this change is necessary:
- Because the intermediate certificates being pinned in our legacy SDK versions are not managed by Amplitude, certificate authorities may at any time stop signing our new certificates if they include these outdated pinned intermediates.
- In order to maintain the highest security standards, we will be moving our TLS certificate management into AWS ACM. However, one consequence of this is that we will not be able to continue pinning the same intermediates, as the chain of certificate authorities will be different for certificates issued by AWS.
If you need assistance with this change or have any concerns, our technical support team is here to help.
How do I know if I am impacted by this change?
The vast majority of customers should not be impacted by this change. This only impacts customers who have enabled TLS pinning provided by either our legacy Android or iOS SDKs, or those who do any manual certificate validations before sending data to Amplitude. If you are on our Android Kotlin SDK or iOS Swift SDK, then you are not impacted, as these SDKs do not support SSL pinning.
How do I know if I am using the legacy SDKs?
Create a chart in Amplitude and select “Any Event” as the event name. Then, group the data by Library. If you see libraries labeled as “amplitude-android/version” or “amplitude-ios/version”, you're using the legacy SDKs. In contrast, “amplitude-analytics-android/version” and “amplitude-swift/version” indicate that you're using the newer Kotlin and Swift SDKs. You can also reach out to your internal team responsible for your Amplitude implementation and confirm with them what version of the SDK you are on.
What should I do if I’m impacted?
If you have enabled TLS pinning in our Android SDK as described here, you can undo the change by using the AmplitudeClient class instead of the PinnedAmplitudeClient class. If you have enabled TLS pinning in our iOS SDK as described here, you can use the same procedure but set AMPLITUDE_SSL_PINNING=0. If you do manual certificate validations before sending data to Amplitude, we cannot advise how to undo this change since it is a fully custom implementation, but you will need to ensure that the manual certificate validations are removed.
We also highly recommend that you upgrade to our latest SDK versions as a best practice.
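To confirm whether pinning is still switched on in a code base, the two identifiers named above can be searched for directly. The script below is an added example, not Amplitude's own tooling; the file types scanned, the sample project tree and the function names `find_pinning` and `demo` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Both identifiers come from the notice; where they live in a project is assumed.
ANDROID_MARKER = re.compile(r"\bPinnedAmplitudeClient\b")
IOS_FLAG = re.compile(r"\bAMPLITUDE_SSL_PINNING[\s=]+(\d+)")
# Assumed file types worth scanning: sources, build settings, Podfile.
SUFFIXES = {".java", ".kt", ".gradle", ".m", ".mm", ".h", ".swift",
            ".xcconfig", ".pbxproj"}
NAMES = {"Podfile"}


def find_pinning(root):
    """Return sorted (path, line_no, reason) for each sign pinning is still on."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        wanted = path.suffix in SUFFIXES or path.name in NAMES
        if not (path.is_file() and wanted):
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if ANDROID_MARKER.search(line):
                findings.append((rel, no, "PinnedAmplitudeClient in use"))
            flag = IOS_FLAG.search(line)
            if flag and int(flag.group(1)) != 0:  # =0 is the fixed state
                findings.append((rel, no, "AMPLITUDE_SSL_PINNING=" + flag.group(1)))
    return sorted(findings)


def demo():
    """Scan a small constructed project tree (sample files, not real code)."""
    samples = {
        "android/Tracker.java": "// constructed sample\n"
                                "client = PinnedAmplitudeClient.getInstance();\n",
        "android/Fixed.kt": "val client = AmplitudeClient()\n",
        "ios/App.xcconfig": "GCC_PREPROCESSOR_DEFINITIONS = AMPLITUDE_SSL_PINNING=1\n",
        "ios/Fixed.xcconfig": "GCC_PREPROCESSOR_DEFINITIONS = AMPLITUDE_SSL_PINNING=0\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return find_pinning(tmp)


if __name__ == "__main__":
    for path, line_no, reason in demo():
        print(f"{path}:{line_no}: {reason}")
```

An empty result only covers SDK-provided pinning; manual certificate validation in custom networking code uses no fixed identifier and has to be reviewed by hand.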
We look forward to continuing to serve you. Please do not hesitate to reach out with any questions.
The Amplitude Team