by Gregordinary 2690 days ago
If the app is hard coded it shouldn't trust another cert. Note though that browsers, like Chrome, ignore cert pinning if the cert chains up to a locally trusted CA. So the answer is more "It Depends".

> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.

http://www.chromium.org/Home/chromium-security/security-faq#...

EDIT: Spaced on the fact this is a phone app. While Chrome on Windows ignores certificate pins, I'm unsure if this also applies to Android / iOS root stores as well.


So what DOES pinning protect against? Certs generated by state actors with access to CAs?

That, and (more commonly) CAs mis-issuing certificates to malicious actors due to bugs or weak internal controls.

You can enforce certificate pinning in your own native app. You can even go as far as not trusting the hookable (on a JBen device) system libraries and link in your own OpenSSL or something similar.
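As an added example, not code from anyone in this thread, here is the kind of client-side pin check a native app can do on its own: the app compares the SPKI hash of the presented certificates against its pinned set, so a chain that merely validates to a locally trusted CA (the bypass the Chromium FAQ quoted above describes) is still rejected. It assumes HPKP-style pins (base64 of SHA-256 over the SubjectPublicKeyInfo DER) and uses throwaway self-signed certificates constructed in the program as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin returns the HPKP-style pin of a certificate: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins accepts a chain only if one of its certificates carries a pinned key. Called from a
// tls.Config.VerifyPeerCertificate callback it runs after chain validation, so a chain that merely reaches a locally trusted CA is rejected unless its key is pinned.
func verifyPins(pins map[string]bool, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if pins[spkiPin(cert)] {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch: none of %d presented certificates carries a pinned key", len(rawCerts))
}

// selfSignedDER makes a throwaway self-signed certificate (constructed demo input, not a real cert).
func selfSignedDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored only in this demo helper
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	pinned := selfSignedDER() // stands in for the app backend's certificate
	cert, _ := x509.ParseCertificate(pinned)
	pins := map[string]bool{spkiPin(cert): true}
	fmt.Println("pinned key accepted:", verifyPins(pins, [][]byte{pinned}) == nil)      // true
	fmt.Println("other key accepted:", verifyPins(pins, [][]byte{selfSignedDER()}) == nil) // false
}
```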
I was under the impression Chrome was dropping HPKP support (it was deprecated in 2017), so I imagine this would be across all products - desktop and mobile.

Chrome is dropping support for dynamic HPKP pins (pins that sites can add via headers) but not for static pins (Google domains etc.)

Source: https://bugs.chromium.org/p/chromium/issues/detail?id=779166

> OK, we're looking at removing dynamic PKP in M69. Static PKP will remain until further notice (we have no active plans to remove it right now).