by leftcenterright
1272 days ago
I guess the point is about MITM, which you have not really answered. MITM requires the man in the middle to present a webpage / API to the user over HTTPS with a valid certificate so that the browser or the Android app would make connections to it. They just don't accept all TLS certificates as valid, only the ones signed by CAs trusted by the device. It is the same for Android. I guess you are confusing certificate pinning with standard TLS. Certificate pinning is an additional measure and protects against compromised CAs etc. Standard TLS itself is sufficient to prevent MITM over HTTPS.

> MitM on android works very well if you just use an app without a browser view.

Do you have any examples showing this? Popular HTTP clients like okhttp on mobile devices do perform TLS validation based on trusted CAs stored on the device. You would have to go out of your way to make them trust self-signed certificates to perform MITM, or compromise a CA to issue you a certificate to allow MITM.
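To illustrate the distinction the comment draws, here is an added example (not code from the commenter or from the OkHttp project) of an Android/JVM OkHttp client in its default state, which validates the chain against the device trust store, next to the same client with certificate pinning layered on top so that a certificate issued by a compromised or rogue CA is rejected. The hostname and the SPKI pins are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClientExample {
    // Placeholder host and pins (hypothetical). Real pins are the base64-encoded
    // SHA-256 of the server's SubjectPublicKeyInfo, obtained out of band, and a
    // backup pin is kept so key rotation does not lock out every client.
    static final String HOST = "api.example.com";
    static final String PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Default client: the chain must be signed by a CA present in the device
    // trust store. A self-signed or otherwise untrusted certificate fails here.
    static OkHttpClient defaultClient() {
        return new OkHttpClient();
    }

    // Pinned client: after standard chain validation, at least one listed SPKI
    // hash must appear in the validated chain, so a certificate from any other
    // CA, including a compromised trusted one, is refused.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN)
                .add(HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when the chain validated against the trust store but no
            // pin matched: refuse the connection and surface it for monitoring.
            throw new IOException("Pin mismatch for " + HOST + ": " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(fetch(pinnedClient(), "https://" + HOST + "/health"));
    }
}
```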