How secure is Public Key SSL pinning?


To avoid man-in-the-middle attacks in an Android app, how efficient is the Public Key pinning method? Since anyone can easily get the public key of any domain, is it actually secure to implement?

We were already using network_security_config for certificate pinning. But since the SSL certificate's private key gets changed every year during renewal, it is becoming quite hard to force an update on user devices. Then we came across dynamic SSL pinning with the public key.


1 answer

Robert On

Certificate pinning is a good way to prevent man-in-the-middle attacks.

Getting the public key is useless, as you cannot use it in an HTTPS handshake without knowing the private key. That is the key concept of asymmetric cryptography.

It is true that the yearly HTTPS certificate renewal is a problem for implementing leaf certificate pinning. Therefore, mostly it is not the server/leaf certificate that is pinned but the intermediate or root CA certificate. These certs don't change often, and if the issuing CA follows their rules and e.g. checks whether the requester is really authorized, this is still secure enough.
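The two points above (a public key pin survives renewal only if the key pair is kept, and pinning the issuing CA's key survives a leaf renewal with a new key) as an added Go example that is not part of the original answer or of Android itself. It builds a constructed issuing CA and leaf (names "Constructed Issuing CA" and "example.test" are made up), computes the SPKI SHA-256 pin that network_security_config's `<pin digest="SHA-256">` element takes, and assumes the pin-set rule that any certificate in the chain may match a pin:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin is the base64 SHA-256 of the DER SubjectPublicKeyInfo (the <pin digest="SHA-256"> value).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// newCert issues a certificate for pub signed by signer; self-signed when parent is nil.
func newCert(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, err := x509.ParseCertificate(der) // also fails if CreateCertificate failed, so one check covers both
	if err != nil {
		panic(err)
	}
	return c
}

// pinDemo (constructed data): renews a leaf with its key pair kept, then with a fresh one, and reports which pins still match.
func pinDemo() (leafPinSameKey, leafPinNewKey, caPinNewKey bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub1, _, _ := ed25519.GenerateKey(rand.Reader) // original leaf key pair
	pub2, _, _ := ed25519.GenerateKey(rand.Reader) // rotated leaf key pair
	ca := newCert("Constructed Issuing CA", true, caPub, nil, caKey)
	leafPins := map[string]bool{spkiPin(newCert("example.test", false, pub1, ca, caKey)): true}
	caPins := map[string]bool{spkiPin(ca): true}
	// Pin-set rule: the chain passes if ANY certificate in it (here leaf or issuing CA) carries a pinned key.
	matches := func(leaf *x509.Certificate, pins map[string]bool) bool {
		return pins[spkiPin(leaf)] || pins[spkiPin(ca)]
	}
	sameKey := newCert("example.test", false, pub1, ca, caKey)
	newKey := newCert("example.test", false, pub2, ca, caKey)
	return matches(sameKey, leafPins), matches(newKey, leafPins), matches(newKey, caPins)
}
```

pinDemo returns true, false, true: the leaf pin survives a renewal that reuses the key pair, breaks when the key is rotated, and the CA pin survives the rotation.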