Certificate pinning is suicide in an environment where certificates expire in at most 47 days. You'll have to rebuild and push your app at least that often and probably sync your devops with your certificate management.
Only if you pin a CA/Browser Forum-approved certificate. But you don't have to do that.
You can instead pin a self-signed or private CA-signed certificate, and then it can have the maximum lifetime you're comfortable with and that the software supports. A related option is to ship your app with a copy of your private CA certificate(s) and configure the HTTPS client to trust those in addition to, or instead of, the system-provided CAs.
I'm not sure how viable these approaches are on more locked-down platforms (like smartphones) and, even if they are viable today, whether they will remain viable in the future. It's also only good for full apps; anything that uses the system browser has to stick with the system CAs.