In a corporate context, mobile apps exist that require a user to enter the server address to connect to a specific instance of this vendor’s application.
The vendor sells software that its customers deploy on premise (or on a private cloud). The end users download the vendor’s generic mobile app from an app store and connect to their own backend.
Now I read in several sources (for example: here) that for mobile apps, certificate pinning should be implemented.
For an app that makes use of a preconfigured back end, I understand certificate pinning is relatively easy to implement and does enhance the encryption situation somewhat by mitigating the risk of fake certificates installed on the device, CA issues etc.
But for a vendor that has thousands of customers that could deploy their own instance of the software, I feel it is practically impossible to collect the certificates of their customers and to bundle in certificates or public keys (hashes). Certificate pinning is an enhancement; lacking this defensive measure is not necessarily a vulnerability.
Should the vendor in this context make the effort to implement certificate pinning with all certificate management terror that will bring? Are there any ways to pin that are feasible? Are there any alternatives to pinning that can be considered in this context?
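As an added illustration (not part of the question or of any vendor's app), here is the check a pinning implementation actually performs: extract the SubjectPublicKeyInfo from the server's DER certificate, hash it, and compare it against pins kept per user-entered backend host. The certificate bytes, host names and pin store are constructed placeholders.

```python
import base64
import hashlib

def _tlv(tag, value):
    """Encode one DER TLV, using long-form length above 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_der_cert(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                         # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)            # subjectPublicKeyInfo
    return tbs[pos:end]

def spki_pin(cert_der):
    """Pin as base64(SHA-256(SPKI DER)); it survives renewals that keep the same key."""
    return base64.b64encode(hashlib.sha256(spki_from_der_cert(cert_der)).digest()).decode()

def pin_matches(pin_store, host, cert_der):
    """Pins are stored per user-entered backend host; a host with no pins never matches."""
    return spki_pin(cert_der) in pin_store.get(host, set())

def _fake_cert(key_bytes):
    """Constructed stand-in: X.509 TLV layout with placeholder contents, not a real certificate."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))  # rsaEncryption
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bytes))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
           + _tlv(0x30, b"") * 4 + spki)       # version, serial, 4 placeholder SEQUENCEs, SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

CUSTOMER_A_CERT = _fake_cert(b"\xab" * 140)    # key long enough to exercise long-form lengths
CUSTOMER_B_CERT = _fake_cert(b"\xcd" * 140)
PIN_STORE = {"erp.customer-a.example": {spki_pin(CUSTOMER_A_CERT)}}  # constructed host and pin
```

Because the pin is derived from the key rather than the whole certificate, a customer can renew a certificate without changing the pin, but a key rotation still requires the pin store for that host to be updated before the app will connect.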