But isn't this exactly why certificate pinning is needed... Sure I can roll my own PKI and install the Root CA on the client devices, but they can still intercept their own traffic by installing their own trusted Root CA.
If the TLS client isn't a webbrowser, it doesn't have to use the list of trusted roots provided by the underlying system (be it OS or browser).
Certificate Pinning is the solution you'd look to if you have a clients that cannot securely ship with root certificates/cannot pick the root certificates they will use to validate a certificate when initiating a TLS connection.
Edit: I should add that I am not a mobile developer, so I don't actually know if the 'bring your own root CA' method is supported by the corresponding TLS libraries. But I know that this is possible 'in general'
I missed the parenthetical on your comment, my apologies. You're right: if you can monkey around with things enough to SSL-proxy the traffic, then rolling your own PKI will not help prevent that. What will help prevent that, yes, is pinning, but my argument above was that pinning to any single CA (or worse, any single leaf certificate) without a mechanism for replacement is what gets people into trouble. Selecting a small set of trusted CAs is a much stronger pattern, and would preserve the inability of clients to swap out their own certs or proxy their own traffic (although it may also break things—Google had to bend on that one a bit to allow for enterprise SSL decryption, e.g.).
Not entirely accurate. Your client software builds a TLS client with your sole private trusted root. Nobody can MITM with a self signed cert unless they can reverse your client (or system) enough to hook the TLS stack, which there are numerous tools out there to do which is also why (but also irrespective of the fact) IMHO the "zomg we must prevent the user from seeing _their_ traffic" is a totally bogus pursuit. However, if you're dead set on thwarting some subset of the script kiddies, then mTLS is your friend because it's a real solution to the "I want to authenticate my client (perhaps because only it should see the traffic)" problem.
Because you control the client software so you just make a TLS client that has only your root trust anchor. This is exactly the same as CA/pubkey pinning from a threat model perspective.
