Protection to Man-In-The-Middle attack in android client via SSL pinning


Baqir Rizvi

Jun 4, 2018, 3:26:11 AM
to Google App Engine
I want to protect my Android application from a third-party proxy app which injects its certificate into the Android trust store and intercepts the communication between client and server. In my case the user may act as an attacker.
I want to achieve this by using SSL pinning, but the problem is that Google renews its certificate after some unspecified time. I want to control the certificate renewal and expiry process myself, or at least it should be known to me beforehand.
I also visited the URL below about custom domains etc.

  1. Do I really need to use a custom domain for protection against a Man-In-The-Middle attack (meaning purchasing a new domain)?
  2. If 1 is yes, do I need to buy an SSL certificate for the purchased domain from a trusted CA, or would a self-signed certificate do the job?
  3. If 1 is no, can I directly add my self-signed certificate to App Engine to make this work without actually purchasing a domain?
  4. Are the above steps sufficient for this protection?


Jordan (Cloud Platform Support)

Jun 4, 2018, 7:12:55 PM
to google-a...@googlegroups.com
Since the 'appspot.com' domain is already signed by Google, you may be able to simply pin that public key; but there is no guarantee that Google will not change it without warning. Therefore using your own SSL certificate (self-signed should work, as the App Engine Managed SSL is actually a free LetsEncrypt cert) will ensure the key only changes when you manually make the change, and should provide the protection you are looking for.

As a side note, the older 'HPKP' way of pinning is now deprecated in favor of the safer 'Expect-CT' header. You can also use the 'secure: always' app.yaml configuration option to force all requests to use HTTPS.

- Since Google Groups is reserved for general product discussions, if you require further technical support for implementing SSL pinning it is recommended to post your detailed questions to Stack Exchange using the supported Cloud tags. 
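The reply above recommends pinning the public key of a certificate you control so that a rotation happens only when you plan it. The script below is an added example, not code from either poster or from Google: it is a hypothetical stdlib-only helper that walks the DER structure of a certificate to extract the SubjectPublicKeyInfo, computes the SHA-256 pin that Android's Network Security Config expects, and emits a `network_security_config.xml` with a primary pin, a backup pin (for a key you hold offline, so the next rotation is already trusted by deployed clients) and an `expiration` date. The certificate it parses is a constructed, unsigned X.509 skeleton built inline so the example runs offline; the domain `example.test` and the dates are placeholders. Pinning the SPKI rather than the whole certificate is what lets you renew the certificate (new serial, new validity, new signature) without changing the pin, as long as the key pair is kept.

```python
"""Compute Android Network Security Config SPKI pins from a DER certificate.

Hypothetical helper (stdlib only): a minimal DER walker extracts the
SubjectPublicKeyInfo, hashes it with SHA-256, and emits a pin-set with a
primary pin, a backup pin and an expiration date so a key rotation is planned
rather than discovered when pinned clients start failing.
"""
import base64
import hashlib


def der_read(buf: bytes):
    """Parse the first DER TLV in buf; return (tag, value, whole_tlv, rest)."""
    tag, first = buf[0], buf[1]
    header = 2
    if first & 0x80:                        # long-form length (0x81 nn, 0x82 nn nn, ...)
        n = first & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        header = 2 + n
    else:
        length = first
    end = header + length
    return tag, buf[header:end], buf[:end], buf[end:]


def der_children(value: bytes):
    """Split a constructed element's contents into (tag, value, tlv) triples."""
    out, rest = [], value
    while rest:
        tag, inner, tlv, rest = der_read(rest)
        out.append((tag, inner, tlv))
    return out


def der_encode(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER TLV (used here only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (tag + length + value) of an X.509 cert."""
    _, cert_body, _, _ = der_read(cert_der)          # Certificate ::= SEQUENCE
    _, tbs_value, _, _ = der_read(cert_body)         # tbsCertificate is its first child
    fields = der_children(tbs_value)
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, spki_tlv = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found where expected")
    return spki_tlv


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the value a <pin digest="SHA-256"> element takes."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def network_security_config(domain: str, primary: str, backup: str, expiration: str) -> str:
    """Body of res/xml/network_security_config.xml pinning two keys for one domain."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<network-security-config>\n"
        "  <domain-config>\n"
        f'    <domain includeSubdomains="false">{domain}</domain>\n'
        f'    <pin-set expiration="{expiration}">\n'
        f'      <pin digest="SHA-256">{primary}</pin>\n'
        f'      <pin digest="SHA-256">{backup}</pin>\n'   # backup key kept offline
        "    </pin-set>\n"
        "  </domain-config>\n"
        "</network-security-config>\n"
    )


def build_sample_cert(seed: int):
    """Constructed, unsigned X.509 skeleton (NOT a real certificate). Returns (cert, spki)."""
    def oid(*b):
        return der_encode(0x06, bytes(b))
    ec_pub = der_encode(0x30, oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01)       # ecPublicKey
                        + oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07))    # prime256v1
    point = der_encode(0x03, b"\x00\x04" + bytes((seed + i) % 256 for i in range(64)))
    spki = der_encode(0x30, ec_pub + point)
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
        oid(0x55, 0x04, 0x03) + der_encode(0x0C, b"example.test"))))            # CN=example.test
    sig_alg = der_encode(0x30, oid(0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02))  # ecdsa-with-SHA256
    validity = der_encode(0x30, der_encode(0x17, b"180604000000Z") * 2)
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))    # [0] version v3
        + der_encode(0x02, b"\x01")                    # serialNumber
        + sig_alg + name + validity + name + spki)
    cert = der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(70)))  # placeholder sig
    return cert, spki


if __name__ == "__main__":
    live_cert, _ = build_sample_cert(1)
    backup_cert, _ = build_sample_cert(2)
    print(network_security_config("example.test", spki_pin(live_cert),
                                  spki_pin(backup_cert), "2019-06-04"))
```

For a real deployment, read the DER bytes from your own certificate file (for a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library converts it) and pass them to `spki_pin`; the backup pin should come from a second key pair generated now and stored offline, never from a certificate that is already on the server. The `expiration` attribute makes Android stop enforcing the pins after that date, which bounds the damage if a rotation is mishandled, so set it to a date before the next planned rotation and track it in your release calendar.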