Cert pinning makes sure your app is communicating with the correct server. Without Cert pinning I can set up an intercepting proxy to see all of the traffic flowing in and out of your app.
Pinning the cert makes sure I cannot do this as the app will only accept communications from the server the offers the correct pinned certificate.
then enabling ATS is enough for security
You can never have 'enough for security' but this part is contextual based on what your app is doing. If the endpoints and data your app processes is sensitive you should defiantly be cert pinning. I would argue you should always do it anyway as it is easy to do.
If my server below TLS 1.2 protocol, then SSL pinning is the best way to avoid insecure connections
This will cause problem with ATS, your server should really be supporting TLS 1.2 it is pretty ubiquitous now. You also need to make sure the cert is using at east SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key and you need to support one of these cyphers:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
This may look scare but in reality the above is pretty standard.
NOTE:
both of them are often referred to as SSL
You are correct but this is a bad habit. They might do the same thing but they do it in a different way. SSL is SSL and TLS is TLS, they are different.
NOTE 2:
If you do use cert pinning consider using public key pinning or CA cert pinning.
