Forum Discussion

msamir_312520
Mar 06, 2017

SSL pinning

We are in the development stage for a mobile app and have successfully integrated the front-end application server with F5 ASM. We have a new change request to secure the mobile application with SSL certificate pinning.


https://infinum.co/the-capsized-eight/securing-mobile-banking-on-android-with-ssl-certificate-pinning


SSL certificate pinning is required to avoid MITM attacks. We need to check:
1- If we proceed with the change on the application side, what are the required changes on the F5?
2- Is there any alternative change using the F5 to avoid the application change and achieve the same target?


2 Replies

  • Sounds like your app will have an embedded certificate in it? Are you using a CA-signed certificate or a self-signed one? Certificate pinning basically means your app will contain, embedded in it, the certificate that you also host on your front-end / perimeter F5 where the SSL negotiation takes place. However, any change to your certificate will require an application update in order for SSL to continue to negotiate.


    You can embed a host checker (domain level) in your app that makes sure the connection it makes using SSL to your F5 has a valid domain signed by a CA. For example, your mobile app will validate that the SSL connection it makes has a valid CA-signed domain such as . Now when the app makes a connection, as long as your F5 VS SSL profile has that cert named something.yourcompany.com and signed by the CA you specified in your app, then the SSL connection will negotiate.
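The pin check the reply above describes, written out as an added example (this is not code from the thread, from F5, or from the linked article). It assumes the common "sha256/<base64>" pin format that HPKP and OkHttp's CertificatePinner use, which hashes the certificate's SubjectPublicKeyInfo rather than the whole certificate, and it stands in throwaway self-signed certificates for api.example.com (a constructed name) in place of the certificate the F5 virtual server would present. It also shows the practitioner's answer to the "any change to your certificate requires an app update" problem: embed a second pin for a pre-generated backup key, so rotating to that key needs no app release, while a certificate with any other key, for instance one presented by an interception proxy, is rejected. In a real Go client this check would be attached to tls.Config.VerifyPeerCertificate after normal chain validation; on Android the equivalent lives in the Network Security Config pin-set or an OkHttp CertificatePinner.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the pin for a certificate in the "sha256/<base64>" form used by
// HPKP and OkHttp's CertificatePinner: SHA-256 over the DER-encoded
// SubjectPublicKeyInfo, not over the whole certificate. Pinning the key rather than
// the certificate means a renewed certificate with the same key still matches.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// EmbeddedPins builds the pin set that would be compiled into the app: the pin of the
// key currently in service plus the pin of a pre-generated backup key kept offline.
func EmbeddedPins(certs ...*x509.Certificate) map[string]bool {
	pins := make(map[string]bool, len(certs))
	for _, c := range certs {
		pins[SPKIPin(c)] = true
	}
	return pins
}

// VerifyPins is the check the client runs after ordinary TLS chain validation:
// at least one certificate in the presented chain must carry a pinned public key.
func VerifyPins(chain []*x509.Certificate, pins map[string]bool) error {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return nil
		}
	}
	return errors.New("certificate pinning failure: no presented public key matches an embedded pin")
}

// newSelfSignedCert generates a fresh P-256 key pair and a self-signed certificate for
// the given name. Constructed test data: it stands in for the certificate served by
// the F5 virtual server, and every call yields a different key.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const host = "api.example.com" // assumed hostname, not from the thread
	current, err := newSelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	backup, err := newSelfSignedCert(host) // key generated ahead of time for the next rotation
	if err != nil {
		panic(err)
	}
	mitm, err := newSelfSignedCert(host) // same name, unknown key: what an interception proxy would present
	if err != nil {
		panic(err)
	}

	pins := EmbeddedPins(current, backup)
	fmt.Println("current key:", VerifyPins([]*x509.Certificate{current}, pins)) // <nil>
	fmt.Println("rotated to backup key:", VerifyPins([]*x509.Certificate{backup}, pins)) // <nil>
	fmt.Println("unknown key:", VerifyPins([]*x509.Certificate{mitm}, pins))   // pinning failure
}
```

Note that the pin set covers the server key only; the normal CA chain validation the second reply mentions still runs first, so pinning narrows the set of accepted keys rather than replacing PKI validation.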


  • No, the F5 probably can't make your Android app pin.


    You can use HPKP to pin certificates in browsers, but it is unlikely that mobile apps will honour these settings, since it requires client-side state to be preserved between visits.


    There should be no MITM with TLS unless the user or the device has added a trusted CA. But if you want to pin, and many mobile apps do, you'll want to change the app.