add cert pinning for nine f-droid repositories #1141

Merged
Iamlooker merged 1 commit into Droid-ify:main from flexxxxer:main
Nov 21, 2025

Conversation

@flexxxxer (Contributor)

https://developer.android.com/privacy-and-security/security-config
Network security config allows pinning certs for specific domains (see the Pin certificates section on the page above), so MITM is harder to perform successfully.

It is possible to pin to CA certificates (and this is exactly what I have done in the PR changes):

Certificate pinning is done by providing a set of certificates by hash of the public key (SubjectPublicKeyInfo of the X.509 certificate). A certificate chain is then valid only if the certificate chain contains at least one of the pinned public keys.

But after the expiration date, pinning is not performed (this is one of the reasons to keep updates enabled for many apps):

Additionally, it is possible to set an expiration time for pins after which pinning is not performed. This helps prevent connectivity issues in apps which have not been updated. However, setting an expiration time on pins may enable attackers to bypass your pinned certificates

Cert pinning was added for the following domains: f-droid.org, guardianproject.info, apt.izzysoft.de, app.futo.org, molly.im, app.simplex.chat, briarproject.org, microg.org, cdn.kde.org. There are plans to add pinning for some others (IronFox and Brave repos).

Changes are tested. This is how I tested them:

  • 2 different devices, 2 different networks
  • the application works with the added certificate pinning - connections to repositories hosted on the domains above work fine, as does fetching from them
  • the application works with incorrectly added certificate pinning - connections to repositories hosted on the domains above do not work, so this confirms that the changes have an effect on app functionality

It is possible to obtain certificate pubkey hashes in two ways that I know of:

openssl x509 -in /path/to/intermediate-ca-cert.pem -pubkey -noout | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | \
openssl base64

The faster these changes are in the release version the better for users :)
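The openssl pipeline above hashes the DER-encoded SubjectPublicKeyInfo (SPKI), not the whole certificate, which is why a pin on an intermediate CA key keeps working when that CA re-issues certificates under the same key. The script below is an added example and is not code from this PR or from the Droid-ify project: it uses only the Python standard library, stands in a minimal DER encoder/parser for `openssl x509 -pubkey` and `openssl pkey -outform DER`, computes the `<pin digest="SHA-256">` value, and renders the `<domain-config>` / `<pin-set expiration="...">` block from Android's network_security_config.xml format. The certificate it parses is constructed in the script from a toy modulus and is not a real CA certificate; the domain name is a placeholder.

```python
"""SPKI pins for Android network_security_config.xml: base64(SHA-256(DER SPKI)).

Added example, not code from the Droid-ify PR. Standard library only; a minimal
DER encoder/parser replaces the openssl pipeline from the PR description.
The embedded certificate is CONSTRUCTED with a toy RSA modulus (not a real key).
"""
import base64
import hashlib

# --- minimal DER encoding ---------------------------------------------------
def der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def integer(n: int) -> bytes:
    # one extra byte when the top bit is set so the INTEGER stays positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11

def rsa_spki(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING RSAPublicKey }."""
    alg = seq(RSA_ENCRYPTION, b"\x05\x00")          # parameters NULL
    key = seq(integer(modulus), integer(exponent))
    return seq(alg, tlv(0x03, b"\x00" + key))        # BIT STRING, 0 unused bits

def build_toy_certificate(spki: bytes) -> bytes:
    """Constructed, unsigned X.509-shaped DER in RFC 5280 field order (demo only)."""
    version = tlv(0xA0, integer(2))                  # [0] EXPLICIT, v3
    sig_alg = seq(SHA256_WITH_RSA, b"\x05\x00")
    empty_name = seq()
    validity = seq(tlv(0x17, b"250101000000Z"), tlv(0x17, b"260101000000Z"))
    tbs = seq(version, integer(0x1234), sig_alg, empty_name, validity, empty_name, spki)
    fake_signature = tlv(0x03, b"\x00" + bytes(16))  # placeholder, not a real signature
    return seq(tbs, sig_alg, fake_signature)

# --- minimal DER parsing ----------------------------------------------------
def der_header(buf: bytes, pos: int):
    """(tag, header_length, content_length) of the TLV starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        return buf[pos], 2, first
    n = first & 0x7F
    return buf[pos], 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def der_children(buf: bytes, pos: int):
    """Yield (tag, start, end) for each TLV nested directly inside the one at pos."""
    _, hlen, clen = der_header(buf, pos)
    cur, stop = pos + hlen, pos + hlen + clen
    while cur < stop:
        tag, chlen, cclen = der_header(buf, cur)
        yield tag, cur, cur + chlen + cclen
        cur += chlen + cclen

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate."""
    _, tbs_start, _ = next(der_children(cert_der, 0))   # tbsCertificate
    fields = list(der_children(cert_der, tbs_start))
    if fields[0][0] == 0xA0:                             # optional version field
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]

# --- pin and config snippet -------------------------------------------------
def spki_pin(spki_der: bytes) -> str:
    """Base64(SHA-256(SPKI DER)): the value Android expects in <pin digest="SHA-256">."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_set_xml(domain: str, pins, expiration: str) -> str:
    """<domain-config> block; after the YYYY-MM-DD expiration Android stops enforcing the pins."""
    out = ["<domain-config>",
           f'    <domain includeSubdomains="true">{domain}</domain>',
           f'    <pin-set expiration="{expiration}">']
    out += [f'        <pin digest="SHA-256">{p}</pin>' for p in pins]
    out += ["    </pin-set>", "</domain-config>"]
    return "\n".join(out)

TOY_MODULUS = int("c0ffee" * 40, 16)   # constructed value, not a real key
TOY_CERT = build_toy_certificate(rsa_spki(TOY_MODULUS, 65537))

if __name__ == "__main__":
    pin = spki_pin(extract_spki(TOY_CERT))
    print(pin_set_xml("repo.example.invalid", [pin], "2026-12-31"))
```

Hashing the whole certificate instead of the SPKI gives a different, wrong pin; the split between `extract_spki` and `spki_pin` makes that distinction visible. Pinning more than one key per `<pin-set>` (for example the current and a backup intermediate) is what keeps a key rotation from turning into a repository outage before users update, and the `expiration` attribute is the connectivity-versus-bypass trade-off the PR text quotes.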

@flexxxxer mentioned this pull request Nov 15, 2025
@flexxxxer changed the title from "add cert pinning for nine 9 f-droid repositories" to "add cert pinning for nine f-droid repositories" Nov 15, 2025
@Iamlooker merged commit 91a3ec9 into Droid-ify:main Nov 21, 2025
@Iamlooker (Member)

Thanks for the PR

@flexxxxer (Contributor, Author)

For future reference: this PR is part of the planned harm reduction caused by the changes in #68.
