With TLS pinning, the application is forced to validate the server certificate, while in mTLS a double validation takes place: both the client certificate and the server certificate are validated.
- Do not store client secrets and certificates directly in the application package;
- Use a password manager, such as the Keystore on Android devices and the Keychain on iOS.
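The two validation directions described above, shown with Python's standard `ssl` module as an added example (not code from the original page). The function names, the hex SHA-256 pin over the whole DER certificate, and the certificate path parameters are assumptions of this example.

```python
import hashlib
import socket
import ssl

def pin_matches(der_cert, pins):
    """TLS pinning: compare the SHA-256 of the server's DER certificate
    with the pins shipped in the app (hex strings, assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest() in {p.lower() for p in pins}

def client_context(client_cert=None, client_key=None):
    """Client side. Chain and hostname validation stay on; for mTLS the
    client also loads its own certificate and key, read at runtime from
    protected storage rather than bundled in the package."""
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def server_context(require_client_cert):
    """Server side. With mTLS the handshake fails unless the client presents
    a certificate that chains to the loaded client CA; the caller still loads
    the server certificate with load_cert_chain() and the client CA with
    load_verify_locations()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx

def open_pinned(host, port, pins, ctx):
    """Connect, then drop the connection if the validated certificate is not pinned."""
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("server certificate does not match any pin")
    return sock

# Constructed sample bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"constructed-der-certificate"
SAMPLE_PINS = [hashlib.sha256(SAMPLE_DER).hexdigest().upper()]
```

Pinning here is an extra check on top of normal chain validation, and mTLS is independent of it: `open_pinned` accepts a context built with or without a client certificate.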
-> reference
https://www.cloudflare.com/pt-br/learning/access-management/what-is-mutual-tls/