Yes, you would still need some form of security around the connection to the server that provides you the pins to use. Of course this could be a pin itself or a hash calculated using a public/private key pair with the public key stored in the app. Personally, I think its a huge challenge to get this right.