I am looking at different ways to implement SSL pinning in Android. In the case of public key pinning most of the guides tell us to hardcode public keys in the app. What will happen if an attacker finds the public key by reverse engineering the app APK. Will he be able to use it for any attacks?
TLDR: no. Because the public key (as the name suggests) is no secret.
In public key cryptography schemes (used during TLS handshake), the public key is intended to be shared openly. Quoting Wikipedia:
In a public-key encryption system, anyone with a public key can encrypt a message, yielding a ciphertext, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message.
In fact, during a TLS handshake, the server sends its certificate (which includes its public key) in plaintext to the client. The entire point of "pinning" is to hard-code this public key (which you as the developer and/or provider of the internet service know ahead of time) into your application, so that it can be directly compared against during said handshake.
The reason it's only a hardening advice rather than a mandatory step, is that the "normal method" of identity verification in TLS (i.e. traversing up the chain of CAs until you reach one of the root CAs) is generally considered safe enough. The kind of attack vector that public key pinning mitigates requires a lot of resources to pull off (e.g. by obtaining control of at least an intermediate CA), which is beyond the abilities of most threat actors.