iOS and Android Trusted Certificate Authorities for https communication


Francois

I'm developing a cordova application that needs to communicate with my node (Sails js) server using ssl (https).

The app will be e-commerce in nature (requires https)

I can test with a self-signed certificate by manually installing the certificate on the Apple/android device. Obviously this is not how I want to publish my app, so let's say I need to buy a certificate that both Android and Apple trust by default.

The first question is: is my assumption above correct?

I'm pretty sure both parties should trust Verisign certificates, but they are very expensive! The cheapest Verisign I could find was $599/year (for one server).

The second question is: is there a list of other certificate authorities that both Android and Apple trust by default? If so, which specific certificate should I buy from them?

My client code for creating socket connection:

    socket = io.connect(connectionUrl,
    {
       secure : true,
       port : 443,
       reconnection : true,
       reconnectionDelay : 1000,
       reconnectionDelayMax : 5000,
       timeout : 20000
    });

I can test with a self-signed certificate by manually installing the certificate on the Apple/android device. Obviously this is not how I want to publish my app, so let's say I need to buy a certificate that both Android and Apple trust by default.

The first question is: is my assumption above correct?

no.

You can also run the application in production using the certificate. Since you already know what the server's certificate is, embed it in your application. In this use case, there is no reason to go to a commercial CA or use a CA Zoo.

Note: In this particular use case, there is one trusted distribution channel (App Store and Google Play). So you can do things like leverage the prior knowledge of the server and embed the certificate without worrying about it being tampered with. If the app is not distributed through a trusted channel, then you will need additional security controls. Or if you don't know the server in advance, you can't use this method.


I'm pretty sure both parties should trust Verisign certificates, but they are very expensive! The cheapest Verisign I could find was $599/year (for one server).

no.

Use StartCom's certificate. They offer free class 1 certificates (domain validated, no wildcards). Most mobile and desktop browsers trust them. They will charge you a revocation fee if required.

CACert also offers free certificates, but I've never used them. Also, I don't know how often their CA is installed in mobile and desktop browsers.

Finally, there's a free newcomer called Let's Encrypt. I know nothing about them. I don't even know how often (or rarely) their CA certificates are trusted.

Likewise, those expensive Extended Validation (EV) certificates aren't worth the money. They don't add additional security controls, so from a security perspective they are as useful (or useless) as Domain Validation (DV) certificates. The only thing they do is restore CA profit levels eroded by the "race to the bottom".


The second question is: is there a list of other permissions that both Android and Apple trust by default?

Be careful when asking for a list of things, likes, etc. This is out of place on Stack Overflow.


    socket = io.connect(connectionUrl,
    {
       secure : true,
       port : 443,
       reconnection : true,
       reconnectionDelay : 1000,
       reconnectionDelayMax : 5000,
       timeout : 20000
    });

You will need to do more here. In particular, you will need to provide the server's certificate or the CA that authenticated the server. My PhoneGap book doesn't detail how to change or pin the certificate. But that's what you need to do.

If PhoneGap doesn't let you add a certificate (shame on them; file a bug report), then you have to use the browser security model and the CA Zoo. In the browser security model, any trust anchor or CA can claim to certify (even falsely) your commerce site. In this case, use StartCom or CACert.

The browser security model and the CA Zoo have failed more than expected. For example, in the past two years the following CAs failed (that we know of): Diginotar, Trustwave, TurkTrust, the Indian National Informatics Centre (NIC), and the French Ministry of Finance. See CACert's Risk/History for a brief history of its failures. (You should do everything possible to avoid the browser security model.)
