1

The question addresses two fields: SSL certificates in general and Phonegap/Cordova-related capabilities.

First, let me briefly describe our case: we're creating a simple system consisting of a mobile app written in Phonegap (a client) and an HTTP(S) server with a RESTful API. Some confidential data should be transferred back and forth. The client should be authenticated with two-legged OAuth as well.

The system is closed, i.e. we're not planning to expand it to more than that single desktop app, it's about to be configured once and work continuously.

For some reasons, however, we can't put these things in a closed network to use just pure HTTP.

So, I guess, HTTPS is the only way.

Now, the problem:

  1. Phonegap's Security Guide states that there is no point in using HTTPS if it uses a self-signed certificate as opposed to one issued by a CA.

  2. On the other hand, Clint Harris explains in his answer that self-signed certs are perfectly valid, if we distribute them on our own.

  3. One additional problem is that Phonegap won't allow you to perform such AJAX calls to the RESTful API via HTTPS - the only way is to enable the debug mode or simply hack it.

That's why we're totally confused.

After all, which approach - 1 or 2 - is valid/applicable in our closed-system case and how can we solve the last (3) problem? Also, any additional explanation would be appreciated.

Community
  • 1
  • 1
somnock
  • 147
  • 10
  • It's only possible if you create a plugin that does native connections and certificate pinning, but not possible on ajax calls. If you want to use ajax, you can make the user install the certificate on the device – jcesarmobile Apr 05 '16 at 14:51

1 Answer

0
  • Self-signed certificates are valid from a security point of view only if you implement certificate pinning.

  • In Cordova you don't have the ability to implement certificate pinning because Android doesn't give you access to it.

In conclusion, the easier and safer way is to use a certificate already trusted by the system.

Tom
  • 4,666
  • 2
  • 29
  • 48
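
The pinning check that the answer and the comment above refer to, sketched in Node.js as an added example (not code from the answer, the comment or Cordova): the client ships a digest of the server's self-signed certificate and accepts a presented certificate only if its SHA-256 matches one of the pins. All function names and the PEM stand-ins are constructed for illustration; in a real client the DER bytes would come from the TLS handshake in native code.

```javascript
const crypto = require('crypto');

// Decode the first CERTIFICATE block of a PEM string to its DER bytes.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no CERTIFICATE block found');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// Pin value: SHA-256 over the whole DER-encoded certificate, base64 encoded.
function certPin(der) {
  return crypto.createHash('sha256').update(der).digest('base64');
}

// True only if the presented certificate's digest equals one of the pins.
// Several pins are allowed so a replacement certificate can be rolled out.
function isPinned(der, pins) {
  const got = crypto.createHash('sha256').update(der).digest();
  let ok = false;
  for (const pin of pins) {
    const want = Buffer.from(pin, 'base64');
    // timingSafeEqual throws on unequal lengths, so check the length first.
    if (want.length === got.length && crypto.timingSafeEqual(want, got)) ok = true;
  }
  return ok;
}

// Constructed stand-ins: opaque bytes wrapped as PEM, not real X.509 certificates.
function fakePem(label) {
  const b64 = Buffer.from('constructed-certificate-bytes:' + label).toString('base64');
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}

// The certificate bundled with the app at build time, and the pin derived from it.
const shippedWithApp = fakePem('our-self-signed-server');
const PINS = [certPin(pemToDer(shippedWithApp))];

// Compare the bundled certificate and an unrelated one against the pin set.
function demo() {
  return {
    sameCert: isPinned(pemToDer(shippedWithApp), PINS),
    otherCert: isPinned(pemToDer(fakePem('someone-else')), PINS),
  };
}
```

A match on the digest replaces the CA chain as the source of trust, which is why a self-signed certificate without this check gives no assurance about who is on the other end.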