我想有我的Andr​​oid / iOS应用和我的Internet访问后端服务之间的安全通信，所以我调查HTTPS / SSL。

如果我创建自签名的证书，然后把客户证书中的应用程序，并导致后端服务要求的是的客户端证书，这是真正安全的

下面就是为什么我问。看来，客户端证书可能被黑客通过询问.apk文件。该客户端证书只是一个字符串常量，对不对？这意味着任何人都可以使用客户端证书来访问我的后端。 与.apk文件（和iOS等价物）足以不透明prevent不被发现的客户端证书

该证书是安全的，因为设备本身，没有任何安全。分发与应用程序的认证只是意味着任何人谁拥有应用程序的关键，所以也没有任何向您提供的任何担保。我想你需要一些安装后的注册步骤。

I'd like to have secure communication between my Android/iOS app and my Internet-accessible backend service, so I'm investigating HTTPS/SSL.

If I create self-signed certificates, then put a client certificate in the app and cause the backend service to require that client certificate, is this truly secure?

Here's why I'm asking. It seems that the client certificate could be "hacked" by interrogating the .apk. The client certificate is just a string constant, right? That means anyone could use the client certificate to access my backend. Is the .apk (and iOS equivalent) sufficiently opaque to prevent the client certificate from being discovered?

The certificate is as safe as the device itself, no safer. Distributing the certificate with the application just means that anyone who has the application has the key, so it doesn't provide you any security whatsoever. I think you need some kind of post-install registration step.