Is SSL/TLS enough to keep our users passwords safe, even in case of a MitM attack where the bad person would fake being the server and send out fake CAs etc? Is this even possible?
Since the app is downloaded from Google Play / App Store I wonder if it would add another layer of security if I were to bundle a public key to encrypt sensitive data like passwords and then decrypt them on server before using them?
Do you have any recommendations on any good white paper or similar that goes through best practices like these?
EDIT: Is this why CA's have certificates installed in the browsers, so that the certificates are checked at their servers first? That would mean that my suggestion above would do no good and that I can consider us safe?
To answer my own question, this is why clients implement Trusted Root Certification Authorities to verify certificates.
My conclusion is that this is definitely not something I have to worry about.