
Self-signed certificates on iOS


https://cordova.apache.org/docs/en/8.x/guide/appdev/security/index.html mentions that

The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.

  • Does this mean that as soon as an iOS device trusts any self-signed certificate, any SSL traffic (from any app) is insecure?
  • If yes, what's the recommended way by Apple to handle this (I believe I can't prevent a user from trusting a self-signed certificate for any reason)? Can I somehow check if any such certificate is trusted (in this example I use Cordova)?
  • Or does this mean that only for a connection where a self-signed certificate is applied, no SSL validation is executed?

Solution

  • When using Cordova on iOS, if you want to use self-signed certificates you have to add this code to your app.

    // Overrides the (private) NSURLRequest class method so that every HTTPS
    // certificate is accepted for every host: no chain validation at all.
    @implementation NSURLRequest (DataController)
    + (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host {
        return YES;
    }
    @end

    So that's probably what this means:

    The reason is that accepting self-signed certificates bypasses the certificate chain validation, which allows any server certificate to be considered valid by the device.

    Unlike Android, this is all-or-nothing: once you add that, all the validations are skipped.

    Adding that only affects your app, not other apps, but it affects all the connections your WebView does. So it makes your app highly insecure, as people could easily do man-in-the-middle attacks.
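For contrast with the blanket override above, here is an added example (not code from the answer, Cordova or Apple) of the narrower alternative: an NSURLSession delegate that trusts exactly one self-signed certificate, bundled with the app, for one host, and leaves the normal chain validation in place for everything else. The host name `dev.example.internal` and the bundled file `dev-server.der` are assumptions; this covers native NSURLSession requests made by the app or a plugin, not loads the Cordova WebView performs on its own.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate: accepts one pinned self-signed certificate for one
// host; every other host keeps the system's default certificate validation.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
        || ![space.host isEqualToString:@"dev.example.internal"]) {   // assumed host
        // Not our development host: do not weaken validation for anyone else.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Compare the presented leaf certificate byte-for-byte with the DER file
    // shipped inside the app bundle (assumed name: dev-server.der).
    SecTrustRef trust = space.serverTrust;
    NSData *pinned = [NSData dataWithContentsOfURL:
        [[NSBundle mainBundle] URLForResource:@"dev-server" withExtension:@"der"]];
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presented = leaf ? CFBridgingRelease(SecCertificateCopyData(leaf)) : nil;

    if (pinned.length > 0 && presented && [presented isEqualToData:pinned]) {
        // Exact match: trust this one certificate, and only this one.
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Any other certificate for this host (e.g. one injected by a
        // man-in-the-middle) is rejected and the connection fails.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

Because the decision is made per host and per certificate, a user or attacker presenting any other self-signed certificate still fails validation, which is the property the `allowsAnyHTTPSCertificateForHost:` override throws away.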