Self sign SSL certificate for my mobile app?

For your particular use case, a self signed cert would be fine.

As you control the app, you do not have to use certificates recognized by browsers, which is the key point of a certificate from a trusted CA.

Functionally, there is no difference in security. See: Does Self-signed certificate differ from CA from a security point of view?


You can get an SSL cert for something like $10. Not getting one creates far more hassle than that money is worth.

You can write code to securely verify the self-signed SSL certificate in your app, but the potential for making mistakes is greater than zero, and therefore not really worth it.


Security of the system is dependent on client implementation. All a certificate inherently does is provide an "agreed encrypted communication protocol". How secure the communication actually is comes down to whether or not there is someone playing "man in the middle".

So how do you verify that the certificate received is the same certificate that the source wants you to use? That's either through a 3rd party verifier (which is what comes with payment to a CA) or through the client who (from a previously hard coded implementation) already knows what the cert should look like.

Good luck!
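The second answer warns that hand-rolled verification of a self-signed certificate is easy to get wrong, and the third answer says the client must already know what the certificate should look like. The following is an added example (not code from any of the answers) of the usual way to do that: certificate pinning. The client skips CA validation entirely and instead checks that the SHA-256 fingerprint of the DER-encoded leaf certificate the server presents matches a fingerprint shipped inside the app. The sample bytes, pin values and the `pinned_connect` host/port are constructed placeholders; a real app would compute the pin once, offline, from its own server certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate. It is NOT a real
# certificate; it only exercises the pin arithmetic offline.
SAMPLE_DER = b"constructed stand-in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, hex-encoded: the same value
    `openssl x509 -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_from_pem(pem_cert: str) -> str:
    """Pin to ship in the app, computed once, offline, from the PEM file."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem_cert))


def cert_matches_pins(der_cert: bytes, pins) -> bool:
    """True if the presented leaf certificate matches any shipped pin.
    Ship at least one backup pin (the next certificate you will roll to) so a
    rotation does not lock every installed client out. compare_digest keeps
    the comparison constant-time; colons and case in the pin are tolerated."""
    presented = fingerprint_sha256(der_cert)
    return any(
        hmac.compare_digest(presented, p.replace(":", "").lower()) for p in pins
    )


def pinned_context() -> ssl.SSLContext:
    """TLS client context with CA validation switched off.
    On its own this is the dangerous 'accept any certificate' pattern; it is
    only acceptable because pinned_connect() checks the certificate itself
    immediately after the handshake and closes the socket on a mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain building: the pin replaces it
    return ctx


def pinned_connect(host: str, port: int, pins, timeout: float = 10.0):
    """Open a TLS connection and return it only if the peer's certificate
    matches one of `pins`; otherwise close it and raise."""
    ctx = pinned_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # handshake happens here
    try:
        der = tls.getpeercert(binary_form=True)          # DER even under CERT_NONE
        if not der or not cert_matches_pins(der, pins):
            raise ssl.SSLCertVerificationError(
                "server certificate does not match any pinned fingerprint"
            )
    except Exception:
        tls.close()   # never hand back a socket whose peer was not checked
        raise
    return tls


if __name__ == "__main__":
    # Offline demonstration with the constructed sample; a real client would
    # call pinned_connect("api.example.invalid", 443, [pin]) (hypothetical host).
    pin = pin_from_pem(SAMPLE_PEM)
    print("pin to embed in the app:", pin)
    print("same certificate accepted:", cert_matches_pins(SAMPLE_DER, [pin]))
    print("other certificate rejected:", not cert_matches_pins(b"other cert", [pin]))
```

The point of the design is that the only "trust anchor" is the fingerprint compiled into the app, so a man in the middle who presents any other certificate, including one issued by a public CA for the right hostname, is rejected. The failure mode the second answer has in mind is the first half of this code without the second: a context with `CERT_NONE` and no post-handshake check accepts anything. Pin at least two fingerprints and plan the rotation before the current certificate expires, because a client with a stale single pin cannot be updated over the very connection it is refusing.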

Tags: mobile, tls