Ask HN: How common or plausible are TLS MITM attacks?

  • Assuming that TLS will not be broken in transit is a common and reasonable assumption. The easiest way to break TLS is at the endpoints.

    Implementation errors in your code, cert mis-issuance, errors in the underlying TLS implementation (certificate parsing and validation errors are quite common) and device compromise are all things to think about.

    It might be useful to think about what your responsibility is versus the device vendor's responsibility versus the user's responsibility.

  • Assuming you aren’t certificate pinning, if someone gets access to the unlocked device for a moment, they can add their own cert to the device trust store and you’re dead. This is a big deal if you’re building a kiosk type of thing but not so much if it’s a phone app.

    The better approach is to assume your app will get MITMed and reduce how much damage the attacker can do.
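
An added example, not from this thread or any project it mentions, that shows the second comment's scenario in working Go (and, with it, the first comment's point that TLS gets broken at the endpoint rather than in transit). Two self-signed certificates are generated for a hypothetical host example.test: one legitimate, one the attacker dropped into the device trust store while it was unlocked. Standard chain validation accepts both; an SPKI pin shipped inside the app rejects the rogue one. Everything here is constructed for the example: the host name, the certificates, and the helper names (selfSigned, spkiPin, checkPins, accept, Demo). checkPins is written so it can be called from tls.Config.VerifyPeerCertificate, which Go invokes with the chains that normal validation already accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname that both the legitimate and the rogue certificate claim.
const serverName = "example.test"

// selfSigned returns a fresh self-signed certificate for serverName. Put straight into
// the root pool, it stands in for a CA the attacker added to the device trust store.
func selfSigned() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed demo: setup failure is not a case worth handling
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// spkiPin returns base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP-style pin;
// pinning the key rather than the certificate survives routine certificate renewal.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins requires that some certificate in some verified chain carries a pinned
// key. Run it from tls.Config.VerifyPeerCertificate, which Go calls after standard
// chain validation with the chains that validation accepted.
func checkPins(pins []string, chains [][]*x509.Certificate) error {
	for _, chain := range chains {
		for _, cert := range chain {
			for _, pin := range pins {
				if spkiPin(cert) == pin {
					return nil
				}
			}
		}
	}
	return errors.New("pin validation failed: no pinned key in any verified chain")
}

// accept mirrors what the client does for a server presenting leaf: chain validation
// against roots (the device trust store), then the pin check when pins is non-empty.
func accept(leaf *x509.Certificate, roots *x509.CertPool, pins []string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	if err != nil {
		return false
	}
	return len(pins) == 0 || checkPins(pins, chains) == nil
}

// Outcome records whether each of the four connections would be allowed.
type Outcome struct{ LegitNoPin, RogueNoPin, LegitPinned, RoguePinned bool }

// Demo runs the four cases against a trust store the attacker has already poisoned.
func Demo() Outcome {
	legit, rogue := selfSigned(), selfSigned()
	store := x509.NewCertPool()
	store.AddCert(legit)
	store.AddCert(rogue)             // added by whoever had the unlocked device for a moment
	pins := []string{spkiPin(legit)} // shipped inside the app, never read from the device store
	return Outcome{
		LegitNoPin:  accept(legit, store, nil),
		RogueNoPin:  accept(rogue, store, nil),
		LegitPinned: accept(legit, store, pins),
		RoguePinned: accept(rogue, store, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo()) // {LegitNoPin:true RogueNoPin:true LegitPinned:true RoguePinned:false}
}
```

To wire this into a real client, set `cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error { return checkPins(pins, chains) }` and leave InsecureSkipVerify false; if it is true Go passes nil chains and checkPins rejects everything, which is the right way to fail. Pin the SPKI of a backup key as well, or the first key rotation locks out every installed client. Pinning answers the poisoned-trust-store case described above; it does not help once the attacker can patch the app itself, which is where the comment's advice to limit what a MITM can do takes over.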

  • @aphextron are you aphex from ytmnd?

  • aphextron, is that you, Alex? Come post at rubycalaber, we haven't heard from you in a while.

  • Yoyo aphextron, it's your brother, was wondering where you've been for the last 4 years. Come talk to me, email me or somethin: ttheredpenn@gmail.com

  • Yo aphextron, is that you from ytmnd? Remember us? Come post on the forum, we miss you man. Searched your name and found you here, not sure why they keep deleting my message but it's your long lost bro, come to the ruby calaber forum and post, I'm there, can't post number here, glad I found you!