... (where "secure" is defined by the user agent) ...
And so Apple's definition of "secure" is that it is not enough to be under a TLS session (FF+Chrome work ok with my app) but also to be under a TLS session initiated with a "proper" SSL certificate. Not my petty self-signed one. Thanks. | [reply] [d/l] |
Not quite...
You can use a self-signed cert all you want... but you need to add it on the iPhone as a 'profile'.
In particular, you should create a self-signed CA, then sign the server cert with the CA, then add the CA to the iPhone as a profile.
Certificates can be created for IP addresses as well; just check the cert is for IP:1.2.3.4 and not DNS:1.2.3.4. Many people get this wrong and wonder why it doesn't work.
It's better to use a host name, run a DNS server and set the iPhone to use that DNS server to resolve the host name.
So it is possible to do full TLS with a verified CA in Safari in a dev environment.
| [reply] |
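The two checks the post describes (the CA must be trusted by the device, and an IP literal only matches an IP: SAN, never a DNS: SAN), as an added example that is not code from this thread: it builds a self-signed dev CA and a server cert with Go's standard crypto/x509 and then validates the server cert the way a user agent does. The "Dev Root CA" name, the 1.2.3.4 address from the post, and the trustCA switch standing in for the CA having been installed as a profile are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mustIssue signs tmpl under parent with signer's key (self-signed when parent == tmpl).
func mustIssue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // only a malformed template can get here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// clientAccepts builds a dev CA plus a server cert for addr signed by it, then validates the
// server cert as a browser would. ipSAN selects IP:addr (addr must then be an IP literal)
// versus DNS:addr in the SAN; trustCA stands for the CA profile being installed on the device.
func clientAccepts(addr string, ipSAN, trustCA bool) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Dev Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mustIssue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: addr},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ipSAN {
		srvTmpl.IPAddresses = []net.IP{net.ParseIP(addr)} // SAN "IP:1.2.3.4"
	} else {
		srvTmpl.DNSNames = []string{addr} // SAN "DNS:1.2.3.4": wrong entry type for an IP literal
	}
	srv := mustIssue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	roots := x509.NewCertPool() // an empty pool models "no CA profile installed"
	if trustCA {
		roots.AddCert(ca)
	}
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr}) // chain + name check
	return err
}
```

With the same address, only the IP: SAN plus a trusted CA verifies; a DNS: SAN holding the IP literal fails name matching, and an untrusted CA fails chain building even with the right SAN.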
As per what you linked, 'where "secure" is defined by the user agent'. In this case Apple have decided that even though TLS is established, it's not a secure channel, because the identity of the server was never verified.
I am actually surprised other browsers still send the cookie... I don't think they will continue to do this long term. It would make users who are being manned in the middle, and skip the warnings, vulnerable.
| [reply] |