But how do you do this through an "app" and still know that the other end is secure? An easy way might be to reference a different server name.
And now, there's a patent on that.
Patent 7,945,654 describes this behavior, with the added twist of non-standard "top-level domain names":
A secure domain name service for a computer network is disclosed that includes a portal connected to a computer network, such as the Internet, and a domain name database connected to the computer network through the portal. The portal authenticates a query for a secure computer network address, and the domain name database stores secure computer network addresses for the computer network. Each secure computer network address is based on a non-standard top-level domain name, such as .scom, .sorg, .snet, .snet, .sedu, .smil and .sint.