SSL Certificate ensures that the information which your user enters on their browser safe from hackers.
SSL Certificate ensures that the information which your user enters on their browser, like username and passwords, is encrypted before being transferred to the server. This information is then decrypted on the server and used. This ensures that no hacking can be done during the time your user clicks the button and till the server gives response.
Whenever you open your bank's website, you see a lock icon or a green bar next to the browser's address bar like https://www.icicibank.com. This means that the company has taken steps to ensure that the information you share with them over internet is not readable to anyone else. This increases your trust and confidence in the company and you are happy to feel that whatever you type will not be leaking.
So how does it work? Well it is all maths. But in simpler terms, when you type abc, it gets converted into @#34211 and is sent to the server where the server converts it self into abc. Then the server does it work and resends the output xyz as 0123). Then the browser converts it into xyz and shows you the result.
Why do I need to have SSL on my website/api? The straightforward reason is that Apple has disabled the apps from sending data over non https websites. This means that when you call any command on your server from your iOS app, Apple will reject it and not let the call go through. Your users will see nothing and the whole thing fails in the background. This was done by Apple to ensure more security to the users. In case of Android, there is no restriction but there are so many viruses and malware apps on the play store, that they can listen to your user's data and read all data which is not transferred over https. Then the virus writer can try to gain access to your server and in turn your user can sue you because the data leaked.
Is it expensive to deply SSL? No, of course not. Many server companies are deploying SSL these days for free but those are good for browser based websites or apps and not mobile apps as older Android versions don't support that new SSL company. If you need to support Android less than 6, like Android 4.2, you would need to buy a new SSL certificate from an established company. I can get it cheap for you for around Rs. 1,000/- per year.
Feel free to ask questions from me. If you have a requirement for mobile app development, I might be able to serve you.