Here’s what works for me on iOS and Android.
Yes, use credentials on all server connects.
In config.xml under the platform android section add the following ( I’m pretty sure this defaults to false and thus could be removed entirely, but I know having it works. 
):
<preference name="AndroidInsecureFileModeEnabled" value="false" />
For both ios and android sections, include a hostname preference:
<preference name="hostname" value="domain.com" />
For ios only add scheme:
<preference name="scheme" value="app" />
I think that is all that is relevant in config.xml.
Now on the server project you need to enter the following in the CORS property:
app://domain.com
If you are like me, I have multiple domains pointing to this, so I manually edit the config.json with an array of domains:
"cors": {
"origin": [
"app://domain.com",
"app://domain2.com",
"app://domain3.com"
]
},
I’m using Cordova platforms ios 6.2.0 and Android 11.0.0 and targeting android sdk 32