iOS allowed invalid certificate while Android did

Published 2020-02-16 03:38

Question:

We had an unusual situation during one of our app deployments. The iOS version worked well, but the Android version of the app did not work. After some troubleshooting, we found that the app makes a call to an API. The API web server was missing the certificate chain. We tried the API call on an iOS 8 iPhone with Safari and it worked without any warning, while on Android it gave a certificate warning. I understand the problem, but I would like to know why it worked on iOS. Does iOS have any bug in SSL verification at the OS level?

Answer 1:

The behavior you saw is due to a functionality called AIA chasing that is implemented by some browsers and user agents (including Safari on iOS). A certificate can have a value for the Authority Information Access extension that can be used by browsers or underlying frameworks to build the complete certificate chain by fetching intermediates if they are not supplied by the server.

Android does not do AIA chasing which is why you saw the error when calling the API from the Android app. I haven't been able to find out why this isn't built into Android.

The correct way to address this is to make sure the web server provides the necessary intermediate certificates to connecting clients.
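The following script is an added example and is not code from the original thread. It reproduces the server-side mistake the answer describes using only the `openssl` command line: it builds a constructed root -> intermediate -> leaf chain whose leaf carries an Authority Information Access "CA Issuers" URI, then verifies the leaf against the trusted root first without and then with the intermediate supplied. `openssl verify` does no AIA chasing, so it behaves like the Android client in the question rather than like Safari. The hostname `api.example.test` and the URL `http://pki.example.test/intermediate.cer` are made-up values.

```shell
#!/bin/sh
# Added example, not from the original thread: build a constructed root -> intermediate
# -> leaf chain with OpenSSL, give the leaf an AIA "CA Issuers" URI, and show that a
# non-AIA-chasing verifier only succeeds when the intermediate is presented with the
# leaf. api.example.test and http://pki.example.test/intermediate.cer are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a throwaway three-certificate chain. Keys are ephemeral and unencrypted
# (-nodes) because this is a demonstration, not a real PKI.
make_chain() {
    # Root CA: self-signed, CA:TRUE. This is what the client trusts.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Constructed Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
        -extfile root.ext >/dev/null 2>&1

    # Intermediate CA, signed by the root. This is the certificate the API server forgot to send.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile inter.ext >/dev/null 2>&1

    # Leaf: the API server certificate, signed by the intermediate. Its AIA extension
    # says where the intermediate can be downloaded; an AIA-chasing client (Safari)
    # follows this URI to complete the chain, a non-chasing client (Android) does not.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=api.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/intermediate.cer\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1
}

# The CA Issuers URI embedded in the leaf, i.e. what an AIA-chasing client would fetch.
leaf_aia_uri() {
    openssl x509 -in leaf.pem -noout -ext authorityInfoAccess | grep -o 'http[^[:space:]]*'
}

# A client that trusts only the root and receives only the leaf (the misconfigured
# server): the chain cannot be built, so this prints "fail".
verify_leaf_only() {
    if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The same client when the server also sends the intermediate (the fix): prints "ok".
verify_with_intermediate() {
    if openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
echo "AIA CA Issuers URI in leaf : $(leaf_aia_uri)"
echo "leaf only, trusted root    : $(verify_leaf_only)"
echo "leaf + intermediate        : $(verify_with_intermediate)"
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints exactly the certificates the server sends in the handshake; a missing intermediate is visible there regardless of whether your browser happens to paper over it with AIA chasing.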