The push to encrypt traffic throughout the web has resulted in safer and more secure browsing across millions of sites. But not every service uses the so-called Transport Layer Security that keeps HTTPS-enabled sites safe from prying eyes. Including, it turns out, Apple’s iTunes and iOS App Store infrastructure, which runs its downloads over unencrypted connections.

Typically you can tell when a website uses HTTPS encryption by the little green padlock on the left side of the URL bar. But not every web portal comes with that sort of visual indicator, which is what led researchers from the privacy products firm Disconnect to iTunes and the App Store.

Every time you download an app or an update from the App Store, or a movie, television show, or song from iTunes, it travels over HTTP without TLS. That makes it at least theoretically easier for your Internet Service Provider, a nation-state hacker, or even just someone on a shared Wi-Fi network to observe all of those interactions. Each unencrypted download also includes an Apple-generated code called a Destination Signaling Identifier, a unique device ID generated by iCloud that changes only periodically. The researchers worry that attackers could use the DSIDs to track someone’s media habits, or the apps they use.

“Once you leave the browser, there’s no insight into what’s over TLS and what’s not,” says Disconnect CTO Patrick Jackson, a former NSA researcher. “There’s so much you can learn about someone based on when they’re downloading an app, what media they’re into. With those habits they’ve already given up a lot about who they are.”

Disconnect researchers submitted a bug report about the behavior to Apple in September, outlining their concerns and noting that anyone can confirm the observations with a network analysis tool that records traffic. Apple replied that the situation isn't a bug, and that downloads over HTTP are "expected." The response points out that though the downloads themselves aren't encrypted, other phases of the interaction to initiate and complete a download are, including a metadata transfer before the actual download. Apple also has a process in place to cryptographically confirm the validity and integrity of downloaded files. The company declined to comment further on its use of HTTP for downloads.

It's important to remember that all of this is distinct from internet traffic within the apps themselves, which is generally encrypted. Since 2016, Apple has required its developers to use TLS in the apps they submit to the App Store, although noncompliant entries have been known to slip in. Apple was also a bit slow to implement TLS for iTunes in general, and expanded its use in 2013 after researchers raised concerns.

Though it's initially surprising that a company as purportedly pro-privacy as Apple might not offer total HTTPS adoption on its backend, iOS researcher Will Strafach says he thinks the setup serves a specific purpose. By sending the downloads themselves over plaintext HTTP instead of an encrypted connection, system administrators, especially in large enterprise environments, can create a sort of way station to cache large apps and files on their local network for faster distribution. That means they won't eat up bandwidth if the app, update, or other file is being downloaded over and over again onto numerous devices. If the connection were encrypted between Apple's servers and the devices, that stopover wouldn't be possible.
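As an added illustration, not code from Apple, Disconnect, or WIRED, the Python sketch below models the arrangement described above: a plaintext download path with a local caching way station, an integrity check that does not depend on the transport and is fed by metadata obtained separately, and what an on-path observer can still read. The proxy, file path, payload and the use of SHA-256 are constructed placeholders; the article does not say which mechanism Apple actually uses.

```python
import hashlib
import hmac

# Constructed sample origin content; the path and bytes are placeholders, not real App Store data.
ORIGIN_FILES = {
    "/apps/example.ipa": b"constructed-app-bundle-bytes" * 64,
}

def manifest_for(path: str) -> dict:
    """Trusted metadata the client would obtain over the TLS-protected phase: size and digest.
    SHA-256 is an assumption standing in for whatever Apple's integrity scheme actually uses."""
    data = ORIGIN_FILES[path]
    return {"path": path, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

class CachingProxy:
    """Plaintext HTTP way station: serves a local copy when it has one, otherwise fetches origin.
    Possible only because the payload is not end-to-end encrypted between Apple and the device."""
    def __init__(self):
        self.store = {}
        self.origin_hits = 0

    def fetch(self, path: str) -> bytes:
        if path not in self.store:
            self.origin_hits += 1
            self.store[path] = ORIGIN_FILES[path]
        return self.store[path]

def verify_download(manifest: dict, payload: bytes) -> bool:
    """Integrity check applied to whatever arrived, cached or not: size and digest must match."""
    if len(payload) != manifest["size"]:
        return False
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])

def observer_view(path: str, payload: bytes) -> dict:
    """What an on-path observer sees of an unencrypted download: which object, and how large.
    The integrity check protects against tampering; it does nothing about this visibility."""
    return {"path": path, "length": len(payload)}

def download(proxy: CachingProxy, path: str) -> tuple:
    """Fetch through the cache, then verify against the separately obtained manifest."""
    payload = proxy.fetch(path)
    return payload, verify_download(manifest_for(path), payload)

if __name__ == "__main__":
    proxy = CachingProxy()
    _, ok_first = download(proxy, "/apps/example.ipa")
    _, ok_second = download(proxy, "/apps/example.ipa")
    print(ok_first, ok_second, proxy.origin_hits)   # True True 1: second fetch served from cache
    proxy.store["/apps/example.ipa"] = proxy.store["/apps/example.ipa"][:-1] + b"X"
    print(download(proxy, "/apps/example.ipa")[1])  # False: a corrupted cached copy is rejected
```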

"It seems non-standard and odd at first, but I don't think there is a security threat here since integrity checks still occur," Strafach says. He agrees that there are always potential downsides to sending data unencrypted, but notes that an attacker who wants to track what a target is downloading might still be able to do it even with TLS encryption, based on an app's size.

For its part, the Google Play Store seems to have found a way around this caching mechanism, which is not totally surprising since Google specifically staked out its support for ubiquitous HTTPS years ago. A Google spokesperson told WIRED that all Play data and files are transferred via complete HTTPS with an integrity check. Disconnect confirms that it didn't see any HTTP-only traffic coming from Google Play.