Websites have https and so much has been done in the browsers to ensure that users know that the sites they are visiting are safe and secure. But there is nothing to ensure this for mobile apps.

Visual cues on Websites

1. Lock Symbol

The lock symbol for HTTPS

The lock symbol at the top helps people know whether the communication between the browser and server is encrypted or not.

2. Extended Validation Certificates

Organisation name displayed due to Extended Certificate

Extended certificates helps the common man see the organisation name clearly in big green text so that they are sure that this website is what it claims to be. (It helps when domain names are illegible or misspelled and are difficult to distinguish from a fake one)

3. Browsers Warning when not to trust a HTTPS

Browsers warning about the certificate not being valid

You get warnings from the browser when non trusted https is detected. You can safely abort further browsing. How cool is that!

Visual cues on Mobile Apps

Yet mobile apps have no way to know if the communication is being carried over https.

iOS guideline do not even mention having https as a good practice, let alone enforcing it while reviewing the submitted apps. (edit : Apple has announced that it will force ATS by the end of this year.)

Google playstore does mention to have HTTPS when dealing with personal data and sensitive information but there are countless android apps which deal with personal data over http. How about that!

So, clearly the world of apps is ignored when it comes to https visual cue. Would you be okay to transact with your credit card on an app which doesn’t have https for all the URLs. I hope not. And when more than half of the world is using apps, don’t you think something concrete should be done about it?

Examination of API calls by some Apps

So, after couple of hours of work, the state of some of the apps are as shown in the below image:

WebMD iOS app is not at all secure. Whatever you browse can be snooped on. Another app ShopClues (its an Indian E-commerce website to be bought by Alibaba for ~$1B) is also not secure at all —all http API calls.

Lyft, Uber, Instacart, Doordash (iOS apps)— all use https everywhere. Strava and Myfitnesspal had used couple of http urls and hence not marked completely green.

It would take a lot more time to evaluate all the apps on appstore/playstore like this. Instead if there could be a way in iPhone or Android devices to know if my browsing is safe or not then that would be much better and the best solution. I hope that people be aware of the repercussions of not having browser-like safety in mobile apps through this article and the developer community find some way to get HTTPS to mobile apps in a way that is transparent to users.

List of few more built-in Magics in Browsers:

Mixed Content — if some contents are loaded over http and some are over https then the browser also gives you a Warning!

Browsers have a preloaded list of websites embedded in them which will always have https, called HSTS preload list.

You can also add a header for letting the browser know that you always want your website to load over https —

Strict-Transport-Security: max-age=31536000.

There is a way to prevent the cookies to be sent in HTTP calls, you can set the Secure flag in the cookie.

Thanks for reading. Please feel free to discuss anything in the comments or mail me at manish@fallible.co