A good half of the internet is now encrypted. This means that third parties like your ISP can’t spy on your web browsing. However, certain things are not encrypted, including iTunes downloads and the App Store (via Wired).
Unencrypted iTunes Downloads
Researchers from privacy service Disconnect discovered a “feature” of App Store and iTunes downloads. Every download includes an Apple-generated code called a Destination Signaling Identifier. This is a unique device ID that only changes once in a while.
This means that, theoretically, a third party like an ISP, a hacker, or even someone on a shared Wi-Fi network could see your app/movie/music downloads, updates, and more.
Disconnect submitted a bug report to Apple back in September about this issue. Apple replied that it’s not actually a bug, and confirmed that anyone with network analysis tools could observe and record the traffic.
The response points out that though the downloads themselves aren’t encrypted, other phases of the interaction to initiate and complete a download are, including a metadata transfer before the actual download. Apple also has a process in place to cryptographically confirm the validity and integrity of downloaded files. The company declined to comment further on its use of HTTP for downloads.
iOS researcher Will Strafach says it might serve a purpose. If downloads are sent over plaintext HTTP, system admins can create a way to cache big apps and files on their local network, enabling faster distribution. Another important note is that this is different than internet traffic within apps. Apple has required developers to use TLS in apps since 2016.