The debate around privacy – and where Google stands – is kicking up on the eve of Apple’s upcoming September launch of iOS 9.
Why? Because though advertising revenue hardly tickles the bottom line at Apple, its decision to enable content blocking in iOS 9 affects how Google’s developers monetize.
Apple’s content-blocking feature allows developers to create extensions that block cookies, images and trackers. Apple also is implementing a security and encryption provision in iOS 9 called App Transport Security (ATS) that will require developers to use secure communication – known as TLS, or transport layer security, the successor to SSL – between their apps and web services.
In other words, it’s HTTPS for apps. If an app is developed using Apple’s latest toolkit, Xcode 7, non-HTTPS connections will be prevented by default. The requirement will only apply to new apps and apps that update to iOS 9.
AppLovin CTO and co-founder John Krystynak called Apple’s strategy a “war of attrition.”
“The leading, active apps will update and comply to get their apps out for iOS 9 in the next month or two,” Krystynak said. “The stragglers who update less frequently will come in eventually. And then there are some apps, a smaller percentage, that might never update and probably never intended to.”
HTTPS Everywhere … Kind Of
But why does Google care about an OS release in Apple’s world?
That’s because AdMob, Google’s mobile ads SDK, services developers across the entire ecosystem, Android and iOS alike. AdMob works with a long list of ad networks, all of which need to update their SDKs in order to serve securely and accommodate the iOS release.
ATS will be automatically enabled for all new apps developed for iOS 9 or for any existing apps being updated to run on iOS 9.
In an Aug. 26 blog post, Google provided developers using AdMob with what Google referred to as a “recommended short-term fix” in the form of a snippet of code that would essentially disable the ATS privacy feature by adding an exception to allow nonsecure content, aka ads.
Developers monetizing through AdMob who either aren’t ready for HTTPS – or aren’t confident that all of their third-party partners are ready – can add the exception so that there’s no disruption to the ad flow between AdMob and their apps.
Google, for its part, has vocally embraced the concept of HTTPS. Earlier this year, Neal Mohan, Google’s VP of display advertising products, and Jerry Dischler, VP of product management for AdWords, wrote in a blog post that by June 30 they expected “the vast majority” of mobile, video and desktop display ads served to the Google Display Network, AdMob and DoubleClick publishers to be encrypted.
But judging from Google’s Aug. 26 post, that doesn’t appear to be the case: “While Google remains committed to industrywide adoptions of HTTPS,” the company wrote, “there isn’t always full compliance on third-party ad networks and custom creative code served via our systems.”
A seeming shrug of the shoulders. It’s the other guys, not us.
That said, Apple itself has provided its developers with a tech note that explains how to enable exceptions, if necessary. In the dev notes for iOS 9, Apple encouraged all new apps to use HTTPS exclusively, while existing apps “should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.”
Because when Apple says ASAP, it means it.
The user adoption rate for Apple iOS releases is generally far higher than Android, noted Robert Weber, CEO and co-founder of mobile games ad platform NativeX.
According to Apple, iOS 8, which was released in mid-September 2014, has since been installed on 86% of all iOS devices, while Google’s Android mobile OS, Lollipop, released in June 2014, has roughly 18% distribution. While Android, unlike Apple, is hampered by the fact that the carriers have control over the update certification process, iOS adoption is still remarkably high. Apple had 46% penetration with iOS 8 within the first week after its release.
“Adoption rate is generally high when Apple makes updates to its OS, so an update has the potential to have a virtually instant performance impact on whoever isn’t complying with the new changes,” Weber said.
And where users go, apps must follow.
Michael Katz, CEO and co-founder of mobile data automation platform mParticle, predicted that, “within a relatively short amount of time, the vast majority of apps will be running on iOS 9.”
“Apple is not going out and trying to hurt ad-supported businesses, though – they’re an important part of Apple’s ecosystem,” Katz said. “Especially after everything that happened with the NSA last year, everything needs to get locked down and this is a positive step toward protecting privacy and security.”
Apple Goes Big
Although Google has designated itself as a leader in the move toward wide adoption of HTTPS – in April 2014, for example, Google announced that it had started running tests around using HTTPS as a ranking signal for search – it’s a stance that fits more snugly into Apple’s ethos around privacy and tracking.
Take Apple CEO Tim Cook’s acceptance speech at the Electronic Privacy Information Center Champions of Freedom Awards dinner in June.
“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” Cook said. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”
Although not mentioned by name, Google was clearly one of the companies to which Cook was referring.
While it would be naive to say that Apple is positioning itself as a defender of privacy purely on moral grounds – ”Apple cares about shipping more iPhones, and if security is the main draw for their customers, that’s what they’ll focus us,” said Weber – Apple is arguably more convincing as a protector of privacy than Google.
As one commenter observed in businesslike tones on Hacker News, a Reddit-like site hosted by startup incubator Y Combinator: “Google’s intent is very straightforward: to disable TLS in the interest of their ad business. … You shouldn’t compromise app security in the interest of letting ad networks continue to serve unencrypted content to your users’ devices.”
