by bhhaskin 3311 days ago
They could require a root SSL cert to be installed and then just MITM all the traffic. An org that wants to protect personal data might be willing to do something stupid like that.
2 comments

For a properly engineered mobile app there are only downsides to using the public CA system (and thereby the device's CA store). So that would not work.
True. This is not hard to deploy if they leverage a centralized management solution for PKI, such as MS Active Directory.