Again I ask: Any specific examples from companies or organizations that implement HTTP(S) in their products stating device power as reason for non-implementation?
I imagine it to be a horrible miscarriage of trust to not use HTTPS. We made the decision early on that handling any personal data not over HTTPS was massively irresponsible - and this is pre-Snowden.
That said, if they have kernel-level hacks or can intercept and decode HTTPS (or sit and listen on, say, any AWS server they want), what does HTTPS really matter against the NSA?
Still, totally irresponsible - battery life is a constant struggle, but not enough to even make us consider changing our API client code.
The problem is that HTTPS is very difficult to audit; we just have to trust that it is being done correctly.
How do you know that the apparently random stream of bits is actually properly encrypted and does not leak private data? It would be better to let the OS add the SSL layer and only let apps talk HTTP. This would give the user much more control.