Tristan Emrich writes on Google’s ad developer blog:
To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.
Publishers can add an exception to their Info.plist to allow any insecure connection.
So in a year where malware-laden ads are becoming increasingly frequent, Google’s response is not to convert their ad network to HTTPS, but rather to tell developers to reduce the security of their apps. Google has had years to make changes on their end, so this is both dangerous and outdated advice.