MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
Apple Security Advisory 2016-05-16-3 - watchOS 2.2.1 is now available and addresses information leakage, code execution, and various other vulnerabilities.