I installed a root CA on my iPhone and intercepted my own traffic on my firewall using Squid. Here’s a look at what your favourite apps call behind your back.
Official Apple apps
Phone app
It made calls to my mail server (presumably to fetch contacts).
Mail (with two on-prem Exchange accounts)
Called my Exchange servers only.
Camera
No traffic.
(Apple) Maps
Lots of calls to https://gspe19-ssl.ls.apple.com/asset/v3/material/
App Store
Detected TLS inspection, so it’s using pinned certs. ‘Something went wrong’.
Social networks
LinkedIn primarily uses GraphQL for most API calls, and there is a tracking endpoint frequently called at https://www.linkedin.com/li/track
. I also found a “whoami” style endpoint at https://www.linkedin.com/mob/sso/you
. A media CDN at media.licdn.com
appears to be doing authentication correctly.
When I turned off DNS-based ad blocking, a little bit more is called, such as https://gsp10-ssl.apple.com/hvr/trc
which seems to be an Apple tracking server. I also saw calls to api.mapbox.com
.
X/Twitter
Nothing too weird. Seems to be mostly the same stuff you’d see on desktop:
https://video.twimg.com
https://abs.twimg.com
https://pbs.twimg.com
http://connectivitycheck.gstatic.com
(this one is Google’s network)
Weird one – it doesn’t seem to make calls to hostnames, instead calling a few IPs on port 443 on ASN 32934 (FACEBOOK).
Generally was very quiet. Some calls to Facebook, such as whatsapp-cdn-shv-01-lhr6.fbcdn.net
.
Signal
Some calls to AWS.
Security / sysadmin apps
Authy
It made calls to the following endpoints:
https://kinesis.us-east-1.amazonaws.com/
https://api.authy.com/
- a few other IPs
RD client (Microsoft RDP)
No unexpected traffic.
Terminus
No unexpected traffic.
Self-hosting community favourites
Bitwarden (self-hosted server)
I saw no calls to the Internet 🙂
Nextcloud
Nothing at all hitting the Internet.
Mastodon (not logged in)
No traffic.
Media
Spotify
Very noisy. Some common calls:
https://audio-ak-spotify-com.akamaized.net/
https://canvaz.scdn.co/
https://firebaseinstallations.googleapis.com/
https://i.scdn.co/
https://api-adservices.apple.com/api/v1/
Travel
Airbnb
- A few calls to their API
https://www.airbnb.com/tracking
(presumably analytics)https://firebaseinstallations.googleapis.com/v1/projects/airbnb-38fb0
https://a0.muscache.com/im/pictures/
Google Maps
As expected, a major offender:
https://mobilemaps.googleapis.com/maps/vt/proto
https://play.googleapis.com/log/batch
https://scone-pa.googleapis.com/v1/survey/trigger
https://oauthaccountmanager.googleapis.com/v1/issuetoken
https://www.googleapis.com/userlocation/v1
https://gz0.googleusercontent.com/
https://www.gstatic.com/identity
https://fonts.gstatic.com/s/roboto/
https://accountsettingsmobile-pa.googleapis.com
Tesla
Generally called its own stuff, but also DataDog and Google.
https://owner-api.teslamotors.com/api/1
https://signaling.vn.teslamotors.com/v1/mobile
https://browser-intake-datadoghq.com/api/v2/rum
https://www.googleapis.com/experimentsandconfigs/v1
Uber
Hard to know – all calls went to CloudFront.
Requests…
If you’d like me to decrypt another app, contact me and I’ll update this post. If you’re a developer and think I got something wrong here, let me know and I’ll take a look.