I installed 100 apps and left my iPhone idle: it reached out to Russia


Your iPhone does not go to sleep with you – it buzzes with activity, accessing your data and sensors and beaming back and forth mostly with Apple, but sometimes also reaching out to servers in Russia. At least if you have the popular apps.

After testing my Android phone and finding it constantly connecting to servers in Russia or China without me ever touching it, I had to know if the iPhone would do differently. And it did.

In a factory-reset iPhone SE, I installed the top 100 apps from Germany (with a few substitutions for unavailable apps), opened them all at least once, and connected with newly created Apple or Google accounts where possible. Then I left the iPhone to lie idly, “forgetting” it for five consecutive days.

[Figure: top 100 apps in Germany]

Meanwhile, I logged every DNS lookup the iPhone made, using a private DNS service (NextDNS), as a record of which external servers it reached out to.

Users, on average, have more than 80 apps installed on their devices and never use a quarter of them after the initial download, according to a report by Buildfire.

Even unused apps can raise some privacy and security issues as they are still able to access data and sensors and beam information over the internet.

More active than Android

In five idle days, the iPhone clocked an impressive 16,542 DNS queries. The daily count ranged from 2711 to 4178, with an average of 3308.

That’s 138 queries each hour, or a single query every 26 seconds.

Interestingly, every day, there was a consistent spike in activity around 3 p.m. GMT. During that single hour, the iPhone generated 757 to 1865 DNS queries.

[Figure: DNS queries per hour over the five idle days]

In total, the iPhone was 42% more active on the network by itself than the Android phone, which sent 2323 DNS queries in 24 hours.

However, the map of where those queries went was completely different.

A request to Russia once per day

Almost 60% of the time, the iPhone was pinging its Mama Apple across multiple servers deployed all over the world, leaving the rest of the queries for third-party services. Google’s share stood at 12%, followed by Microsoft’s 4%.

[Figure: share of queries going to Apple, Google, Microsoft and other large platforms]

For comparison, on Android phones, Google’s share was a modest 24%, while queries to Apple servers were practically non-existent.

The activity of social network apps on the iPhone was turned down. Facebook was responsible for only 20 queries per day, compared to almost 200 on Android. On iPhone, TikTok generated only 36 DNS queries in total over the whole experiment, while on Android, TikTok’s number was closer to 800 queries per day.

But there was an exception – Snapchat. While it was dormant on Android, it was constantly active on iPhone, generating more than 100 queries each day.

Not a single time did the iPhone contact servers in China while idle, despite having numerous Chinese apps installed, such as Temu, TikTok, Wish, and AliExpress. Those apps contacted servers in other countries (ByteDance even has a domain called byteoversea.net for that). The situation would quickly change if any of those apps were opened.

However, the iPhone reached out at least once a day to an Alibaba CDN domain (ae01.alicdn.com) that resolved to a server in Russia. There were six queries to it in five days, none of them at night.

Compared to the experiment with Android, the iPhone’s query numbers for unfriendly countries are low.

Part of the explanation could be the difference between the two top 100 lists. Not a single app in the App Store list could be considered blatant adware. All of them had big platforms behind them and were more useful than the ad-powered flashlights, prank generators, or dubious PDF viewers on Google Play.

However, this may also be due to Apple’s stricter privacy rules for developers in its closed ecosystem.

Geographically, most queries went to the US (679 in 24h), followed by Sweden (468), Germany (136), Ireland (96) and Poland (79).

[Figure: iOS traffic destinations by country]

What does this activity mean?

High network activity is usually suspicious in itself: it can signal malfunctioning apps or rogue background processes, which are sometimes malicious.

DNS logs alone cannot provide a complete picture of a phone’s activity: they reveal which servers the phone looks up and how often, but not what is being sent, or even whether a connection follows the lookup. DNS is like a phone book for the internet: you ask it how to reach a website, and it returns the IP address.
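The per-day counts, the 3 p.m. spike, the Apple/Google/Microsoft shares, the per-country totals and the once-a-day Russian hit quoted above are all plain aggregations over a DNS log. The script below, an added example that is neither Cybernews’ nor NextDNS’ code, reproduces those aggregations over a constructed sample log. The CSV layout (timestamp, domain, country of the answering server), the small apex-domain-to-owner table and the 00:00–05:59 UTC “night” window are assumptions of this example, not the real NextDNS export format.

```python
"""Aggregate an idle phone's DNS log into the kinds of numbers quoted above.

The log below is CONSTRUCTED sample data in a simplified CSV layout
(timestamp, queried domain, country of the answering server); it is not a
real NextDNS export and the column names are an assumption of this example.
"""
import csv
import io
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """timestamp,domain,country
2024-05-01T02:10:05Z,push.apple.com,US
2024-05-01T02:10:06Z,gateway.icloud.com,US
2024-05-01T09:00:00Z,app-measurement.com,US
2024-05-01T15:05:00Z,apps.mzstatic.com,SE
2024-05-01T15:06:00Z,ae01.alicdn.com,RU
2024-05-01T15:07:00Z,gateway.icloud.com,SE
2024-05-01T20:30:00Z,app.snapchat.com,IE
2024-05-02T03:00:00Z,push.apple.com,US
2024-05-02T10:00:00Z,outlook.live.com,IE
2024-05-02T15:01:00Z,apps.mzstatic.com,SE
2024-05-02T15:02:00Z,e1.akamaiedge.net,DE
2024-05-02T15:03:00Z,gateway.icloud.com,SE
2024-05-02T15:04:00Z,ae01.alicdn.com,RU
2024-05-02T23:55:00Z,app.snapchat.com,IE
"""

# Hand-made apex-domain -> organisation table (an assumption of this example;
# a real analysis would use a maintained list or WHOIS/ASN data).
OWNERS = {
    "apple.com": "Apple", "icloud.com": "Apple", "mzstatic.com": "Apple",
    "app-measurement.com": "Google",
    "live.com": "Microsoft",
    "snapchat.com": "Snap", "alicdn.com": "Alibaba", "akamaiedge.net": "Akamai",
}

NIGHT_HOURS = range(0, 6)  # 00:00-05:59 UTC counts as "night" here (assumption)


def parse_log(text):
    """Parse the CSV into records with a datetime, domain and country."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append({"ts": ts, "domain": row["domain"].lower(), "country": row["country"]})
    return records


def owner(domain):
    """Walk the domain's suffixes (a.b.c -> b.c -> c) until one is in OWNERS."""
    labels = domain.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in OWNERS:
            return OWNERS[suffix]
    return "Other"


def per_day(records):
    """Queries per calendar day (UTC)."""
    return Counter(r["ts"].date().isoformat() for r in records)


def average_per_day(records):
    days = per_day(records)
    return sum(days.values()) / len(days)


def busiest_hour(records):
    """Hour of day (UTC) with the most queries summed over all days, and its count."""
    hour, count = Counter(r["ts"].hour for r in records).most_common(1)[0]
    return hour, count


def owner_shares(records):
    """Fraction of all queries attributed to each organisation."""
    counts = Counter(owner(r["domain"]) for r in records)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def country_counts(records):
    return Counter(r["country"] for r in records)


def watchlist_hits(records, countries=("RU", "CN")):
    """Queries answered from watched countries, tagged with whether they were at night."""
    return [(r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["domain"], r["country"],
             r["ts"].hour in NIGHT_HOURS)
            for r in records if r["country"] in countries]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per day:", dict(per_day(recs)))
    print("busiest hour (UTC):", busiest_hour(recs))
    print("owner shares:", {k: f"{v:.0%}" for k, v in owner_shares(recs).items()})
    print("countries:", country_counts(recs).most_common())
    print("watchlist:", watchlist_hits(recs))
```

Two design points matter for a real log: the owner lookup walks suffixes so that `gateway.icloud.com` is credited to Apple even though the table only lists `icloud.com`, and the country column is the country of the answer the resolver returned at that moment, so the same domain can legitimately land in different countries on different days (a CDN edge, not a fixed server).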

The iPhone’s DNS queries appear to be related to standard operations. Apple-related domains, such as apple.com, icloud.com, itunes.apple.com, and others, are used for syncing, app updates, service checks, and more.

[Figure: most frequently resolved domains]

The iPhone frequently contacted domains with the letters “CDN” in their names, which suggests content delivery networks. CDNs serve downloads and streamed content, for example app updates, media files, and other resources. They are used by legitimate services, but a malicious app could just as well use a CDN to fetch illegal or harmful content.

The most frequently contacted CDN, besides Apple’s, was from Akamai.

Google or Microsoft services are self-explanatory – Gmail, OneDrive, Teams, LinkedIn, and other apps often connect to servers for mail, syncing, etc.

Having a lot of apps also increased connections to Apple’s domains due to many push notifications – those are delivered through push.apple.com.

Some other frequently contacted domains were app-analytics-services.com, app-measurement.com, sentry.io, and similar. That suggests apps on the device were reporting analytics, crash or usage data to third-party services.

Telemetry and ad-delivery networks are used by legitimate apps, but also by potentially unwanted programs (PUPs) and adware. Those servers can track user behavior, target specific users, and display wanted or unwanted ads and other content.

Repeated DNS queries for the same domain can return different IP addresses pointing to servers in different locations. Which one you get depends on your geographic location, which server is closest, network congestion, load balancing, server maintenance, and other factors.

Battery usage patterns correspond to the most active apps

While the phone was left lying on the table, Snapchat, Gmail, and OneDrive were the most aggressive battery users, corresponding to 38%, 34%, and 11%, respectively. As revealed by the iPhone’s monitoring tool, on some days, Snapchat clocked more than an hour of background activity.

Each country has a different list of the top 100 apps on the App Store. The experiment was conducted in the middle of Europe, from Vilnius, Lithuania.

Cybernews researchers: the less traffic, the better

I asked the Cybernews research team what they thought about my iPhone and if I should be worried about all those connections. And there is no definite answer – it depends on how much you value your privacy over convenience.

“Without closely examining each data packet sent by the iPhone app, it’s impossible to tell what’s in it. It could contain anything from a crash report to your most private data. While Apple has a reputation for a tightly regulated ecosystem, nothing is completely safe. Users can only hope that Apple checks each app thoroughly for dangerous and invasive activities,” the researchers said.

The rule of thumb is that fewer apps mean less data collection and fewer connections, reducing the number of points of failure.

“Malicious actors won’t need thousands of connections to dozens of servers to exfiltrate data or deliver malware. They can bypass DNS name resolution altogether to connect to a single server,” they said. “Also, it is common to host malicious payloads on services like Dropbox, Google Drive, etc. This way, when looking at DNS queries, you just see a normal connection to a normal service that you would expect to see in these logs.”
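The researchers’ first point is a concrete blind spot of DNS-only logging, and it can be checked if you also capture the phone’s connections (for example with a packet capture on the Wi-Fi router). The script below, an added example and not Cybernews’ or NextDNS’ code, correlates a connection log against a DNS answer log and flags destinations that were never returned by any lookup. Both logs are constructed (addresses come from the RFC 5737 documentation ranges), and their CSV layouts, the one-hour correlation window and the “no-dns” / “stale-dns” labels are assumptions of this example.

```python
"""Flag connections that have no matching DNS answer: the blind spot of DNS-only logging.

Both logs are CONSTRUCTED for this example (addresses come from the RFC 5737
documentation ranges) and use a simplified CSV layout that is an assumption of
this example, not the format of any particular tool.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

DNS_ANSWERS = """timestamp,domain,answer_ip
2024-05-01T15:05:00Z,apps.mzstatic.com,203.0.113.10
2024-05-01T15:06:00Z,ae01.alicdn.com,198.51.100.20
2024-05-01T15:07:00Z,gateway.icloud.com,203.0.113.11
"""

CONNECTIONS = """timestamp,dst_ip,dst_port
2024-05-01T15:05:01Z,203.0.113.10,443
2024-05-01T15:06:02Z,198.51.100.20,443
2024-05-01T15:30:00Z,192.168.1.1,53
2024-05-01T15:50:00Z,203.0.113.11,443
2024-05-01T17:00:00Z,192.0.2.66,8443
2024-05-01T22:00:00Z,203.0.113.10,443
"""

# Explicit local ranges instead of ipaddress.is_private, which would also
# swallow the RFC 5737 documentation addresses used as "internet" hosts here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def classify_connections(dns_text, conn_text, window_seconds=3600):
    """Explain each connection by the most recent DNS answer for its destination.

    Returns three buckets: "explained" (ts, ip, port, domain), "local"
    (ts, ip, port) and "flagged" (ts, ip, port, reason), where reason is
    "no-dns" (the IP never appeared in an answer) or "stale-dns" (it did, but
    longer than window_seconds before the connection, which points either at
    a hard-coded address or at a cache living longer than the window).
    """
    answers = defaultdict(list)  # answer IP -> [(time, domain), ...]
    for row in parse_csv(dns_text):
        answers[row["answer_ip"]].append((parse_ts(row["timestamp"]), row["domain"]))
    for lst in answers.values():
        lst.sort()

    buckets = {"explained": [], "local": [], "flagged": []}
    for row in parse_csv(conn_text):
        ts = parse_ts(row["timestamp"])
        ip = ipaddress.ip_address(row["dst_ip"])
        port = int(row["dst_port"])
        if is_local(ip):
            buckets["local"].append((row["timestamp"], str(ip), port))
            continue
        prior = [(t, d) for t, d in answers.get(str(ip), []) if t <= ts]
        if not prior:
            buckets["flagged"].append((row["timestamp"], str(ip), port, "no-dns"))
        elif (ts - prior[-1][0]).total_seconds() > window_seconds:
            buckets["flagged"].append((row["timestamp"], str(ip), port, "stale-dns"))
        else:
            buckets["explained"].append((row["timestamp"], str(ip), port, prior[-1][1]))
    return buckets


if __name__ == "__main__":
    result = classify_connections(DNS_ANSWERS, CONNECTIONS)
    for bucket, rows in result.items():
        print(bucket)
        for r in rows:
            print("   ", r)
```

The window guards against the obvious false positive: iOS and apps cache DNS answers, so a connection hours after the last lookup is not proof of a hard-coded address, which is why it is labelled “stale-dns” rather than lumped in with “no-dns”. The researchers’ second point is the limit of this check: a payload fetched from Dropbox or Google Drive lands in the “explained” bucket with a perfectly normal domain next to it, and only inspecting the content would tell it apart.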

Any connections a phone makes to unfriendly countries are concerning because of those countries’ lax approach to privacy and data protection.

“If your data ends up on a server in Russia, there’s a risk that it may be accessed by authorities or even commercial organizations that are not bound to GDPR and similar data and privacy protection laws. No consent will be asked,” the Cybernews research team’s comment reads.

For some, even legitimate services may be dangerous in sensitive situations. Commercial spyware vendors have exploited vulnerabilities in legitimate services to target political opponents, journalists, and activists.

“Some may not be comfortable even with their iPhone sending diagnostic data, location, or other telemetry to Cupertino, as that data may be requested by law enforcement. It’s up to the user to decide how much exposure they can tolerate,” the researchers concluded.

