Your phone’s secret network activity: 10 times worse than DNS logs reveal


A single app can connect to dozens of websites while unused. An idle phone will make thousands of DNS queries per day. But the real situation is 10 times worse, one security expert explains.

If you install the Reddit app on your iPhone, start it once, and leave it without even logging in or interacting, it will connect to 30 different domains, according to research from Independent Advisor VPN.

Think of a domain as a website address on the Internet that allows access to services like facebook.com or google.com. DNS (Domain Name System) is used to translate these addresses from human-readable form into IP addresses.

Reddit was followed by QQ, the Chinese instant messaging software, which connected to 19 different domains. Among the mainstream social networks, Instagram and X (Twitter) both connected to 10 different domains, each without any user interaction.

Personal data leak checker

Check whether your online credentials have been compromised with an up-to-date personal data leak checker tool.

Check if your data has been compromised

Those numbers are very modest compared to those of an active user, whose apps can connect to hundreds of domains in just one week. Here’s what the App Privacy Report revealed to one user:

connections

These are only domain counts, and you need to dig deeper to find out how many times those domains were accessed. Exact numbers will vary depending on specific devices, installed apps, settings, and users.

Expert: the situation is 10x worse

Cybernews has already experimented with idle Android and iOS phones, each with 100 apps installed. When unused, the iPhone averaged 3308 DNS queries per day, compared to 2323 queries made by Android. Some requests, more often on Android, landed in high-risk countries such as Russia and China.

A device contacts the DNS server when it wants to access a particular domain. The DNS server is like the phone book of the Internet, resolving domain names (such as www.cybernews.com) to IP addresses.

“Although you got the DNS queries fact true, the actual tracking problem is 10 times or more bigger. Why? Because of DNS caching on a device, and the time to live (TTL) of those records on a device,” Daniel Trahtemberg, Vice President of Product at ReasonLabs, a cybersecurity firm, said to me after the reports.

He explains that the phone or any internet-connected device sends a DNS request only after the “time-to-live” or the previous request has expired.

“One DNS request may equal 5, 10, 20, or more actual API calls to the service endpoints,” Trahtemberg said.

For example, when you use an app for tracking routes or maps, it may contact a server every second, updating the location of the device. When it needs to resolve the domain name, it checks the local cache, and only a single actual DNS request will be made every 5 or 10 minutes, depending on the TTL of the specific domain.

The IP address revalidation time also depends on the DNS server, as Google, Cloudflare, or others may have different TTLs set for each domain.

Usually, DNS servers try to keep TTL under 300 seconds (5 minutes) to ensure the records are quickly updated in case of disaster recovery or other reasons. However, the time could be much longer. For example, the twitter.com domain revalidates the IP address every 22-30 minutes, depending on the DNS server, and there is no publicly documented maximum time for iOS.

Longer than one-hour TTLs are possible for stable backend operations, where IPs do not change as often.

So, if your phone makes more than 100 DNS queries each hour, it could access the corresponding servers thousands of times per hour.

But why would you care?

Neither the number of domains your phone accesses nor the frequency of those connections tell what is being sent back and forth.

The domains may not necessarily be tracking your data, but the likelihood increases with each service you use. An app may contact the domain to deliver content such as video or music streaming, social network feed or gameplay, access email, sync photos, and other data, or other.

However, you may notice that some apps connect to the same servers from Google or other companies. Each time the app connects to a server, it can potentially send your device telemetrics, including location, personal data about you, or usage patterns.

Many data brokers may use that data for behavior profiling, analytics, and advertising, and it may also be sold to third parties. Commercial spyware, such as Pegasus, used to track journalists, political dissidents, and others, could be delivered via ad networks or other legitimate infrastructure your apps rely on.

Here’s what Apple says in its App Privacy Report (APR) tool:

“The Most Contacted Domains section shows the domains contacted by all apps you use and by websites you visited in those apps. APR identifies domains that are contacted by multiple apps because these domains may be collecting data about you from those apps and combining the data to create a profile about you, including for advertising purposes.”

James Milin-Ashmore, VPN expert at Independent Advisor, recommends checking privacy settings on the services you use. Most platforms provide privacy controls, allowing users to choose who sees posts and personal information and what can be accessed by third parties.

“It's good practice to review and adjust these settings at least every three to six months or whenever you notice changes in the platform's privacy options or features,” he said.

However, relying on the options the companies provide will not be enough if you want to filter all unwanted traffic. Those who are cautious about their privacy may consider using tools such as ad blockers and privacy-focused DNS filtering services, limiting app number and background activity to the minimum, and adding a VPN connection to hide the location and IP address.

Those who might be targeted by sophisticated state-sponsored actors and mercenary spyware can choose to use features such as the iPhone’s “Lockdown Mode,” which is supposed to protect devices against extremely sophisticated cyber-attacks.