
What can an iPhone do with 100 apps installed on it? Reach out to Russia.


The Cybernews team installed the 100 top free apps on a factory-reset iPhone SE, opened each of them at least once, signed in with newly created Apple or Google accounts, and then left the phone connected to the internet for five days. To log every domain name the iPhone looked up, and so every external server it set out to reach, the phone's DNS traffic was routed through a private resolver service (NextDNS).

Users have, on average, more than 80 apps installed on their devices and never use a quarter of them after the initial download, according to a report by Buildfire. Even unused apps can raise privacy and security issues: they can still access data and sensors and send information over the internet. According to the Cybernews experiment, your iPhone does not go to sleep with you.

Over the five days of the experiment, the iPhone loaded with the 100 top free apps clocked an impressive 16,542 DNS queries. The daily count ranged from 2,711 to 4,178, averaging 3,308, which works out to 138 queries per hour, or one query every 26 seconds.

Geographically, in a 24-hour sample, most queries went to servers in the US (679), followed by Sweden (468), Germany (136), Ireland (96) and Poland (79).

(Chart: iPhone app traffic destinations by country, Cybernews visual)

A request to Russia once per day, Snapchat generates over 100 daily queries

Almost 60% of the queries went to its Mama Apple, across multiple servers deployed worldwide, leaving the rest for third-party services. Google's share stood at 12%, followed by Microsoft's at 4%.

(Chart: DNS queries by destination, Cybernews visual)

Social network apps were comparatively quiet on the iPhone. Facebook was responsible for only 20 queries per day, and TikTok generated just 36 DNS queries over the whole experiment.

But there was an exception – Snapchat. It was constantly active on the iPhone, generating over 100 daily queries.

Not once did the idle iPhone contact servers in China, despite having numerous apps tied to Chinese companies or marketplaces installed, such as Temu, TikTok, Wish, and AliExpress. However, the iPhone did reach out to a server in Russia roughly once a day: a host in Alibaba's content delivery network (ae01.alicdn.com, which serves AliExpress content). There were six such queries in five days, none of them at night. One caveat a DNS log cannot settle: the country attached to a query is where the IP address that CDN hostname resolved to at that moment was located, so it places a CDN edge in Russia rather than proving that account data was stored there.
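The counting behind the numbers above (queries per day and per hour, share by company, lookups that resolved to a particular country, and whether any happened at night) is a few lines of log analysis. The script below is an added example, not Cybernews' or NextDNS' code; its CSV layout (timestamp, domain, destination_country) and the handful of sample rows are constructed for the example, and the domain-to-company table is a hand-maintained assumption. A real NextDNS export has more columns and its own header names, so parse_log() would need adapting to it.

```python
"""Summarise a DNS resolver log the way the Cybernews experiment did.

Added example, not Cybernews' or NextDNS' code. The CSV layout below
(timestamp, domain, destination_country) is a constructed simplification:
a real NextDNS export has more columns and its own header names.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample log standing in for the ~16.5k real queries. Not real data.
SAMPLE_LOG = """timestamp,domain,destination_country
2024-03-01T08:00:05Z,init.push.apple.com,US
2024-03-01T08:00:31Z,gateway.icloud.com,IE
2024-03-01T08:01:02Z,app-measurement.com,US
2024-03-01T09:15:44Z,ae01.alicdn.com,RU
2024-03-01T11:20:10Z,sc-cdn.snapchat.com,SE
2024-03-01T23:59:59Z,graph.facebook.com,SE
2024-03-02T00:00:07Z,init.push.apple.com,US
2024-03-02T03:10:00Z,login.live.com,IE
2024-03-02T09:40:12Z,ae01.alicdn.com,RU
2024-03-02T14:02:50Z,api.snapchat.com,SE
2024-03-02T14:03:01Z,sentry.io,US
2024-03-02T20:30:00Z,itunes.apple.com,US
"""

# Hand-maintained ownership table (an assumption for this example; extend it
# for a real log). Maps registrable domains to the organisation behind them.
ORG_BY_DOMAIN = {
    "apple.com": "Apple", "icloud.com": "Apple",
    "google.com": "Google", "app-measurement.com": "Google",
    "live.com": "Microsoft", "microsoft.com": "Microsoft",
    "snapchat.com": "Snap", "facebook.com": "Meta",
    "alicdn.com": "Alibaba", "sentry.io": "Sentry",
}

# Assumption: 00:00-05:59 in the log's timezone counts as "night".
NIGHT_HOURS = range(0, 6)


def registrable_domain(fqdn: str) -> str:
    """Last two labels; fine for .com/.io names, not Public-Suffix-List aware."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, domain, country) tuples from the CSV text."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, r["domain"].lower(), r["destination_country"]))
    return rows


def summarise(rows) -> dict:
    """Daily totals, per-hour rate, organisation share and country counts."""
    if not rows:
        raise ValueError("empty log")
    total = len(rows)
    per_day = Counter(ts.date().isoformat() for ts, _, _ in rows)
    days = len(per_day)
    org = Counter(ORG_BY_DOMAIN.get(registrable_domain(d), "Other") for _, d, _ in rows)
    return {
        "total": total,
        "per_day": dict(per_day),
        "avg_per_day": total / days,
        "avg_per_hour": total / (days * 24),
        "seconds_per_query": days * 86400 / total,
        "org_share_pct": {o: round(100 * n / total, 1) for o, n in org.items()},
        "country": dict(Counter(c for _, _, c in rows)),
    }


def queries_to_country(rows, code: str) -> list[dict]:
    """Every lookup whose answer geolocated to `code`, with a night-time flag,
    so a once-a-day destination such as ae01.alicdn.com stands out."""
    return [
        {"time": ts.isoformat(), "domain": d, "at_night": ts.hour in NIGHT_HOURS}
        for ts, d, c in rows if c == code
    ]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    s = summarise(rows)
    print(f"{s['total']} queries, {s['avg_per_hour']:.2f}/hour, one every {s['seconds_per_query']:.0f}s")
    print("share by organisation:", s["org_share_pct"])
    for q in queries_to_country(rows, "RU"):
        print("RU:", q)
```

The registrable-domain helper is deliberately naive; for a real export, group on a Public Suffix List aware library so that names like co.uk are not counted as one organisation.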

Any connection a phone makes to a country with a lax approach to privacy and data protection is a concern.

“If your data ends up on a server in Russia, there’s a risk that it may be accessed by authorities or even commercial organizations that are not bound to GDPR and similar data and privacy protection laws. No consent will be asked,” the Cybernews research team commented.

What does this activity mean?

On its own, high network activity is a warning sign rather than proof: it can point to malfunctioning apps or rogue background processes, some of which are malicious.

DNS logs reveal which servers the phone contacts and how often, but not what is being sent. The iPhone's DNS queries appear to be related to standard operations. Apple domains such as apple.com, icloud.com, itunes.apple.com and others serve various purposes: syncing, app updates, service checks, and more.

“Malicious actors won’t need thousands of connections to dozens of servers to exfiltrate data or deliver malware. They can bypass DNS name resolution altogether to connect to a single server,” Cybernews researchers said. “Also, it is common to host malicious payloads on services like Dropbox, Google Drive, etc. This way, when looking at DNS queries, you just see a normal connection to a normal service that you would expect to see in these logs.”
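The first point in that quote has a practical counterpart: a DNS log never sees a client that connects straight to an IP address, so the check is to pair it with a connection or flow log (from a router, firewall or packet capture) and flag destinations that no DNS answer explains. The script below is an added example, not Cybernews' code; both logs are constructed, the IP addresses come from the TEST-NET documentation ranges, and the 12-hour maximum answer age is an assumption to tune against the TTLs you actually see. It does nothing for the second point in the quote, payloads hosted on legitimate services, which by design look like normal traffic to these services.

```python
"""Correlate a connection log with DNS answers to catch connections that
never went through name resolution.

Added example, not Cybernews' code. Inputs are constructed; IPs are from the
TEST-NET documentation ranges.
"""
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed DNS answers: (time, queried name, answer IP).
DNS_ANSWERS = [
    ("2024-03-01T08:00:05Z", "init.push.apple.com", "192.0.2.10"),
    ("2024-03-01T08:01:02Z", "app-measurement.com", "192.0.2.20"),
    ("2024-03-01T09:15:44Z", "ae01.alicdn.com", "198.51.100.5"),
]

# Constructed outbound connections: (time, destination IP, destination port).
CONNECTIONS = [
    ("2024-03-01T08:00:06Z", "192.0.2.10", 443),    # resolved one second earlier
    ("2024-03-01T09:15:45Z", "198.51.100.5", 443),  # resolved just before
    ("2024-03-01T10:30:00Z", "203.0.113.7", 443),   # no lookup at all
    ("2024-03-01T21:00:00Z", "192.0.2.10", 443),    # last lookup ~13 h earlier
]

# Assumption: an answer older than this cannot explain a new connection.
# Clients cache records and keep long-lived sockets, so a short window
# produces false positives; tune it to the TTLs you observe.
MAX_ANSWER_AGE = timedelta(hours=12)


def classify_connections(dns_answers, connections, max_age=MAX_ANSWER_AGE):
    """Label each connection 'resolved', 'stale_dns' or 'no_dns'.

    For every connection, take the most recent DNS answer at or before the
    connection time whose answer IP equals the destination IP.
    """
    answers = sorted((_ts(t), name, ip) for t, name, ip in dns_answers)
    results = []
    for t, ip, port in connections:
        when = _ts(t)
        match = None
        for ans_time, name, ans_ip in answers:
            if ans_ip == ip and ans_time <= when:
                match = (ans_time, name)  # answers are sorted, so this keeps the latest
        if match is None:
            status, name = "no_dns", None
        elif when - match[0] > max_age:
            status, name = "stale_dns", match[1]
        else:
            status, name = "resolved", match[1]
        results.append({"time": t, "ip": ip, "port": port, "status": status, "name": name})
    return results


def suspicious(results):
    """Connections worth a second look: direct-to-IP, or long after any lookup."""
    return [r for r in results if r["status"] != "resolved"]


if __name__ == "__main__":
    for r in suspicious(classify_connections(DNS_ANSWERS, CONNECTIONS)):
        print(r)
```

On a real capture, also exclude destinations learned from DNS-over-HTTPS or from hard-coded IP lists such as push or VPN endpoints before treating a no_dns hit as hostile; the status is a triage label, not a verdict.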

The iPhone frequently contacted CDN domains used for downloads and content streaming: app updates, media files, and other resources. The most frequently contacted CDN, besides Apple's own, was Akamai's.

Connections to Google and Microsoft services are self-explanatory: Gmail, OneDrive, Teams, LinkedIn, and other apps regularly contact their servers for mail, syncing, and so on.

Having many apps also increased the number of connections to Apple's domains because of push notifications, which are delivered through push.apple.com.

Other frequently contacted domains included app-analytics-services.com, app-measurement.com, sentry.io, and similar names, which suggests the installed apps were sending analytics, crash reports, or usage data to third-party services.

Battery usage patterns correspond to the most active apps

While the phone lay on the table for five days, Snapchat, Gmail, and OneDrive were the most aggressive battery users, accounting for 38%, 34%, and 11% of consumption, respectively. As the iPhone's own battery monitor revealed, on some days Snapchat clocked more than an hour of background activity.

See the full experiment results here: I installed 100 apps and left my iPhone idle: it reached out to Russia | Cybernews

