Yes, iOS does talk a lot to the Apple servers, and apple makes heavy use of Akamai for CDN purposes.
If you set your iOS device to auto-update overnight, that will typically happen between 3am and 5am. They even tell you that when they set the schedule.
"something" going on? like, the manufacturer of a device who provides cloud services with that device is speaking to their servers to provide services that the customer wants? Very alarming.
I understand iCloud, iTunes, and all other apple services need to communicate with their servers.
My point is to question why do they need more than 1000 hosts for their endpoints? It only look suspicious in my eyes.
Why is it suspicious? I don't see your reasoning here. Having a diverse range of DNS names requested doesn't seem to me to be an indicator of suspiciousness.
On earlier releases of iOS that had a public jailbreak released, I spent quite some time using HttPeek (https://github.com/Yonsm/HttPeek) to examine what various OS processes were sending, and found nothing untoward.
I'd be surprised if this had changed for the worse in more recent iOS releases.
1) Every service most likely has many, many different servers providing it. These may have different hostnames. Particularly consider that Apple uses a lot of cloud services.
2) All the services you list in fact consist of many smaller services. iTunes alone is a storefront, a CDN, a payment processing service, a DRM system, a syndication service, an account management service, a media library synchronisation service, a streaming media service, and so on. iCloud is a blanket name for a large collection of big services which themselves may consist of many smaller services.
3) That isn’t even the full set of services.
In light of these considerations, 1000 hostnames should not be unexpected. That might even be a surprisingly small figure.
One area where Apple uses a large amount of domain names on purpose is for their captive portal detection. Supposedly they do this on purpose so that captive portals can't try to hard-code a list of domains in order to white-list/fool it.
iOS offers a slideover view that gets dismissed once absence of captive portal is detected. That way you can’t redirect people forcibly to your website after auth is done in a way that persists.
But if you force people to use a browser rather than auto disappearing modal view, the bounce rate is much lower once you force them to visit your website after captive portal login.
I've developed some very large globe-spanning systems that are probably a single-digit % complexity as the Apple ecosystem and we touch hundreds of endpoints. Doesn't seem suspicious to me at all.
Try to temporarily log out of iCloud and iTunes Store and disable push notifications. I think that could reduce a lot of the traffic. And then gradually start turning things on one by one.
In your logs why don’t you also log whether each device is connected to power and what preferences each user has set on a per app basis for push notifications, background data fetch, background downloads (distinct from background data fetch), as well as their do not disturb settings and timeframe, whether they are on a cell network or wifi, whether the wifi is exposing a networked backed by a cell network, the current battery level at each time, whether the device is changing location, whether the user is moving the device, whether the screen is locked, whether any app is in the foreground, whether any currently installed apps have code that gets invoked when geographic regions change, whether they have any code that is invoked when specific locations are visited, whether they have code that gets invoked when non-specific locations are arrived at or departed from, whether the user has recently changed networks, whether the user has recently plugged or unplugged the power, etc., etc., etc...
Don’t have all this data? Then maybe don’t jump to premature conclusions about what your network activity is telling you.
Since you're blocking some DNS requests, do you think a portion of the usage might be retries? If one DNS request could turn into querying all the addresses in your list, I could see an amplification attack happening, and then that happening also on a retry. Look for patterns in querying the individual names?
> However I am pretty sure Apple does some DNS tunneling.
That seems very reasonable. It would be better than hardcoding IP addresses and safer than straight DNS for management things. Maybe their implementation of that doesn't have a very long TTL?
I have been logging, redirecting and blocking these queries for these domains and more for years.
It is one of our biggest complaints about the "new" Apple.
There is no option for the user to disable the nonstop phoning home. iOS is a BSD-like OS configured so that the user does not fully control it (e.g. can't stop someone else's software from incessantly trying to phone home). The user cannot fully configure it (e.g., can't access HOSTS file). Only Apple can (they get root and they do not even own the device). Important settings are placed off limits to the owners of these devices. This is no fun.
Turn on an iOS device and it will keep trying to connect to Apple servers; it will not stop. An incredible tracking device if those servers keep logs, irrespective of Apple's reasoning. Not to mention lots of unnecessary network chatter on the home network.
Clarification: After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous", but it is still disappointing. Moreover, I am not advocating any other mobile OS simply by making a comment about iOS. In fact, none of the "smartphones" being sold today are satisfactory to me as portable computers when compared with the control I get using an open source OS with i386, amd64 or even a development board.
>iOS is a BSD-like OS configured so that the user does not fully control it
Oh come on. You act like this is some malicious or unexpected new behavior when this is how Apple has behaved for at least 15 years now. And if the BSD guys didn't want their software used in that fashion, they'd change their license. But since BSD wrote their own license that allows for that, they explicitly approve of it.
Don't act like you're scandalized about discovering the big secret that Apple won't let you fully control your iPhone in 2017.
How do you know when the parent poster knew what? Must all Apple users know the entire history of Apple device DNS usage? Where is the universally known documentation on such usage?
I'm not talking about DNS usage because neither were they. They were talking about being able to fully control their iOS device, which has never been the case, even dating back to the original iPod.
There is pretty universal documentation on that called "every sentence ever uttered about iOS since ever".
> You act like this is some malicious or unexpected new behavior
No, I'm pretty GP "acts like"
> After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous"
I've never really understood the absurd (but common!) argument that a repugnant state of affairs isn't worth discussion if it isn't new. Usually, the heckler even agrees with the person they're heckling! What's the goal? Sabotage of a cause one agrees with merely to redeem hipster / cynic points? I don't get it.
It's disappointing that GP felt the need to preemptively address this possibility in their post, but it's downright silly that parent didn't even let this fact stop them. So it goes.
I think it's fair to note that they edited that part in after I wrote my comment using that exact same wording, but failed to mention they edited it. It's not that their wording didn't stop me from replying, its that their wording did not exist when I replied.
It's a scummy argument tactic, which you've proven is highly effective.
A fair complaint, but you didn't address my main argument -- that novelty shouldn't be a precondition for discussing repugnant situations. Diversion is also a scummy argument tactic.
Seriously? Diversion? You just spent 100 words ripping me apart for a completely valid argument that you misunderstood, and you have the gall to say I'm only pointing that out as a diversion. Seriously. Take a look at yourself right now.
This was their original comment without their subsequent edits:
>I have been logging, redirecting and blocking these queries for these domains and more for years.
>It is one of our biggest complaints about the "new" Apple.
There is no option for the user to disable the nonstop phoning home. iOS is a BSD-like OS configured so that the user does not fully control it. The user cannot fully configure it. This is no fun.
>Turn on an iOS device and it will keep trying to connect to Apple servers; it will not stop. An incredible tracking device if those servers keep logs.
It's a far whinier post, with the biggest complaint being that the BSD license allows companies to lock their software down, as intended. Not every piece of software needs to be fully controllable by the end user. I wouldn't call it "repugnant".
As opposed to "we are open Android" but everything that most people define as Android includes closed source Google Play Services and proprietary drivers?
The comment you are responding to explicitly says no alternatives are good and disclaimed any idea that they were telling people to use something different. They shouldn't have had to make that disclaimer, but apparently it didn't even work.
This part of the comment did not exist when I replied....
Clarification: After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous", but it is still disappointing. Moreover, I am not advocating any other mobile OS simply by making a comment about iOS. In fact, none of the "smartphones" being sold today are satisfactory to me as portable computers when compared with the control I get using an open source OS with i386, amd64 or even a development board.
I want to mention that I think it's incredibly disingenuous to edit your comment to argue against my reply without mentioning that you've edited what I was arguing against. It's even more so when you use the exact same wording I did, making it look like I'm arguing something that was explicitly stated in your post, when it wasn't there at the time I wrote my reply.
I am seriously disappointed in this level of discourse. If you want anyone to take you seriously, you'll stop pulling shit like that in the future.
I'm not sure why you seem to have a personal vendetta against me, unless you're an alt of feelin_googley. If you want to argue, I think we can keep it to the one chain we already have going, yeah?
What exactly makes this "alarming"? I could understand "large" or maybe even "unexpected", but if this is background noise, I'm not sure "alarming" really fits here unless we're sure this is bad behavior.
I'm still amazed that computers are so terrible at telling reliable time without connecting to a network constantly. I've seen computers with a fully-functional CMOS battery lose 5 minutes a month without a network connection. Mind blowing.
I would say its place is more in a computer engineering or an "applied computer science" discipline. Similarly, a chemistry student doesn't especially need to learn about how to plan a safe and cost-effective end industrial synthesis process, which would fall squarely in the domain of chemical engineering.
It turns out that if you really want a device that can keep accurate time over a long period you must pay a significant amount of money. You would need a temperature compensated crystal (TCXO) or ovenized crystal oscillator (OCXO). Both of these would cost tens to hundreds of dollars, which is orders of magnitude more than hardware makers are willing to spend. Not to mention these kinds of accurate oscillators tend to be power hungry.
But that is missing the main point of the network time checks. Even if computers were perfect at telling time you still need to check network time for security reasons, especially if local users can change the device time. There are crypto attacks that rely on changing the time, and checking that the time matches another somewhat reliable source helps make those attacks harder to pull off.
Some mobile networks do a decent job of providing the time, some do a poor job, and some don't provide time at all (saw this when I was overseas). I would accept the time from the mobile network as a starting point, but prefer to get it from IP networks I trust, or from global positioning.
Yes it’s a cloud connected device, it is going to connect to the cloud. I don’t see why you are surprised.
If you think there is an issue, instead of breathlessly declaring you’ve discovered a disturbing pattern in a system you couldn’t possibly have an informed perspective on, the correct way to handle it is to file a radar at https://bugreport.apple.com/ then come back here tell us your radar number so we can dupe it and add any of our own data that might help with the (perceived, in this case, I would say) issue.
keyvalueservice: old iCloud sync service, still used with text shortcuts sync
fmf: Find My Friends
fmip: Find My iPhone
All in all just looks normal, there's a lot of features in iOS/macOS/iTunes etc etc and they all have their own respective hostnames, possibly many for old school random-hostname-based load balancing, etc. Seems pretty normal that your users would be downloading apps (or the phone downloading updates automatically), playing Apple Music, updating iOS, etc. Spammy, but not that big a deal. I'd imagine rather similar from Android by filtering to Google, Samsung, etc hosts.
Well the author sort of neglected to state whether the device was charging at the time, which makes a difference. No doubt it wasn’t always charging but it would be fair to clarify when it was. The OS has some activities like checking for updates that it is more likely to do if tethered to power.
Also some of the activity can be related to measures that actually save power. For example, before attempting to do a heavy download of data provided by apps that implement background data downloading, it makes sense to first check the quality of the network connection.
I’d suggest everyone just chill and realize there can be good reasons for things, not just bad reasons. And consider the possibility that Apple is not stupid when it comes to power management.
What exactly is 'alarming' about a cloud device trying to connect to its cloud services? DNS/UDP is the cheapest way of communicating for the device, and, if the DNS servers are not mad and the RR timers are set correctly, also for the name server.
64 comments
[ 2.9 ms ] story [ 25.7 ms ] threadIf you set your iOS device to auto-update overnight, that will typically happen between 3am and 5am. They even tell you that when they set the schedule.
I am getting a huge database of these logs because of my users. Maybe someone can help me investigate because there is definitely something going on.
Here is a preview: https://stan.sh/images/log-example.png
https://stan.sh/images/ios_domains.csv
On earlier releases of iOS that had a public jailbreak released, I spent quite some time using HttPeek (https://github.com/Yonsm/HttPeek) to examine what various OS processes were sending, and found nothing untoward.
I'd be surprised if this had changed for the worse in more recent iOS releases.
2) All the services you list in fact consist of many smaller services. iTunes alone is a storefront, a CDN, a payment processing service, a DRM system, a syndication service, an account management service, a media library synchronisation service, a streaming media service, and so on. iCloud is a blanket name for a large collection of big services which themselves may consist of many smaller services.
3) That isn’t even the full set of services.
In light of these considerations, 1000 hostnames should not be unexpected. That might even be a surprisingly small figure.
But if you force people to use a browser rather than auto disappearing modal view, the bounce rate is much lower once you force them to visit your website after captive portal login.
Apple server: No. Same Nonce. Cryptographic signature.
If different response: Captive portal. If no response: No internet.
I've developed some very large globe-spanning systems that are probably a single-digit % complexity as the Apple ecosystem and we touch hundreds of endpoints. Doesn't seem suspicious to me at all.
Don’t have all this data? Then maybe don’t jump to premature conclusions about what your network activity is telling you.
Also, some iOS specific requests happen when there is no other DNS activity at all.
That seems very reasonable. It would be better than hardcoding IP addresses and safer than straight DNS for management things. Maybe their implementation of that doesn't have a very long TTL?
It is one of our biggest complaints about the "new" Apple.
There is no option for the user to disable the nonstop phoning home. iOS is a BSD-like OS configured so that the user does not fully control it (e.g. can't stop someone else's software from incessantly trying to phone home). The user cannot fully configure it (e.g., can't access HOSTS file). Only Apple can (they get root and they do not even own the device). Important settings are placed off limits to the owners of these devices. This is no fun.
Turn on an iOS device and it will keep trying to connect to Apple servers; it will not stop. An incredible tracking device if those servers keep logs, irrespective of Apple's reasoning. Not to mention lots of unnecessary network chatter on the home network.
Clarification: After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous", but it is still disappointing. Moreover, I am not advocating any other mobile OS simply by making a comment about iOS. In fact, none of the "smartphones" being sold today are satisfactory to me as portable computers when compared with the control I get using an open source OS with i386, amd64 or even a development board.
I really feel a dissonance between Apple's marketing position with privacy and the behavior of their devices in the background.
Oh come on. You act like this is some malicious or unexpected new behavior when this is how Apple has behaved for at least 15 years now. And if the BSD guys didn't want their software used in that fashion, they'd change their license. But since BSD wrote their own license that allows for that, they explicitly approve of it.
Don't act like you're scandalized about discovering the big secret that Apple won't let you fully control your iPhone in 2017.
There is pretty universal documentation on that called "every sentence ever uttered about iOS since ever".
No, I'm pretty GP "acts like"
> After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous"
I've never really understood the absurd (but common!) argument that a repugnant state of affairs isn't worth discussion if it isn't new. Usually, the heckler even agrees with the person they're heckling! What's the goal? Sabotage of a cause one agrees with merely to redeem hipster / cynic points? I don't get it.
It's disappointing that GP felt the need to preemptively address this possibility in their post, but it's downright silly that parent didn't even let this fact stop them. So it goes.
It's a scummy argument tactic, which you've proven is highly effective.
This was their original comment without their subsequent edits:
>I have been logging, redirecting and blocking these queries for these domains and more for years.
>It is one of our biggest complaints about the "new" Apple. There is no option for the user to disable the nonstop phoning home. iOS is a BSD-like OS configured so that the user does not fully control it. The user cannot fully configure it. This is no fun.
>Turn on an iOS device and it will keep trying to connect to Apple servers; it will not stop. An incredible tracking device if those servers keep logs.
It's a far whinier post, with the biggest complaint being that the BSD license allows companies to lock their software down, as intended. Not every piece of software needs to be fully controllable by the end user. I wouldn't call it "repugnant".
Clarification: After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous", but it is still disappointing. Moreover, I am not advocating any other mobile OS simply by making a comment about iOS. In fact, none of the "smartphones" being sold today are satisfactory to me as portable computers when compared with the control I get using an open source OS with i386, amd64 or even a development board.
I am seriously disappointed in this level of discourse. If you want anyone to take you seriously, you'll stop pulling shit like that in the future.
Shame on you.
> Don't act like you're scandalized about discovering the big secret that Apple won't let you fully control your iPhone in 2017.
Since you had to ask, please contact your nearest care facility to investigate a dementia diagnosis.
https://news.ycombinator.com/newsguidelines.html
A good quality quartz crystal is accurate to about 15 seconds a month. Even the cheap ones can manage 30 seconds a month.
Here is a quick CSV export of all the concerned hosts (subdomain + domain) I could pick from my database.
https://stan.sh/images/ios_domains.csv
I really want the story behind pancake.g.aaplimg.com
If you think there is an issue, instead of breathlessly declaring you’ve discovered a disturbing pattern in a system you couldn’t possibly have an informed perspective on, the correct way to handle it is to file a radar at https://bugreport.apple.com/ then come back here tell us your radar number so we can dupe it and add any of our own data that might help with the (perceived, in this case, I would say) issue.
mesu, su: software update
pancake: looks like home sharing? https://stackoverflow.com/questions/26900625/what-is-pancake...
phobos, mzstatic: App/iTunes store, possibly also Apple Music
apptrailers: App Store app demo videos?
streamingaudio: Apple Music?
iphonesubmissions, radarsubmissions: crash report upload
guzzoni: Siri
appldwnld: firmware downloads
gs: firmware signature generator/verifier
albert: device activation
ckdatabase, ckdevice: CloudKit, like iCloud 2.0
keyvalueservice: old iCloud sync service, still used with text shortcuts sync
fmf: Find My Friends
fmip: Find My iPhone
All in all just looks normal, there's a lot of features in iOS/macOS/iTunes etc etc and they all have their own respective hostnames, possibly many for old school random-hostname-based load balancing, etc. Seems pretty normal that your users would be downloading apps (or the phone downloading updates automatically), playing Apple Music, updating iOS, etc. Spammy, but not that big a deal. I'd imagine rather similar from Android by filtering to Google, Samsung, etc hosts.
Also some of the activity can be related to measures that actually save power. For example, before attempting to do a heavy download of data provided by apps that implement background data downloading, it makes sense to first check the quality of the network connection.
I’d suggest everyone just chill and realize there can be good reasons for things, not just bad reasons. And consider the possibility that Apple is not stupid when it comes to power management.