Comment by walterbell
1 month ago
> On macOS, I can usually prevent Apple software from phoning home by using Little Snitch. Unfortunately, Apple doesn't allow anything like Little Snitch on iOS.
On Android, NetGuard uses a "local VPN" to firewall outgoing traffic. Could the same be done on iOS, or does Apple network traffic bypass VPNs? Lockdown mentions ads, but not Apple servers, https://lockdownprivacy.com/.
Apple does publish IP ranges for different services, so it's theoretically possible to block 17.0.0.0/8 and then open up connections just for notifications and security updates, https://support.apple.com/en-us/101555
An iOS "local VPN" could definitely block all traffic to Apple IP ranges. But it lacks the ability to associate traffic with the originating process/framework. Like if, for example, I wanted to only allow iMessage to talk to Apple but nothing else. This is what Little Snitch and other software gives you on macOS/Linux/etc.
But even blanket blocking of all Apple IP ranges probably wouldn't do anything here. As documented, your device sends noise injected image vectors to OHTTP relays and doesn't contact Apple directly. By definition those relays are operated by 3rd parties. So if you consider this type of data "phoning home" you'll need to find the IPs of all of OHTTP relays iOS uses. (or block the traffic that looks up the OHTTP relays).
Apple's "enterprise networking" guide lists 3rd-party CDNs as subdomains of apple.com, which usually resolve to akamai or cloudflare subdomains. This allows those dynamic IPs to be blocked via dnsmasq ipset rules. In theory, they could use similar subdomain resolution for the OHTTP relays.
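An added example of the dnsmasq ipset approach mentioned above (not from anyone in the thread): it emits the dnsmasq lines that collect the resolved addresses of CDN-fronted apple.com hostnames into an ipset, plus the firewall commands that drop traffic to that set. The hostnames used are constructed placeholders, not real Apple CDN names; the set names and the sample hostnames are assumptions.

```bash
#!/bin/sh
# Added example, not code from the thread or from any project it mentions.
# dnsmasq can place every A/AAAA answer for a listed name (and its
# subdomains) into a Netfilter ipset; the firewall then matches on the set,
# so CDN addresses that change over time are still caught.
# Hostnames passed in are PLACEHOLDERS: take the real list from Apple's
# enterprise networking guide (https://support.apple.com/en-us/101555).
SET4="apple_cdn"    # IPv4 set (hash:ip defaults to family inet)
SET6="apple_cdn6"   # IPv6 answers need a separate family inet6 set

# One "ipset=/<name>/<set4>,<set6>" line per hostname. dnsmasq puts each
# answer into whichever listed set matches its address family.
dnsmasq_ipset_lines() {
    for host in "$@"; do
        printf 'ipset=/%s/%s,%s\n' "$host" "$SET4" "$SET6"
    done
}

# dnsmasq only fills the sets; they must exist before it starts.
# The timeout lets entries expire, so a CDN address later reassigned to an
# unrelated service is not blocked forever.
firewall_commands() {
    printf 'ipset create %s hash:ip timeout 3600 -exist\n' "$SET4"
    printf 'ipset create %s hash:ip family inet6 timeout 3600 -exist\n' "$SET6"
    printf 'iptables -I FORWARD -m set --match-set %s dst -j DROP\n' "$SET4"
    printf 'ip6tables -I FORWARD -m set --match-set %s dst -j DROP\n' "$SET6"
}

# Caveat: only clients that resolve through this dnsmasq populate the sets.
# A device using its own DNS-over-HTTPS resolver, or a hard-coded address,
# never does, so also redirect port 53 to dnsmasq and block other resolvers.
# After the first lookup, "ipset list apple_cdn" should show entries.
# Constructed placeholder hostnames (assumption, not real Apple names):
dnsmasq_ipset_lines cdn-placeholder-1.apple.com cdn-placeholder-2.apple.com \
    > "${DNSMASQ_DROPIN:-apple-cdn.conf}"   # copy into /etc/dnsmasq.d/
firewall_commands
```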
Since iOS was derived from macOS, perhaps Apple could restore the link between network traffic and process.
It looks sensible assuming that Little Snitch has some high-level manager agent inside Apple manipulating the company into making this kind of sneaky attack on customers' privacy, which drives the sales of Little Snitch. In the end they will also make them buy Little Snitch for many millions or billions to eliminate it, so they can attack customers freely afterwards. Little Snitch's hidden agents are smart!
I do not assume that Apple managers are such degenerate idiots, pushing through trust-eroding marginal idiocy like this.
Apple probably wouldn't allow such an app in their walled garden?
> On Android, NetGuard uses a "local VPN" to firewall outgoing traffic. Could the same be done on iOS, or does Apple network traffic bypass VPNs? Lockdown mentions ads, but not Apple servers, https://lockdownprivacy.com/.
Why is NetGuard more trustworthy than Apple?
NetGuard firewall doesn't run on iOS, so there's no point in comparing to Apple. For those on Android, NetGuard is open-source, https://github.com/M66B/NetGuard
On iOS, Lockdown firewall is open-source, https://github.com/confirmedcode/Lockdown-iOS