by ezst 817 days ago
> Part of the appeal of an iGizmo is not sending so much data to Google.

I guess Apple's Marketing is doing its thing once again...


Wireshark an igizmo and a droid and see the difference for yourself :)
It shows encrypted streams that neither you nor I can decipher. By default, either will spend its day scraping your surroundings (wifi and bluetooth) and report it back home, unless you opt out (which both allow). Both are equally evil in my book.
Can’t you root both of those to set up a proxy to decrypt and see for yourself? If it’s encrypted, how can you tell that’s what it's doing to say with such certainty there?
On Android the certificate pinning makes it very hard even with root. On iPhone where the owner of the phone (Apple) actively fights against your ability to gain root, I can't imagine it's easier, but if it is I'd appreciate being corrected.
mitmproxy lets you one-tap install a config profile that does it. You know, like you sometimes need to do in Korea or Kazakhstan... It's routine.

But I don't get you. You complained that droid makes it hard and apple makes it impossible. But it would be better for average user security if they could not do it (aka "did not own the device" in anti-apple propaganda), right?

The parent is right, though. Both Google and Apple send encrypted telemetry that you cannot MITM or decrypt à la HTTPS or TLS. The average iPhone and average Android phone lights up like a Christmas tree in Wireshark - some of it can be reverse-engineered with TLS or DNS abuse, some of it is RSA encrypted against the hardware root-of-trust.

Apple's mea culpa is that unlike Android they do not ship an Open Source OS ROM for developers to modify. Google's telemetry can be entirely neutralized by removing Google Play services and using Android without Google software. iPhones don't have that escape hatch, leading to a pretty literal limitation of how you "own" your phone and the software on it. On top of that, iOS has a permissions architecture Apple designed to give the user second-class control over the network. You cannot MITM Apple services - they will go around whatever user-land profile you think you've set. On top of that, there are modem emissions that you're never going to catch with an MDM profile hack and certificate pinning. You have fully drunk the kool-aid if you think an empty aircrack-ng screen means "you won" against the multitrillion dollar company and coalition of government regulatory bodies.
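The comment above notes that a phone capture "lights up like a Christmas tree" in Wireshark even though the payloads are encrypted. One thing you can still do with such a capture, without decrypting anything, is inventory the destinations: the TLS ClientHello carries the server name (SNI) in the clear. The script below is an added example, not code from anyone in this thread; it builds a small constructed pcap inline (the hostnames `telemetry.example.net`, `api.example.org` and the TEST-NET addresses are placeholders, not real endpoints) and then parses it with the standard library only. Run it against a real capture with `python3 sni_inventory.py capture.pcap` (classic pcap, not pcapng).

```python
"""Inventory TLS SNI hostnames in a pcap: which hosts a device talks to,
learned from the unencrypted ClientHello, with no decryption or MITM."""
import struct
import sys
from collections import Counter

# ---- builders for the constructed sample capture (labelled placeholders) ----

def build_client_hello(server_name: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying only a server_name extension."""
    sni_name = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # type 0 = server_name
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeroed)
            + b"\x00"                         # session_id length
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_frame(payload: bytes, dst_port: int = 443) -> bytes:
    """Ethernet/IPv4/TCP wrapper. 192.0.2.x is TEST-NET, a constructed address."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 50000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 2]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# ---- parser side: this is what you would run on a real capture ----

def iter_pcap_frames(data: bytes):
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame: bytes):
    """Return (dst_ip, dst_port, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return dst_ip, dst_port, tcp[(tcp[12] >> 4) * 4:]

def extract_sni(payload: bytes):
    """Pull server_name out of a TLS ClientHello; None for anything else."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                   # record hdr 5 + hs hdr 4 + version 2 + random 32
    pos += 1 + payload[pos]                    # session_id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + payload[pos]                    # compression_methods
    if pos + 2 > len(payload):
        return None
    end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:                         # list len 2, name type 1, name len 2, name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def sni_inventory(pcap_bytes: bytes) -> Counter:
    """Count (hostname, dst_ip, dst_port) across every ClientHello in the capture."""
    counts = Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed:
            name = extract_sni(parsed[2])
            if name:
                counts[(name, parsed[0], parsed[1])] += 1
    return counts

# Constructed sample: two hellos to one host, one to another, one app-data record.
SAMPLE_PCAP = build_pcap([
    build_frame(build_client_hello(b"telemetry.example.net")),
    build_frame(build_client_hello(b"telemetry.example.net")),
    build_frame(build_client_hello(b"api.example.org")),
    build_frame(b"\x17\x03\x03\x00\x05hello"),   # encrypted app data, no SNI
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (host, ip, port), n in sni_inventory(data).most_common():
        print(f"{n:5d}  {host}  ->  {ip}:{port}")
```

The point of the exercise is the one the comment makes: you do not need to break the encryption to see who a device talks to and how often, and a list of unexpected hostnames is usually the first thing worth explaining. Encrypted ClientHello or DNS-over-HTTPS deployments will hide the name, and QUIC traffic is UDP and not covered by this parser.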

> But I don't get you. You complained that droid makes it hard and apple makes it impossible.

I didn't complain about anything, I just stated the facts, with a possible exception regarding the snark about how Apple "owns" the device, although I do think that's a defensible position since they have higher access to it than its "owner". I do think it's shitty though that they don't provide a way (even with some hoops) for the "owner" of the device to get the highest level of access to it, but that wasn't in the comment.

> But it would be better for average user security if they could not do it (aka "did not own the device" in anti-apple propaganda), right?

Why would that be better? I highly doubt it would make any difference at all to the average user. I doubt it even impacts the majority of power users.

The people who are impacted by these restrictions are the technical users who want to capture and inspect their own device's traffic, usually on their own network. Conveniently, these are also the researchers who might publish blog posts and articles about what kind of data and surveillance the device is sending home about the user, without their knowledge.

MITM it, it's your phone that you physically control.
> it's your phone

I can't even tell whether it's sarcasm… All those services are closed-source, exchanging over binary protocols, of which there is no public description/documentation, and no stability guarantee.

You overdramatize, they mostly just push json around. mitmproxy is your friend. And since you only need to see for yourself once who cares about stability.
I share your attitude towards inspecting your devices’ traffic being an inalienable right, but AFAICT this hasn’t been the case for a while now.

I believe on Android MITMing even most third party applications (that make zero-to-no effort to prevent this) requires a rooted phone or an emulator running an older Android (8) without Google Play Services and doing a little bit of RE (for instance using some Frida user scripts to patch the apk to circumvent the certificate pinning). I reckon MITMing the actual traffic Google itself can collect would require a lot more RE and network wizardry than I’m even aware of (feel free to link some reading though). Here’s a recent walkthrough I saw in the wild: https://youtu.be/c4wS9n7yilA?si=xAfwCyWIzdrvOiHc

For Apple devices, afaict, since rooting was…ahem, rooted out, no viable amateur-DIY methods for monitoring your device's traffic exist.

I know everything is open source if you’re good enough at assembly but at some point it’s gone from something a tinkerer can do to something you need significant talent and in-depth knowledge to do.

I’d love to read any write-ups or guides to the contrary though.