[walterbell]

By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.

Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.

[acdha]

How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.

Similarly, when you talk about it going away after a reset that seems more like normal app activity stopping until you restart the app.

[walterbell]

Summary: https://news.ycombinator.com/item?id=46998191

[acdha]

That doesn’t have any details supporting the belief that this traffic was malicious or a sign of compromise. I’d easily believe that it’s picking up developer telemetry or ad networks but without some hard evidence this sounds like misinterpretation rather than a compromise.

[Melatonic]

Are you sure whatever you have configured in the MDM profile or one of these apps like Charles Proxy is not the source of the traffic?

Are you using a simple config profile on iOS to redirect DNS and if so how are you generating it ? Full MDM or what are you adding to the profile ?

[walterbell]

Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.

Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).

MDM was not used to redirect DNS, only toggling features off in Apple Configurator.

[universenz]

Surely you used several USB Ethernet adapters to rule them out as being the source as well right? Those types of dongles are well known for calling home.

[walterbell]

Good observation :) Multiple ethernet adapters: Apple original (ancient USB2 10/100), Tier 1 PC OEM, plus a few random ones. Some USB adapters emit more RF than others.

[Melatonic]

And your sure it wasn't some built in Apple service ? I believe they host a ton on GCP

[walterbell]

It excluded the published hostnames for services and CDNs (some of which resolved to GCP, Akamai, etc) published by Apple for sysadmins of enterprise networks, https://news.ycombinator.com/item?id=46994394. It's indeed possible that one of the unknown destination IPs could have been an undocumented Apple service, but some (e.g. OVH) seem unlikely.