[radicaldreamer]

There’s no hard evidence that you’ve put forward that you’ve been breached.

Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.

Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?

Strong claims require strong evidence imo and this isn’t it.

[walterbell]

As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.

Apple traffic was isolated separately, https://news.ycombinator.com/item?id=46994394

Traffic outside that baseline could then be reviewed closely.