The idea is to give you extra insight into when and why your apps are interacting with these domains. The problem, though, is that even with that distinction, most people wouldn’t recognize whether the domains and IP addresses that show up on this list are trustworthy in the first place. When the Facebook app contacts “web.facebook.com,” you know you’re probably OK, but you might not recognize “bidder.criteo.com” or “video.primis.tech” on the same list.
“The data I’m seeing so far is all just what website domains apps are communicating with, which is of somewhat limited value for the average consumer who wouldn’t know what domains to be concerned about,” says Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes. “I personally will be interested to see if any of my apps are communicating with sketchy domains.”
The content delivery and digital advertising ecosystems are a dense maze of platforms that silently facilitate a lot of app services behind the scenes. That anonymity to the end user is part of the point; you probably don’t know which vendors and service providers your favorite restaurant uses either. But this means that it could be challenging to vet every domain you see listed in the App Privacy Report. You can use your instincts, though, like if you see an app you thought was made in the US connecting to lots of foreign domains.
The next section lists “Website Network Activity,” which does the same thing but for sites loaded through in-app browsers, or mobile browsers like Safari and Chrome. For example, if you visit “wired.com” the report will show you which domains it contacted, like “fastly.net” and “googlesyndication.com.” You also get a breakdown of which apps loaded these sites. You might expect to see “wired.com” in your Safari browsing history, for example, but probably not in your period tracker, unless you remember opening an article link through your cycle tracker’s in-app browser.
The last section tracks the most contacted domains across all your apps and the websites they loaded.
“Guess what connects to lots of domains? Social, shopping, search—pretty predictable,” says Maximilian Zinkus, a cryptographer at Johns Hopkins University. “But I guess if you see anything aside from those types of domains, it’s potentially interesting. Similarly, the most contacted domains for me, and probably many, is a list containing content delivery networks and Google fonts and analytics. Again pretty predictable, so if you see a weird domain on that list, it could be a signal of a spyware app or rogue browser extension.”
Zinkus notes that the report includes a “share” function so you can export the data for more analysis if you so choose. He emphasizes that for the average user, the data and sensor breakdown at the top of the report is probably the easiest and most important to keep an eye on.
“If an app is unexpectedly tracking location, microphone, or other sensors, that’s a huge red flag,” he says. “I would recommend uninstalling and even filing a report with Apple through the App Store if an app really seems to have unexplained access.”
If you’re worried about the security and privacy of apps in general and want to reduce your exposure, the most foolproof option is simply to delete as many as possible.
“My personal report is pretty boring,” Zinkus says, “as I don’t install a ton of apps.”
More Great WIRED Stories