What are api.smoot.apple.com and other hosts my iPhone is secretly talking to?

Looking through some log files today I found something strange:

TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4629 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4930 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.248 -
TCP_MISS/200 5206 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.248 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 1041 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 1057 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 22836 CONNECT init.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 22868 CONNECT init.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 5155 CONNECT xp.apple.com:443 - HIER_DIRECT/17.154.66.107 -
TCP_MISS/200 5155 CONNECT xp.apple.com:443 - HIER_DIRECT/17.154.66.107 -

Apparently api.smoot.apple.com is used for Spotlight search suggestions in Yosemite, except during the timeframe the log was taken I didn't even pull down on my home screen to open the search, and the Spotlight suggestions are disabled in the phone's search settings. For the other hosts, they are linked to iTunes, but there is no info on what they do exactly...

I did some testing and it seems like every time I unlock my phone after a bit of inactivity, or shortly after I lock it again, a request to that host is fired and gets a response with an average size of 5kb...

All these URLs were called when the device was idle, freshly unlocked and on the home screen with no apps in background.

Can anyone shed some light on this?
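An added example (not part of the original question) of what the asker did by hand: parse Squid-style access-log lines, aggregate per destination host, and flag hosts whose requests are frequent and all roughly the same size, which is the shape periodic telemetry or metrics uploads tend to have. SAMPLE_LOG is a copy of the log excerpt above, which has Squid's leading timestamp/elapsed/client fields stripped; the regex anchors on the code/status field, so it also accepts the full native format. The thresholds in beacon_candidates are assumptions chosen for illustration, not a standard.

```python
"""Per-host summary of CONNECT traffic from Squid access-log lines (added example,
not code from the original post). SAMPLE_LOG is the question's excerpt; Squid's
leading timestamp/elapsed/client fields are absent there, so the regex anchors on
the code/status field and accepts both the stripped and the full native format."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Squid native format: time elapsed client code/status bytes method url ident peerstatus/peer type
_LINE_RE = re.compile(
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peerstatus>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)

SAMPLE_LOG = """\
TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4629 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.253 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4930 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4931 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.250 -
TCP_MISS/200 4656 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.248 -
TCP_MISS/200 5206 CONNECT api.smoot.apple.com:443 - HIER_DIRECT/17.252.11.248 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 1041 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 6959 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 1057 CONNECT bookkeeper.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 22836 CONNECT init.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 22868 CONNECT init.itunes.apple.com:443 - HIER_DIRECT/23.217.226.217 -
TCP_MISS/200 5155 CONNECT xp.apple.com:443 - HIER_DIRECT/17.154.66.107 -
TCP_MISS/200 5155 CONNECT xp.apple.com:443 - HIER_DIRECT/17.154.66.107 -
""".splitlines()

@dataclass
class Record:
    code: str
    status: int
    nbytes: int
    method: str
    url: str
    peer: str

    @property
    def host(self) -> str:
        """Destination host: host:port for CONNECT, or the authority of a full URL."""
        target = self.url.split("://", 1)[-1].split("/", 1)[0]
        return target.rsplit(":", 1)[0] if ":" in target else target  # IPv6 literals not handled

def parse_line(line: str) -> Optional[Record]:
    """Return a Record, or None for lines that do not look like Squid access-log entries."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    return Record(m["code"], int(m["status"]), int(m["bytes"]), m["method"], m["url"], m["peer"])

@dataclass
class HostStats:
    sizes: List[int] = field(default_factory=list)  # response bytes per request
    peers: Set[str] = field(default_factory=set)    # upstream addresses seen

    @property
    def count(self) -> int:
        return len(self.sizes)

    @property
    def mean_bytes(self) -> float:
        return sum(self.sizes) / len(self.sizes) if self.sizes else 0.0

def summarise(lines: Iterable[str]) -> Dict[str, HostStats]:
    """Aggregate request count, byte sizes and upstream peers per destination host."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines instead of aborting the whole run
        stats[rec.host].sizes.append(rec.nbytes)
        stats[rec.host].peers.add(rec.peer)
    return dict(stats)

def beacon_candidates(stats: Dict[str, HostStats], min_count: int = 5, max_spread: float = 0.25) -> List[str]:
    """Hosts seen at least min_count times whose sizes all lie within max_spread*mean of
    each other: a crude signature of same-shaped periodic uploads (assumed thresholds)."""
    return sorted(host for host, s in stats.items()
                  if s.count >= min_count and max(s.sizes) - min(s.sizes) <= max_spread * s.mean_bytes)

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for host, s in sorted(summary.items()):
        print(f"{host:30} n={s.count:3} mean={s.mean_bytes:8.1f} B peers={sorted(s.peers)}")
    print("beacon-like:", beacon_candidates(summary))
```

On the excerpt above, only api.smoot.apple.com clears both thresholds (eleven requests, every response between 4629 and 5206 bytes), which is the pattern the asker noticed by eye; bookkeeper.itunes.apple.com is contacted often enough but its sizes range from about 1 kB to 7 kB, so it reads as a different kind of exchange. The size-spread check is deliberately simple; with the full native format available, inter-arrival timing from the timestamp field would be the stronger signal.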


Regarding api.smoot.apple.com, from Hacker News. Note this is regarding Yosemite, but I would imagine it similarly applies to Mobile Safari on iOS, especially since the hostname is the same (emphasis mine):

There are two "Spotlight Suggestions":

  • "Spotlight Suggestions" in Safari
  • "Spotlight Suggestions" in Spotlight

Both query the same servers, both use the same name, and both return the same information.

A reasonable person might believe that, having followed Apple's instructions for disabling "Spotlight Suggestions" (the Spotlight kind), they'd disabled "Spotlight Suggestions" (the Safari kind) -- especially if you didn't actually see any suggestions appear in Safari (I didn't!).

Mark Rowe, Safari developer at Apple: "That’s probably a fair complaint." https://twitter.com/bdash/status/524005838743035904

...

The network query posted here is actually a search metrics POST, not a live search query, and it's used as metrics for local and remote search performance.


I think this is just Apple's remote keylogger service. I imagine iOS devices behave the same as OS X. On OS X, every single keypress is sent to api.smoot.apple.com along with very accurate longitude and latitude and device information.

It might be a little fuzzy, but you can see in the screen capture below that with each keypress there is a GET request that carries this information to Apple. At the immediate instant that you start searching your computer, typing characters, each character you type is sent to Apple. On the final request the full string is sent. Besides the keylogging, you can also see that your exact location as you type is sent.

On your local network, you can try and block this. I doubt that you can regain any privacy if you're using a mobile device.

[screen capture: search for "local machine medical records"]

Update: October 14, 2016. I check on this problem every so often. As of this date and macOS Sierra version 10.12, it is still transmitting abundant data via GET HTTP requests on each keystroke, including precise latitude and longitude, live, for local machine searches. I do wish there was full disclosure so that all users were made fully aware of how invasive this feature can be, and clear options for either disabling it or, even better, making it so that data is only sent when explicitly chosen to send. While it might be a minor inconvenience if a user opted to do so, it would be just great if we could click a button or hit tab to perform a search via the web vs. our local machines.

[screen capture: search for "local document credit card numbers"]


api.smoot.apple.com is another norm in the industry. It does quite a few things, like most vendor APIs do. It's used to assist users and make their lives easier by providing suggestions, advertisements, and whatever the vendor deems appropriate.

However, no vendor is a saint and Apple is no different; it's a business. If that includes using your network to transmit your data to them in aggregate or by keystroke, then they have no reason not to put themselves in the pipeline to collect and use what they deem appropriate.

It is the same with Google. In Chrome's settings, you can disable everything, but you cannot prevent it from communicating with its API. I tested a few months ago and Chrome would not render a single webpage I put in the address bar if I blocked the Google API. If I have turned all those settings off, what is being sent to Google? So, Chrome has already forced itself into users' data pipeline. It is by definition a trojan, but let's not start name-calling. The industry trend started many years ago.

Intel WiDi...I really need to connect to the Intel api every time I launch WiDi on my PC...really Intel? I could not opt-out of the auto-updater?

Microsoft Windows 10...just try to stop it from changing itself to facilitate "security" or collection of data regarding your desktop environment. You agreed to allow it when you installed Windows.

In fairness to app vendors, it is the norm and users allow it because they want the functionality. A legitimate app won't install unless users agree to whatever permissions the app says it needs. No one bothers to look at all that because, hey, I need a flashlight app right now; who cares if it requires permissions to read my text messages and read my SD card...in order for me to install it...so I can use my camera flash like a flashlight right now. Most apps are up front with their permission requirements...most users just don't care; make what I want happen right now.

And just to clarify, Michael Prescott's post above about "while searching"...do you think your phone keyboard, which is used for text messages and every other app on your phone does not communicate with an api? (Android or Apple device immaterial)

In order to trend a user and correlate patterns vendors can use, vendors need to uniquely track users for targeted marketing before they depersonalize it...conveniently, a user's OS (Apple or Windows) has an advertisement ID enabled automatically...