Recording a Packet Trace

I want to track down which part of an app contacts a given domain listed in its App Privacy Report.

Following the instructions given here I am able to capture a packet trace, but traffic to the domain in question is encrypted using QUIC.

Is there a way to insert e.g. mitmproxy into the capture process in order to get hold of the SSLKEYLOGFILE so that I can decrypt the traffic?

What platform are you on?

Oh, and are you using QUIC via HTTP/3? Or explicitly?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

What platform are you on?

iOS unfortunately

Oh, and are you using QUIC via HTTP/3? Or explicitly?

I'm not sure; let me check

It seems to be QUIC explicitly. And it's not us using it but some dependency we include - and yes, I am aware of https://developer.apple.com/documentation/Xcode/verifying-the-origin-of-your-xcframeworks :)

I also have been perusing the logs, but to no avail (Bundle Name and ID redacted):

default	2026-03-06 08:10:29.582324 +0100	mDNSResponder	dnssd_server	[R421] getaddrinfo start -- flags: 0xC000D000, ifindex: 0, protocols: 0, hostname: google.com, options: 0x8 {use-failover}, client pid: 545 (com.apple.WebKi), delegator pid: 463 (<CFBundleName>)
default	2026-03-06 08:10:29.583518 +0100	mDNSResponder	resolver	[Q65194] Received acceptable 44-byte response from 192.168.179.1 over UDP via en0/13 -- id: 0x533C (21308), flags: 0x8180 (R/Query, RD, RA, NoError), counts: 1/1/0/0, google.com. IN A?, 285 IN A 172.217.17.206
default	2026-03-06 08:19:53.020864 +0100	com.apple.WebKit.Networking	connection	[C1 83F90D07-2D61-4158-A073-C82071955008 google.com:443 quic-connection, bundle id: <CFBundleIdentifier>, url: https://google.com/, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{FC11B685-7D67-4806-80B1-6E2559DC8AA4}{(null)}{Y}{3}{0x20e0344a0} (sensitive), proc: 1F873F6E-9E6F-3D35-A95D-C72E62C50C26, effective proc: 888D3A38-707B-33BC-944C-0143FC68835D, delegated upid: 0, pid: 814, attribution context: google.com] start
info	2026-03-06 08:19:53.024946 +0100	com.apple.WebKit.Networking	connection	nw_endpoint_resolver_handle_alternative [C1.1.1 google.com:443 in_progress resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good)] Discovered alternative google.com:443 using tcp
info	2026-03-06 08:19:53.024960 +0100	com.apple.WebKit.Networking	connection	nw_endpoint_resolver_handle_alternative [C1.1.1 google.com:443 in_progress resolver (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good)] Discovered alternative google.com:443 using quic
info	2026-03-06 08:19:53.024986 +0100	com.apple.WebKit.Networking	connection	nw_endpoint_transform_receive_report_block_invoke [C1.1 google.com:443 in_progress transform (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi, LQM: good)] updated endpoint alternatives allow quic, restarting
default	2026-03-06 08:19:53.029119 +0100	com.apple.WebKit.Networking	quic	quic_conn_initialize_inner [C1.1.2.1:2] [-987721dfe9544d2a] created QUIC connection (spin bit enabled)
info	2026-03-06 08:19:53.100833 +0100	com.apple.WebKit.Networking	quic	quic_conn_process_inbound [C1.1.2.1:2] [-f87721dfe9544d2a] unable to parse packet (decryption keys may not be ready)
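The log lines in the post above already tie a hostname to the process that resolved it and to the connection that used it. The following is an added example, not code from any poster or from Apple, that parses that format and groups the entries per hostname. The sample lines are abridged from the post, `ExampleApp` and `com.example.app` are placeholders for the redacted values, and tab-separated columns are an assumption about the log export.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the log format in the post above.
# "ExampleApp" / "com.example.app" are placeholders for the redacted values.
SAMPLE_LOG = "\n".join([
    "default\t2026-03-06 08:10:29.582324 +0100\tmDNSResponder\tdnssd_server\t"
    "[R421] getaddrinfo start -- flags: 0xC000D000, ifindex: 0, protocols: 0, "
    "hostname: google.com, options: 0x8 {use-failover}, "
    "client pid: 545 (com.apple.WebKi), delegator pid: 463 (ExampleApp)",
    "default\t2026-03-06 08:19:53.020864 +0100\tcom.apple.WebKit.Networking\tconnection\t"
    "[C1 83F90D07 google.com:443 quic-connection, bundle id: com.example.app, "
    "url: https://google.com/, definite, attribution: developer, "
    "delegated upid: 0, pid: 814, attribution context: google.com] start",
    "default\t2026-03-06 08:19:53.029119 +0100\tcom.apple.WebKit.Networking\tquic\t"
    "quic_conn_initialize_inner [C1.1.2.1:2] [-987721dfe9544d2a] created QUIC connection",
])
DNS_RE = re.compile(r"getaddrinfo start .*?hostname: ([^,\s]+),.*?client pid: (\d+) \(([^)]*)\)"
                    r"(?:, delegator pid: (\d+) \(([^)]*)\))?")
CONN_RE = re.compile(r"^\[(C\d+) \S+ ([^\s:]+):(\d+) ([\w-]+), bundle id: ([^,]+),"
                     r".*?, pid: (\d+),.*\] start$")
QUIC_RE = re.compile(r"\[(C\d+)[.\d:]*\].*created QUIC connection")

def attribute(log_text):
    """Group DNS lookups and connection starts by hostname."""
    report = defaultdict(lambda: {"lookups": [], "connections": []})
    by_id = {}  # (process, connection id) -> connection; IDs are per process
    for line in log_text.splitlines():
        fields = line.split("\t", 4)  # level, time, process, category, message
        if len(fields) != 5:
            continue
        process, message = fields[2], fields[4]
        if m := DNS_RE.search(message):
            host, cpid, cname, dpid, dname = m.groups()
            report[host]["lookups"].append({"client": (int(cpid), cname),
                "delegator": (int(dpid), dname) if dpid else None})
        elif m := CONN_RE.search(message):
            cid, host, port, proto, bundle, pid = m.groups()
            conn = {"id": cid, "port": int(port), "protocol": proto, "bundle_id": bundle,
                    "pid": int(pid), "process": process, "quic_created": False}
            by_id[(process, cid)] = conn
            report[host]["connections"].append(conn)
        elif (m := QUIC_RE.search(message)) and (process, m.group(1)) in by_id:
            by_id[(process, m.group(1))]["quic_created"] = True  # child flow of a known connection
    return dict(report)

if __name__ == "__main__":
    for host, info in attribute(SAMPLE_LOG).items():
        print(host, info)
```

The delegator pid on the `getaddrinfo` line and the bundle id on the connection line are the fields that point back at the app on whose behalf the networking process acted.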

If it’s a QUIC connection and the log has a com.apple.WebKit.Networking subsystem, it’s almost certainly HTTP/3. Have you tried the HTTP Traffic instrument? See Analyzing HTTP traffic with Instruments.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
