
How to Audit What Data Your Apps Are Sending

By Arjun

Every app you run sends data somewhere. Some of it you expect — API calls, authentication tokens, analytics. Some of it you don’t — telemetry, fingerprinting, credentials cached in plaintext. Auditing your outbound traffic isn’t paranoia; it’s due diligence before deploying third-party code, onboarding a new SaaS tool, or diagnosing why an app is slow.

:::note[TL;DR]

  • Linux per-process: nethogs and ss -tp for quick checks; strace and tcpdump for deep inspection
  • macOS desktop: Little Snitch or Proxyman to see traffic by app
  • HTTPS inspection: mitmproxy or Charles Proxy as a local MITM proxy
  • Mobile: Charles Proxy or mitmproxy over WiFi with certificate installed
  • CI/CD audit: run with --network=none and see what breaks

:::

Prerequisites

  • Basic terminal comfort
  • For HTTPS inspection: ability to install a CA certificate on the device being audited
  • For mobile auditing: device on the same WiFi network as your computer

How do you see which processes are making network connections on Linux?

Quick overview of active connections with process names:

ss -tp
# TCP connections with process names (requires sudo for other users' processes)
sudo ss -tp

Example output:

State    Recv-Q  Send-Q  Local Address:Port    Peer Address:Port   Process
ESTAB    0       0       192.168.1.5:54322     142.250.80.46:443   users:(("chrome",pid=1234,fd=31))
ESTAB    0       0       192.168.1.5:44100     52.86.1.22:443      users:(("node",pid=5678,fd=18))

This tells you exactly which process is talking to which IP and port.
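Turning that output into an audit: the following script (an added example, not code from the original article) parses `ss -tp` lines in the format shown above and flags every peer a process is not expected to talk to. The sample output and the per-process allowlist are constructed for the example; the third `node` connection is the one a real audit would want to explain.

```python
"""Parse `ss -tp` output and flag peers a process is not expected to reach.

Added example, not from the article. SAMPLE_SS_OUTPUT and EXPECTED are
constructed: two lines from the article plus one extra node connection.
"""
import re

SAMPLE_SS_OUTPUT = """\
State    Recv-Q  Send-Q  Local Address:Port    Peer Address:Port   Process
ESTAB    0       0       192.168.1.5:54322     142.250.80.46:443   users:(("chrome",pid=1234,fd=31))
ESTAB    0       0       192.168.1.5:44100     52.86.1.22:443      users:(("node",pid=5678,fd=18))
ESTAB    0       0       192.168.1.5:50210     203.0.113.77:8443   users:(("node",pid=5678,fd=22))
"""

# ss lists every owner of a shared socket as ("name",pid=N,fd=M) inside users:(...).
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(output):
    """Return (process, pid, peer_ip, peer_port) tuples for ESTAB lines."""
    connections = []
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        # rpartition splits on the last ':' so bracketed IPv6 peers stay intact
        peer_ip, _, peer_port = fields[4].rpartition(":")
        for name, pid in PROCESS_RE.findall(fields[5]):
            connections.append((name, int(pid), peer_ip, int(peer_port)))
    return connections


def unexpected_peers(connections, allowlist):
    """Flag connections whose peer is absent from the process's allowlist.

    allowlist maps a process name to the set of "ip:port" peers it is expected
    to use; a process with no entry has every connection flagged.
    """
    return [c for c in connections if f"{c[2]}:{c[3]}" not in allowlist.get(c[0], set())]


# Hypothetical policy: chrome may reach the Google IP on 443, node only its API host.
EXPECTED = {"chrome": {"142.250.80.46:443"}, "node": {"52.86.1.22:443"}}

if __name__ == "__main__":
    for conn in unexpected_peers(parse_ss(SAMPLE_SS_OUTPUT), EXPECTED):
        print("unexpected: %s (pid %d) -> %s:%d" % conn)
```

Feed it `sudo ss -tp` output captured over a session instead of the sample, and the flagged list is the set of peers to investigate.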

Watch bandwidth per process in real time:

sudo apt install nethogs -y
sudo nethogs

nethogs shows upload and download rates per process, updated in real time. Press m to cycle the display units between KB/s, total KB, and total bytes; r and s sort by received and sent traffic.

DNS queries (what hostnames is the app resolving?):

# Option 1: run a local dnsmasq forwarder with log-queries set in its config, so every lookup is logged
sudo apt install dnsmasq -y
# Option 2: watch the DNS packets directly with tcpdump
sudo tcpdump -i any -n port 53

Every DNS query shows the hostname an app is trying to reach before it even connects. This catches data exfiltration to unfamiliar domains.


How do you use tcpdump for deep packet inspection?

tcpdump is the foundational tool for network traffic capture on Linux.

# All traffic on the main interface
sudo tcpdump -i eth0

# Only traffic to/from a specific IP
sudo tcpdump -i eth0 host 142.250.80.46

# Only HTTP traffic (port 80)
sudo tcpdump -i eth0 -A port 80
# -A prints the ASCII payload — useful for unencrypted traffic

# Save to file for analysis in Wireshark
sudo tcpdump -i eth0 -w capture.pcap

# Traffic from a specific port range
sudo tcpdump -i any portrange 80-443

For HTTPS traffic, tcpdump shows connection metadata (IPs, ports, timing) but not the payload — it’s encrypted. You need a MITM proxy to see HTTPS content.


How do you inspect HTTPS traffic with mitmproxy?

mitmproxy acts as a local proxy. Your app connects to it; mitmproxy decrypts the request, forwards it to the real server, decrypts the response, and shows you everything. It does this by generating a self-signed CA certificate that you install as trusted on the audited device.

Install mitmproxy:

pip install mitmproxy
# or
sudo apt install mitmproxy

Start the interactive TUI:

mitmproxy
# Proxy runs on port 8080 by default

Or start the web UI:

mitmweb
# Web UI at http://127.0.0.1:8081

Point your app at the proxy:

# For curl (pass the mitmproxy CA, or curl rejects the proxy's certificate until it is installed system-wide)
curl --proxy http://127.0.0.1:8080 --cacert "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" https://example.com

# For wget
https_proxy=http://127.0.0.1:8080 wget --ca-certificate="$HOME/.mitmproxy/mitmproxy-ca-cert.pem" https://example.com

# For a Node.js process: Node's core http/https modules ignore HTTPS_PROXY, so this only
# covers libraries and tools that honour it; NODE_EXTRA_CA_CERTS adds the proxy CA to Node's trust store
HTTPS_PROXY=http://127.0.0.1:8080 NODE_EXTRA_CA_CERTS="$HOME/.mitmproxy/mitmproxy-ca-cert.pem" node app.js

Install the mitmproxy CA certificate so HTTPS apps trust the proxy:

  1. Browse to http://mitm.it while the proxy is running
  2. Download and install the certificate for your OS

Or install manually from ~/.mitmproxy/mitmproxy-ca-cert.pem.

Once the certificate is trusted, mitmproxy shows you decrypted HTTPS request and response bodies — headers, JSON payloads, file uploads, everything.


How do you audit apps on macOS?

macOS doesn’t have a built-in per-process network monitor. Two tools fill this gap:

Little Snitch (paid, $69 one-time) — shows all outbound connections by app as they happen and lets you allow or deny each one with a firewall rule. Useful for auditing what an app does over its lifetime. If you want to know every domain a macOS app calls home to, Little Snitch with the network monitor view is the clearest answer.

Proxyman (free tier available) — MITM proxy with a native macOS UI. More polished than mitmproxy for macOS desktop auditing. You install the Proxyman CA certificate in Keychain, then every HTTPS request from every app is visible in the Proxyman window.

# Command-line alternative: see connections per process
sudo lsof -i -P -n | grep ESTABLISHED

lsof shows all open files including network sockets with the process name and PID.


How do you audit traffic from mobile apps?

Mobile apps — especially third-party ones — often send significantly more data than their privacy policies admit. Auditing mobile traffic requires a MITM proxy on your computer and configuring the phone to use it.

Setup on Android:

  1. Start mitmproxy or Charles Proxy on your computer
  2. Note your computer’s IP on the local network
  3. On Android: Settings → WiFi → long-press your network → Modify network → Advanced → Proxy → Manual → enter your computer’s IP and port 8080
  4. Browse to http://mitm.it on the phone and install the certificate
  5. Trust the certificate: Settings → Security → Install from storage → select the downloaded cert

Setup on iOS:

  1. Same proxy config in Settings → WiFi → HTTP Proxy → Manual
  2. Browse to http://mitm.it and install the profile
  3. Crucially: Settings → General → About → Certificate Trust Settings → toggle the mitmproxy certificate to trusted

Without the certificate trust toggle on iOS, the proxy certificate is installed but HTTPS traffic still shows as errors. On Android 7 and later, apps ignore user-installed CAs unless their network security config opts in, so many release builds fail TLS in the same way even after the certificate is installed.

What you’ll find: Most social media apps, many ad SDKs, and some analytics libraries send device identifiers, location data, contact list snippets, and behavioral telemetry with every session. Seeing it in plaintext is often surprising.


How do you audit a Docker container’s outbound traffic?

Check what a running container is connecting to:

# Get container PID
CONTAINER_PID=$(docker inspect --format '{{.State.Pid}}' mycontainer)

# See its network connections
sudo nsenter -t $CONTAINER_PID -n ss -tp

Run a container with no network access and see what breaks:

docker run --network=none myimage

If your container errors because it can’t reach an unexpected external service, that’s information. Many base images have telemetry or update-check code that silently dials home.

Capture all traffic from a container:

# Find the container's veth interface on the host: the container's eth0 records
# the host-side peer index in iflink, which matches an entry in the host's ip link list
CONTAINER_PID=$(docker inspect --format '{{.State.Pid}}' mycontainer)
PEER_INDEX=$(sudo nsenter -t "$CONTAINER_PID" -n cat /sys/class/net/eth0/iflink)
ip -o link | awk -F': ' -v idx="$PEER_INDEX" '$1 == idx {print $2}' | sed 's/@.*//'

# Or capture from inside the container's network namespace (only this container's traffic)
sudo nsenter -t "$CONTAINER_PID" -n tcpdump -i eth0 -n

# Capture on the docker0 bridge (all containers on the default bridge network)
sudo tcpdump -i docker0 -n

How do you run a quick audit without specialized tools?

For a fast check on what a process is doing:

# strace — see all syscalls including network calls
# connect() calls show exactly which IPs and ports a process is connecting to;
# -f follows threads and child processes, which do most of the networking in many apps
sudo strace -f -e trace=network -p <PID> 2>&1 | grep connect

# Or trace a command from start
sudo strace -f -e trace=network curl https://example.com 2>&1 | grep connect

Check for unexpected listeners on your system:

# What is listening on all interfaces (not just localhost)? -t shows TCP; add -u to include UDP listeners
sudo ss -tulnp | grep -v '127.0.0.1\|::1'

Any service listening on 0.0.0.0 is reachable from the network, not just from localhost.


Summary

  • ss -tp and nethogs give you per-process network visibility on Linux with no setup
  • tcpdump captures raw traffic; mitmproxy decrypts HTTPS by acting as a trusted local CA
  • macOS: Proxyman or Little Snitch for per-app visibility without command-line friction
  • Mobile: mitmproxy or Charles Proxy as a WiFi proxy with CA certificate installed on the device
  • Docker: --network=none to see what breaks; nsenter + ss to inspect a running container’s connections

FAQ

Will installing a mitmproxy certificate break certificate pinning?

Yes, intentionally. Apps that use certificate pinning (most mobile banking apps, some enterprise apps) hardcode which CA or leaf certificate to trust and reject anything else — including your mitmproxy certificate. You’ll see a TLS handshake error instead of the request. Working around certificate pinning in Android APKs is possible but requires patching the app, which is outside the scope of a routine audit and may violate terms of service.

Auditing traffic on devices and networks you own is generally fine. Auditing traffic from others’ devices, intercepting traffic on shared networks, or bypassing protections on apps you don’t have authorization to test can violate computer fraud laws, terms of service, and wiretapping statutes depending on jurisdiction. Stick to devices and apps you own or have explicit authorization to audit.

How do I know I’m seeing all the traffic and not missing something?

You’re not guaranteed to see everything. Apps can use non-HTTP protocols that bypass HTTP proxies (QUIC/HTTP3 over UDP, for example). Some apps have multiple network paths. For comprehensive capture, use tcpdump on the network interface level rather than an application-level proxy — it captures everything regardless of protocol.