hagezi / dns-blocklists

DNS-Blocklists: For a better internet - keep the internet clean!
GNU General Public License v3.0

gsas.apple.com: Transmitting handset identifiers (IMEI, the SIM serial number etc.) #3255

Closed OrkoGrayskull closed 3 months ago

OrkoGrayskull commented 3 months ago

Which domain(s) should be blocked?

gsas.apple.com

Why should these domain(s) be blocked?

When the iPhone is left idle, roughly every 2-3 days it sends data to gsas.apple.com/grandslam:

POST https://gsas.apple.com/grandslam/GsService2/postdata
Headers
User-Agent: akd/1.0 CFNetwork/1128.0.1 Darwin/19.6.0
X-Apple-I-UrlSwitch-Info: MDAxMDI5LTA...GF0YQ==    // x-apple-adsid base64 encoded
X-Apple-HB-Token: MDAxMDI5LTA1LTk...5XN3dnPT0=      // x-apple-adsid base64 encoded
X-Mme-Device-Id: 7c2694081d...71412dc5bc5           // UDID
X-Apple-I-MD-RINFO: 17106176
X-Apple-I-SRL-NO: C8PVCB1HJC67                      // Handset hardware serial number
X-Apple-I-MD-M: 5ekJNohU...YjL2Z                    // Anisette machineID
X-Apple-I-MD: AAAABQAA...AAAAw==
POST body
<...>
<key>iccid</key>
<string>8935311180135555145</string>               // SIM Integrated Circuit Card Identifier
<key>imei</key>
<string>356765081821496</string>                   // Handset IMEI
<...>
<key>number</key>
<string>+35389...97590</string>                    // Handset phone number
<...>
<key>pn</key>
<string>+35389...97590</string>
<...>
<key>ptkn</key>
<string>7534B939D....6E2750CB0FD0</string>
<...>
<key>sn</key>
<string>C8PVCB1HJC67</string>                      // Handset hardware serial number
<...>

It can be seen that this message sends (and links together) many handset identifiers including: the handset hardware serial number, the handset UDID, the IMEI, the SIM serial number, the handset phone number, the Apple advertising ID plus the X-Apple-I-MD-M security token/anisette machine identifier.

Source: https://www.scss.tcd.ie/doug.leith/apple_google.pdf (page 7).

Privacy
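The capture above is a good illustration of what a privacy audit of device telemetry looks for: not any single value, but several identifier classes (hardware, subscriber, account) transmitted in one message. The script below is an added example, not code from the issue or from the dns-blocklists project. It parses a constructed request in the same shape as the capture (request line, headers, XML plist body), maps header and plist keys to identifier categories, validates the IMEI and ICCID with the Luhn check both formats use, and reports whether hardware identifiers are being sent together with subscriber identifiers. All sample values are made up; the IMEI and ICCID are Luhn-valid but fictitious, and the header/key names are taken from the capture in the issue.

```python
import json
import plistlib
from collections import defaultdict

# Constructed sample request modelled on the capture in the issue. Every value is a
# placeholder or a fictitious Luhn-valid number; nothing here is a real device's data.
SAMPLE_REQUEST = """POST /grandslam/GsService2/postdata HTTP/1.1
Host: gsas.apple.com
User-Agent: akd/1.0 CFNetwork/1128.0.1 Darwin/19.6.0
X-Mme-Device-Id: 00000000-0000-4000-8000-000000000000
X-Apple-I-SRL-NO: SERIALPLACEHLD
X-Apple-I-MD-M: ANISETTE-MACHINE-ID-PLACEHOLDER
Content-Type: text/x-xml-plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>iccid</key><string>8935311110123456782</string>
  <key>imei</key><string>490154203237518</string>
  <key>number</key><string>+10000000000</string>
  <key>sn</key><string>SERIALPLACEHLD</string>
  <key>ptkn</key><string>PUSHTOKENPLACEHOLDER</string>
</dict>
</plist>
"""

# Header names seen in the capture, mapped to the identifier category they carry.
HEADER_IDS = {
    "x-mme-device-id": "udid",
    "x-apple-i-srl-no": "serial",
    "x-apple-i-md-m": "anisette_machine_id",
    "x-apple-hb-token": "adsid_token",
    "x-apple-i-urlswitch-info": "adsid_token",
}
# Plist keys seen in the capture's POST body, mapped the same way.
BODY_IDS = {
    "iccid": "iccid",
    "imei": "imei",
    "number": "phone_number",
    "pn": "phone_number",
    "sn": "serial",
    "ptkn": "push_token",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used by both IMEI (15 digits) and ICCID (19-20 digits)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_request(raw: str):
    """Split a raw HTTP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_request(raw: str) -> dict:
    """Collect identifiers by category and flag hardware/subscriber linkage."""
    request_line, headers, body = parse_request(raw)
    found = defaultdict(set)
    for hdr, category in HEADER_IDS.items():
        if hdr in headers:
            found[category].add(headers[hdr])
    plist = plistlib.loads(body.strip().encode("utf-8")) if body.strip() else {}
    for key, category in BODY_IDS.items():
        if key in plist:
            found[category].add(str(plist[key]))
    # Sanity-check the numeric identifiers so a mislabelled field is not reported as an IMEI/ICCID.
    checks = {cat: all(luhn_valid(v) for v in found[cat]) for cat in ("imei", "iccid") if cat in found}
    categories = set(found)
    hardware = categories & {"serial", "imei", "udid"}
    subscriber = categories & {"iccid", "phone_number"}
    return {
        "request_line": request_line,
        "identifiers": {k: sorted(v) for k, v in found.items()},
        "luhn_valid": checks,
        "links_hardware_to_subscriber": bool(hardware and subscriber),
    }


if __name__ == "__main__":
    print(json.dumps(audit_request(SAMPLE_REQUEST), indent=2))
```

Run it against a request body exported from a proxy or packet capture instead of the constructed sample; the `links_hardware_to_subscriber` flag is the condition the issue is describing, a device-bound identifier (serial, IMEI, UDID) and a subscriber-bound one (ICCID, phone number) in the same message.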

hagezi commented 3 months ago

The domain may be related to the Global Service Exchange - https://gsx2.apple.com/:

Global Service Exchange is an online tool provided by Apple for authorized service providers to manage repair requests, track repair statuses, order parts, and access various service resources. Access to GSAS is restricted to authorized Apple service providers and technicians.

gsas.apple.com - CNAME gsas.idms-apple.com.akadns.net redirects to ma-gsa-hb-prod.apple.com (no A-Record)

The calls appear daily in my logs for all Apple devices.

OrkoGrayskull commented 3 months ago

FYI: Maybe more domains can be blocked: https://www.kuketz-blog.de/ios-17-von-einem-iphone-kontaktierte-domains/

hagezi commented 3 months ago

Difficult to find out what the domain is actually used for and how it is triggered.

gsas.apple.com domain is associated with the Apple ID application https://www.netify.ai/resources/domains/gsas.apple.com

hagezi commented 3 months ago

This is what AI says:

The domain gsas.apple.com is used by Apple Inc. for services related to device activation and authentication. Specifically, GSAS stands for "Global Service Activation System." It is involved in processes such as:

This system is integral to ensuring that Apple devices are securely activated and authenticated, providing a seamless and secure experience for users.

hagezi commented 3 months ago

@OrkoGrayskull I asked an acquaintance who is responsible for managed Apple devices in a company and he more or less confirmed what the AI said. So it's not a good idea to block it.

celenityy commented 3 months ago

To further corroborate this, Apple's official docs claim gsa.apple.com is used for Apple ID Authentication.

gsa.apple.com also CNAMEs to gsa.idms-apple.com.akadns.net.

So it's likely that gsas.apple.com provides similar functionality to gsa.apple.com & is related here. Probably not safe to block.