Use iOS App Privacy Report to build MintFlow domain and IP routing rules
Learn how to turn iOS App Privacy Report network activity into MintFlow domain sets and CIDR sets for app routing, split tunneling, and custom traffic policy.
MintFlow NetStack can route traffic by CIDR, CIDR set, domain set, proxy, VPN, direct path, drop, or reject. The hard part is often not the route itself. The hard part is discovering which domains a specific iOS app actually uses.
Note: MintFlow’s app routing and domain-based split routing require a subscription or a Pro feature unlock. This guide assumes that app routing is enabled before you build domain sets and routing rules.
Apple’s App Privacy Report is useful for that discovery step. When enabled, it shows app network activity, website network activity, and the domains contacted most frequently. Apple also provides an official Network Activity example on its App Privacy Report support page, which is enough to confirm that the report exposes the kind of domain list advanced MintFlow users need.
This guide shows how to use that report as input for MintFlow domain sets and IP sets. In MintFlow profile syntax, IP sets are represented as CIDR sets.
From report to route
The practical workflow is:
- Turn on App Privacy Report.
- Use the app in a controlled way.
- Copy the domains from App Network Activity.
- Classify the domains by purpose.
- Build MintFlow domain sets and optional CIDR sets.
- Validate the result with MintFlow’s DNS cache viewer and routing behavior.
Turn on App Privacy Report
On iPhone or iPad, open Settings -> Privacy & Security -> App Privacy Report, then turn it on. Apple notes that the report only starts gathering information after it is enabled, and that the report data is encrypted and stored on the device.
Use the target app normally for a while. For a media app, test login, feed loading, search, playback, downloads, and push-notification entry points. For a finance app, test login, quote refresh, chart loading, document download, and any embedded web pages. The goal is to cover the app behavior you actually want to route.
After enough activity, open the app entry under App Network Activity. The important sections are:
| Report signal | What it can tell you | MintFlow use |
|---|---|---|
| Domains contacted directly by app | Core API, login, sync, media, telemetry, crash reporting | Usually becomes a domain set |
| Domains contacted by other content | Embedded article, video, ad, or in-app web content | Review before treating it as app-core traffic |
| Most contacted domains | High-volume domains across apps | Useful for spotting shared CDN or tracking infrastructure |
| Website network activity | Domains loaded by websites inside apps | Useful when routing web content separately |
Apple states that App Privacy Report covers the past 7 days of app activity. It does not include browser-app private browsing sessions, so use a normal session when you need browser traffic in the sample.
Classify before routing
Do not paste every domain into one large route. A better MintFlow profile usually separates domains by purpose:
- Core service domains: APIs, account, sync, chat, media playlist, or payment endpoints.
- CDN domains: static assets, images, video segments, edge cache, or download servers.
- Telemetry domains: metrics, crash reports, diagnostics, and analytics.
- Ads and tracking domains: ad delivery, attribution, cross-app tracking, or marketing pixels.
- Embedded content domains: domains loaded because the app opened a website, article, or video from another service.
This matters because different groups often deserve different actions. You may route core and CDN domains through a proxy, keep telemetry direct, reject ads, and leave unknown domains to DNS fallback.
Be conservative with parent domains. If the report shows api.example-video.com and cdn.example-video.com, adding example-video.com may be reasonable only when you are confident the whole parent domain belongs to the same app purpose. If a domain belongs to a large cloud, CDN, ad network, or shared platform, keep it precise.
Example MintFlow profile snippet
The domains and IP ranges below use documentation examples. Replace them with domains from your own App Privacy Report and with CIDR ranges you have verified separately.
```
[domain-sets]
video-core=api.example-video.com,auth.example-video.com,stream.example-video.com
video-cdn=cdn.example-video.net,img.example-video.net
video-telemetry=metrics.example-video.com,events.example-video.com
video-ads=ads.example.net,track.example.net
[cidr-sets]
video-fixed-ips=203.0.113.24/32,198.51.100.0/24
[routing]
DOMAIN-SET,video-core,L4PROXY,media-proxy
DOMAIN-SET,video-cdn,L4PROXY,media-proxy
DOMAIN-SET,video-telemetry,DIRECT
DOMAIN-SET,video-ads,REJECT
CIDR-SET,video-fixed-ips,L4PROXY,media-proxy
DNS-FALLBACK,DIRECT
DEFAULT,DIRECT
```
In this example:
- `video-core` and `video-cdn` go through the selected proxy.
- `video-telemetry` stays direct.
- `video-ads` is rejected.
- `video-fixed-ips` is optional and should only contain IP ranges you trust.
- `DNS-FALLBACK,DIRECT` keeps domains outside your sets from accidentally following the proxy DNS path.
- `DEFAULT,DIRECT` keeps packet traffic outside explicit rules direct.
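The classification and parent-domain rules above can be applied mechanically once the report's domains have been sorted by purpose. The script below is an added example, not MintFlow tooling: it takes domains classified by hand (the guide's documentation example names, constructed here as input), collapses a set to its parent domain only when every observed host under that parent belongs to that one set and the parent is not on a hand-maintained list of shared platforms, validates CIDR entries before they reach the profile, and emits the `[domain-sets]`, `[cidr-sets]` and `[routing]` sections in the syntax shown in the snippet. The parent-domain approximation (last two labels, no public-suffix list), the `SHARED_PARENTS` list and the per-set actions are assumptions of this example.

```python
"""Build a MintFlow profile fragment from classified App Privacy Report domains.

Added example, not MintFlow's own tooling. Assumes the profile syntax shown in
the guide: [domain-sets] and [cidr-sets] entries as name=a,b,c, and [routing]
lines as DOMAIN-SET,name,ACTION / CIDR-SET,name,ACTION.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: domains copied from one app's entry under
# App Network Activity and classified by purpose (guide's example names).
CLASSIFIED = {
    "video-core": ["api.example-video.com", "auth.example-video.com",
                   "stream.example-video.com"],
    "video-cdn": ["cdn.example-video.net", "img.example-video.net"],
    "video-telemetry": ["metrics.example-video.com", "events.example-video.com"],
    "video-ads": ["ads.example.net", "track.example.net"],
}

# Assumed per-set policy, mirroring the guide's snippet ("media-proxy" is its example proxy).
ACTIONS = {
    "video-core": "L4PROXY,media-proxy",
    "video-cdn": "L4PROXY,media-proxy",
    "video-telemetry": "DIRECT",
    "video-ads": "REJECT",
}

# Parents that are shared platforms (clouds, CDNs, ad networks): entries under
# these always stay precise. Constructed list, maintained by hand.
SHARED_PARENTS = {"example.net"}

# Optional CIDR sets; only ranges verified outside the report belong here.
CIDR_SETS = {"video-fixed-ips": ["203.0.113.24/32", "198.51.100.0/24"]}
CIDR_ACTIONS = {"video-fixed-ips": "L4PROXY,media-proxy"}


def parent_of(host):
    """Approximate the registrable parent as the last two labels.
    Simplification: no public-suffix handling, so names like example.co.uk
    would need a real suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def collapse_domains(classified, shared_parents):
    """Return a copy of `classified` where a set's hosts are replaced by their
    parent domain only when every observed host under that parent, across all
    sets, belongs to this one set and the parent is not a shared platform.
    Mixed-purpose parents (for example core + telemetry) stay precise."""
    owners = defaultdict(set)
    for name, hosts in classified.items():
        for host in hosts:
            owners[parent_of(host)].add(name)
    result = {}
    for name, hosts in classified.items():
        out, emitted = [], set()
        for host in hosts:
            parent = parent_of(host)
            if owners[parent] == {name} and parent not in shared_parents:
                if parent not in emitted:
                    out.append(parent)
                    emitted.add(parent)
            else:
                out.append(host)
        result[name] = out
    return result


def validate_cidrs(cidr_sets):
    """Reject malformed or non-canonical CIDRs (host bits set) before they
    reach the profile; ipaddress raises ValueError on bad input."""
    for ranges in cidr_sets.values():
        for cidr in ranges:
            ipaddress.ip_network(cidr, strict=True)
    return True


def render_profile(domain_sets, actions, cidr_sets, cidr_actions):
    """Emit the profile fragment; DNS-FALLBACK and DEFAULT stay explicit."""
    validate_cidrs(cidr_sets)
    lines = ["[domain-sets]"]
    lines += [f"{name}={','.join(hosts)}" for name, hosts in domain_sets.items()]
    if cidr_sets:
        lines.append("[cidr-sets]")
        lines += [f"{name}={','.join(ranges)}" for name, ranges in cidr_sets.items()]
    lines.append("[routing]")
    lines += [f"DOMAIN-SET,{name},{actions[name]}" for name in domain_sets]
    lines += [f"CIDR-SET,{name},{cidr_actions[name]}" for name in cidr_sets]
    lines += ["DNS-FALLBACK,DIRECT", "DEFAULT,DIRECT"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_profile(CLASSIFIED, ACTIONS, CIDR_SETS, CIDR_ACTIONS))
    print(render_profile(collapse_domains(CLASSIFIED, SHARED_PARENTS),
                         ACTIONS, CIDR_SETS, CIDR_ACTIONS))
```

Run as-is, the first print reproduces the snippet above. With collapsing, `video-cdn` becomes `example-video.net` because both observed hosts under it are CDN hosts, `video-core` stays precise because `example-video.com` also carries telemetry hosts, and `video-ads` stays precise because `example.net` is on the shared-platform list.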
About IP sets
App Privacy Report is primarily a domain discovery tool. It is not a complete IP ownership database. Many apps use CDNs, cloud providers, and rotating edge addresses. Turning every resolved address into a CIDR rule can break unrelated apps or over-route shared infrastructure.
Use CIDR sets when one of these is true:
- The app vendor publishes stable IP ranges.
- You control the server or service.
- You have verified the address range across time, networks, and regions.
- The app uses literal IP connections that cannot be covered by domain routing.
For most public apps, start with domain sets first. Add CIDR sets only after the DNS cache and real route behavior show a gap.
Validate in MintFlow
After editing the profile, restart the MintFlow VPN so the live tunnel uses the compiled route state from the current profile.
Then validate in small steps:
- Start with the core domain set only.
- Open the target app and perform one task.
- Check MintFlow’s DNS cache viewer for new domains.
- Compare the new domains with App Privacy Report.
- Add CDN, telemetry, or ad domains only after you understand their purpose.
- Keep DNS fallback and default routing explicit.
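Step three and four of that loop, comparing what the DNS cache viewer shows against the domain sets and against the report, are easy to script. The example below is added here and is not part of MintFlow; it assumes a domain-set entry matches the exact host or any subdomain of it, that the first matching set in profile order wins, and that the hostnames and report domains were copied out by hand (the lists here are constructed sample data). It reports which set covered each observed host, which hosts will fall through to `DNS-FALLBACK`, and flags entries in different sets where one is the parent of another, since ordering then decides the route.

```python
"""Compare DNS cache observations with MintFlow domain sets.

Added example, not MintFlow tooling. Assumed matching rule: an entry matches the
exact host or any subdomain of it, and the first matching set in profile order wins.
"""

# Constructed sample: hostnames read from MintFlow's DNS cache viewer after
# performing one task in the app.
DNS_CACHE_OBSERVED = [
    "api.example-video.com",
    "stream.example-video.com",
    "cdn.example-video.net",
    "metrics.example-video.com",
    "login.example-video.com",   # not yet in any set, but listed in the report
    "embedded.example.org",      # not in the report: likely in-app web content
]

# Constructed sample: domains listed for the app in App Privacy Report.
PRIVACY_REPORT_DOMAINS = {
    "api.example-video.com", "auth.example-video.com", "stream.example-video.com",
    "cdn.example-video.net", "img.example-video.net",
    "metrics.example-video.com", "events.example-video.com",
    "login.example-video.com",
}

# Domain sets from the guide's example profile, in profile order.
DOMAIN_SETS = {
    "video-core": ["api.example-video.com", "auth.example-video.com",
                   "stream.example-video.com"],
    "video-cdn": ["cdn.example-video.net", "img.example-video.net"],
    "video-telemetry": ["metrics.example-video.com", "events.example-video.com"],
    "video-ads": ["ads.example.net", "track.example.net"],
}


def matches(host, entry):
    """Assumed rule: entry matches the exact host or any subdomain of it
    (label boundary enforced, so example.com does not match notexample.com)."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def classify_observed(observed, domain_sets, report_domains):
    """Return (covered, fallback). `covered` maps host -> first matching set.
    `fallback` lists (host, origin) for hosts no set matches: origin is
    "report" if App Privacy Report lists the host (a candidate to add) or
    "new" if it did not appear there (understand its purpose before routing)."""
    covered, fallback = {}, []
    for host in observed:
        for name, entries in domain_sets.items():
            if any(matches(host, entry) for entry in entries):
                covered[host] = name
                break
        else:
            origin = "report" if host in report_domains else "new"
            fallback.append((host, origin))
    return covered, fallback


def find_overlaps(domain_sets):
    """Entries in different sets where one is the other's parent. Under
    first-match the earlier set wins, so each pair deserves a deliberate choice."""
    flat = [(entry, name) for name, entries in domain_sets.items() for entry in entries]
    return [(a, name_a, b, name_b)
            for a, name_a in flat for b, name_b in flat
            if name_a != name_b and a != b and matches(b, a)]


if __name__ == "__main__":
    covered, fallback = classify_observed(DNS_CACHE_OBSERVED, DOMAIN_SETS,
                                          PRIVACY_REPORT_DOMAINS)
    for host, name in covered.items():
        print(f"{host:32} -> {name}")
    for host, origin in fallback:
        print(f"{host:32} -> DNS-FALLBACK ({origin})")
    for a, name_a, b, name_b in find_overlaps(DOMAIN_SETS):
        print(f"overlap: {a} [{name_a}] is a parent of {b} [{name_b}]")
```

In the constructed sample, `login.example-video.com` is a report-listed host missing from `video-core`, so it is the one to review and add next, while `embedded.example.org` never appeared in the app's report entry and should be treated as embedded content rather than core traffic. Adding a broad `example-video.com` entry to `video-core` would make `find_overlaps` flag it against the telemetry hosts, which is exactly the parent-domain caution from the classification section.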
This iteration is slower than importing a public list, but it produces a route set that matches your account, region, app version, and actual usage.
Common mistakes
Avoid these shortcuts:
- Treating Most Contacted Domains as a complete list for one app.
- Routing every domain contacted by embedded web content as if it belongs to the app.
- Using broad CDN parent domains that affect many unrelated apps.
- Building large CIDR sets from one DNS sample.
- Forgetting that the report is a rolling 7-day view, not a permanent rule database.
Why this pairs well with MintFlow
MintFlow’s app routing model is built around explicit policy: domain sets, CIDR sets, DNS fallback, default route, and selected targets such as proxy, VPN, direct, drop, or reject. App Privacy Report supplies a practical observation layer on top of iOS itself. Together, they let advanced users build app-specific routing without guessing from stale public lists.