Key Takeaways
- Bright Data’s iOS SDK turns consumer devices—including always‑on smart TVs—into residential exit nodes that relay web‑scraping traffic for AI‑focused customers.
- The SDK contacts Bright Data servers with minimal verification, then receives scraping jobs that travel through the user’s home IP, bypassing VPNs and often evading standard app‑monitoring tools.
- Consent screens in partner apps (e.g., the Roku “Petflix” app) understate the SDK’s capabilities, allowing up to 200 GB/month (or far more in some regions) of background traffic.
- Bright Data’s residential proxy network—claimed to exceed 400 million IPs—leverages this SDK‑sourced pool, echoing the earlier Hola/Luminati model but now driven by demand for AI data harvesting.
- Network‑level blocking of specific domains (proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, clientsdk.brdtnet.com) stops the relay behavior without affecting Bright Data’s paid services.
- Organizations should audit installed apps for the SDK, monitor background traffic on mobile connections, and keep blocklists updated as the SDK may evolve its connection methods.
Overview of the Reverse‑Engineering Findings
Include Security and independent researcher Buchodi reverse‑engineered the iOS SDK that Bright Data bundles into a variety of free consumer apps. Their analysis shows that once the SDK is initialized, it establishes a peer‑to‑peer channel with Bright Data’s backend that carries scraping instructions. The channel lacks the typical authentication and encryption safeguards found in legitimate services, making it comparable to the weak controls seen in many malware families. This technical deep‑dive confirms that the SDK can turn any device running the host app into an exit node for Bright Data’s residential proxy network, regardless of whether the device is a smartphone, tablet, or smart TV.
How the SDK Operates Inside the Peer Tunnel
When the host application launches, the SDK contacts one of Bright Data’s command‑and‑control servers, which responds with a set of instructions without performing strong identity verification. From that point, the server can command the device to fetch arbitrary web pages using the device’s own residential internet connection. The researcher noted that the traffic carrying these jobs follows no standard security protocol; there is no mutual TLS, token‑based auth, or rate‑limiting that would normally protect such a channel. Consequently, the device becomes a willing conduit for scraping workloads that originate elsewhere but appear to come from the user’s home IP address.
VPN Bypass and Stealth Characteristics on iOS
On iPhones, the researcher discovered that the SDK’s scraping traffic deliberately evades a configured VPN. The packets route outside the VPN tunnel, meaning that even users who rely on a VPN for privacy cannot prevent their bandwidth from being consumed by Bright Data’s jobs. Moreover, much of the SDK’s activity remains invisible to the typical monitoring tools security teams employ—such as network profilers or mobile‑device‑management (MDM) consoles—because the SDK uses background execution privileges and low‑level networking APIs that blend with ordinary app traffic. As long as the device’s battery is not critically low, the relay can continue while the user watches video, makes a call, or interacts with the screen.
The Consent Gap Between Promise and Reality
The opt‑in screens presented to users in partner apps often mischaracterize what the SDK actually permits. In the Roku‑based app Petflix, for example, the consent dialog claimed the device would be used “only occasionally.” Yet the settings fetched by the SDK allow up to 200 GB of traffic per month, with substantially higher caps in certain countries (e.g., Uzbekistan and Oman) where the device may operate until the battery drains. The SDK can also aggregate multiple devices owned by the same person—phone, tablet, and computer—if they run apps that embed the same SDK, treating them as a single user for traffic‑allocation purposes. This disparity between the disclosed scope and the actual technical capabilities raises serious questions about the meaningfulness of the consent mechanism.
Bright Data’s Partner Ecosystem and Smart‑TV Reach
Bright Data publishes a public list of its app partners, which includes companies that develop smart‑TV applications such as PlayWorks Digital, CloudTV, and Longvision. Being on this list merely indicates a historical business relationship; it does not guarantee that a given partner’s current app still contains the SDK. Each app must be inspected individually to confirm the presence of the tracking code. Nevertheless, the company’s public platform support statements and prior reporting suggest that the SDK has been integrated into smart‑TV SDKs for platforms like Samsung’s Tizen and LG’s webOS, making always‑on televisions an especially attractive exit node due to their constant power, high‑speed broadband, and typically unmetered usage.
Historical Context: From Hola/Luminati to AI‑Driven Demand
The underlying model is not novel; it traces back to Hola VPN, whose free‑user bandwidth was sold through the Luminati proxy service at roughly $20 per gigabyte in 2015. Bright Data, the rebranded successor to Luminati, continues the same practice but now targets a different market: AI companies that need vast amounts of web‑scraped data to train large language models and other machine‑learning systems. Modern anti‑bot defenses from Cloudflare, DataDome, and similar providers block scraping attempts originating from datacenter IP ranges, pushing scrapers toward residential proxies that appear as legitimate home traffic. Consequently, the demand for Bright Data’s residential proxy network has surged, fueling the large‑scale deployment of its SDK across consumer devices.
Detection and Mitigation at the Network Level
Fortunately, the SDK’s reliance on a predictable set of domains makes it relatively easy to block. Researchers identified the primary hostnames used for SDK communication:
- proxyjs.brdtnet.com
- proxyjs.luminatinet.com
- proxyjs.bright-sdk.com
- clientsdk.bright-sdk.com
- clientsdk.brdtnet.com
Implementing a DNS‑level block via tools such as Pi‑hole, NextDNS, or a router‑based firewall prevents the device from establishing the peer channel, thereby stopping it from functioning as an exit node. Importantly, this blockade does not interfere with Bright Data’s paid proxy offerings, which operate on separate infrastructure and domain names. For corporate environments that manage mobile devices, inventory scans can flag apps known to embed the SDK; however, because the traffic can bypass office Wi‑Fi on cellular connections, network‑only blocks are insufficient on their own—continuous monitoring and updated blocklists are essential.
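As an added illustration of the DNS-level detection and blocking described above (example code, not from the report or from Include Security), the following Python scans dnsmasq/Pi-hole-style query logs for the five listed hostnames and writes a hosts-format blocklist. The log lines are constructed samples, and matching subdomains of the listed names is an assumption that goes slightly beyond the exact hostnames in the report.

```python
import re
from collections import Counter

# Hostnames listed in the report as the SDK's command/relay endpoints.
SDK_DOMAINS = (
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
)

# dnsmasq/Pi-hole query line: "<date> <time> dnsmasq[pid]: query[A] host from client"
_QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def is_sdk_host(name: str) -> bool:
    """True for an exact match or (assumption) any subdomain of a listed SDK hostname."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SDK_DOMAINS)

def flag_queries(log_lines):
    """Return (client, hostname) pairs for queries that resolve SDK endpoints."""
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and is_sdk_host(m.group("name")):
            hits.append((m.group("client"), m.group("name").rstrip(".").lower()))
    return hits

def clients_by_hits(log_lines) -> Counter:
    """Count SDK lookups per client IP; a steady trickle from one device (e.g. a TV) is the tell."""
    return Counter(client for client, _ in flag_queries(log_lines))

def hosts_blocklist(sink: str = "0.0.0.0") -> str:
    """Hosts-file entries (Pi-hole / dnsmasq addn-hosts format) that sink the SDK domains."""
    return "\n".join(f"{sink} {d}" for d in SDK_DOMAINS) + "\n"

# Constructed sample log (not real traffic): one device polling SDK endpoints, others benign.
SAMPLE_LOG = [
    "Jun 3 10:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20",
    "Jun 3 10:00:05 dnsmasq[1234]: query[A] clientsdk.bright-sdk.com from 192.168.1.42",
    "Jun 3 10:00:09 dnsmasq[1234]: query[AAAA] proxyjs.brdtnet.com from 192.168.1.42",
    "Jun 3 10:00:12 dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.20",
    "Jun 3 10:00:30 dnsmasq[1234]: query[A] clientsdk.brdtnet.com from 192.168.1.42",
]

if __name__ == "__main__":
    print(clients_by_hits(SAMPLE_LOG))  # per-client count of SDK lookups
    print(hosts_blocklist(), end="")
```

Because the block only covers the hostnames the report identified, the list in `SDK_DOMAINS` has to be refreshed if the SDK moves to new endpoints.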
Recommendations for Users and Organizations
Individuals should review the apps installed on their phones, tablets, and smart TVs, looking for any that appear on Bright Data’s partner list or that request vague background‑data permissions. Disabling background refresh for suspicious apps or uninstalling them eliminates the risk of inadvertent bandwidth sharing. Network administrators can adopt the DNS blocklists described above and consider deploying deep‑packet inspection or behavioral analytics to spot the characteristic low‑authentication scraping traffic, especially on cellular links where traditional Wi‑Fi controls fall short. Finally, staying abreast of SDK updates is crucial; Bright Data may alter its connection endpoints to evade static blocks, so subscribing to threat‑intelligence feeds that track changes to the proxyjs and clientsdk domains will help maintain effective defenses over time.