I have been running Charles Proxy locally for quite some time now. I began using it to reverse engineer the APIs behind some mobile applications and have continued to use it to map out the APIs I depend on each day. I regularly turn on Charles Proxy and, every five minutes, export the listing of any HTTP calls made while I'm working. These files get moved up into the cloud using Dropbox, where a regular CRON job processes each call made — profiling the domain and the details of the request and response for later review.
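The per-domain profiling step of that cron job, as an added example rather than the author's own script: it assumes the Charles session was exported in HAR format, and the HAR text below is a constructed sample trimmed to the fields the profiler reads.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a Charles session exported as HAR (only the fields used here).
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET", "url": "https://api.example-app.com/v1/me"},
         "response": {"status": 200, "content": {"size": 512}}},
        {"request": {"method": "POST", "url": "https://telemetry.example-app.com/batch"},
         "response": {"status": 204, "content": {"size": 0}}},
        {"request": {"method": "POST", "url": "https://telemetry.example-app.com/batch"},
         "response": {"status": 204, "content": {"size": 0}}},
        {"request": {"method": "GET", "url": "https://updates.example-vendor.com/check?v=1.2"},
         "response": {"status": 304, "content": {"size": 0}}},
    ]}
})


def profile_har(har_text):
    """Group HAR entries by host and summarise calls, methods, statuses, paths and bytes."""
    entries = json.loads(har_text)["log"]["entries"]
    profile = defaultdict(lambda: {"calls": 0, "methods": set(), "statuses": set(),
                                   "paths": set(), "bytes": 0})
    for entry in entries:
        url = urlparse(entry["request"]["url"])
        host = profile[url.hostname]
        host["calls"] += 1
        host["methods"].add(entry["request"]["method"])
        host["statuses"].add(entry["response"]["status"])
        host["paths"].add(url.path)  # query string dropped: tokens often ride there
        host["bytes"] += entry["response"].get("content", {}).get("size", 0)
    return dict(profile)


def report(profile):
    """Render one line per host, busiest first, for the later review."""
    lines = []
    for host, h in sorted(profile.items(), key=lambda kv: -kv[1]["calls"]):
        lines.append(f"{host}: {h['calls']} calls, methods={sorted(h['methods'])}, "
                     f"statuses={sorted(h['statuses'])}, paths={sorted(h['paths'])}, "
                     f"bytes={h['bytes']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(profile_har(SAMPLE_HAR)))
```

Pointing the script at a directory of exported HAR files and diffing each day's report against the last makes new hosts and new paths stand out.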
This process has shed some light on the application architecture of many of the tools and services I depend on. It's fascinating to see the number of pings home the average application makes while open, or while running in the background. In addition to running Charles Proxy and understanding how these applications communicate with their mothership from within my home, I downloaded Little Flocker — giving me a peek at another layer of application architecture, and how these apps interact with my laptop.
Little Flocker tells me each time an application writes or accesses a file, turns on my audio or video, and other such events. After a day of running it, I have been given another glimpse at the architecture of the apps I depend on. One example of suspicious application architecture comes from Citrix. I haven't been on a call using the app in at least four days, and usually I just uninstall the app after use, but it was interesting to see it trying to write files on a regular basis, even though I don't have the application open. Why do they need to do this? It looks like it is checking for updates, but I'm not sure why it needs to when I'm not running it.
I wish applications would provide a list of the remote calls they make to home base. I've talked with several platform providers about how they view this layer of their apps, and their thoughts about pulling back the curtain and being more transparent about the APIs behind their apps — they usually aren't very interested in having these conversations with end-users and often see this activity as their proprietary secret sauce. The part that interests me is the fact that these client interactions, API calls, and data transmissions are happening here in my home, on my laptop. I know that tech companies see this as us users operating on their platforms, but in reality, they are entering our homes and making calls home to the platform using our Internet.
Sure, we all agree to terms of service that make all of this legally irrelevant — they have their asses covered. It still doesn't change the fact that many desktop, web, and mobile application developers are exploiting the access they have to our lives. With the bad behavior we've seen from technology companies, government entities, and hackers in recent years, I feel like this level of access isn't sustainable or healthy, especially when apps are either poorly architected or built with a lack of respect for the end-user environment. This is my laptop, in my home, engaging in a personal or business relationship with your company; please be respectful of me, my space, and my privacy.