**Show HN: PrivaseeAI – iOS Threat Detection after My Carrier-Level Hack**
How a Terrifying 4 AM Attack Led Me to Build 9,879 Lines of Python Code — and Why I’m Giving It Away for Free
I still remember that fateful night on January 26th. It was 4:24 AM when my iPhone 16 Pro sprang to life, behaving erratically. My trusty ProtonVPN app had disconnected, reconnected, and disconnected again in a span of seven minutes, switching between four different VPN servers in the process. That's when I knew something was very wrong.
I checked the system logs, and what I saw made my blood run cold. The WireGuard connection had been established using TCP, which is a fallback protocol that should never be used by default. Someone was intercepting my UDP traffic at the carrier level. This wasn't just a bug; it was an attack.
I spent the next hour digging through logs, and every new discovery made me more paranoid. The ProtonVPN app was trying to get my location to optimize server selection, but someone was intercepting those API calls, counting them, and throttling them. They weren't just tracking my VPN usage; they were tracking my location queries.
As I continued to investigate, I found evidence of certificate refresh triggers and a VPN configuration routing traffic to `127.0.0.1` — localhost. It was clear that the attacker had set up a perfect man-in-the-middle (MITM) setup, masquerading as my legitimate ProtonVPN profile.
The worst part? This attack survived even after I wiped my phone with a factory reset two days earlier. Whoever was attacking me had persistence. They could reinstall their attack infrastructure even after I cleaned my device.
I wasn't naive to think that running security software would protect me. I had three tools: iMazing Spyware Detector, Lookout Mobile Security, and Norton Mobile Security. But none of them detected the attack. Why? Because they're looking for the wrong things:
- Periodic scans that only check once an hour or once a day
- Signature-based detection that looks for known malware signatures (this wasn't malware)
- No behavioral monitoring to watch how my VPN behaves, just if it's running
- Cloud-based processing that sends data to the cloud for analysis (which defeats the purpose of caring about privacy in the first place)
So I decided to build something better. In six weeks, I created PrivaseeAI.Security — an open-source iOS threat detection system that does what commercial tools don't:
- 9,879 lines of Python code
- 196 tests (every single one passing)
- 100% local processing (no cloud, ever)
The system consists of three monitors:
- VPN Integrity Monitor: watches for the exact attack that hit me, including UDP blocking, TCP vs. UDP usage, API rate limiting patterns, and server hopping frequency
- API Abuse Monitor: detects location queries being rate-limited, apps making 100+ location requests per hour, and background activity at odd hours
- Carrier Compromise Detector: scans iOS backups for VPN profiles routing to localhost (MITM configs), DNS tampering, and profiles that persist across factory resets
These monitors run concurrently using Python's asyncio, aggregating threats, deduplicating, and filtering by severity before alerting. The system is designed to catch real attacks, not just theoretical ones.
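The kind of rule the monitor descriptions above imply, shown as an added example that is not PrivaseeAI's own code: it flags server hopping inside a sliding window, TCP transport, and a VPN endpoint on loopback, then de-duplicates and filters by severity. The event tuple layout, thresholds, rule names and sample events are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address

SEVERITY = {"medium": 1, "high": 2, "critical": 3}

# Constructed sample events, not real logs: (timestamp, server, transport, endpoint)
EVENTS = [
    ("2000-01-01T04:24:05", "srv-a", "udp", "198.51.100.10"),
    ("2000-01-01T04:25:40", "srv-b", "udp", "198.51.100.11"),
    ("2000-01-01T04:27:12", "srv-c", "tcp", "198.51.100.12"),
    ("2000-01-01T04:30:55", "srv-d", "tcp", "127.0.0.1"),
    ("2000-01-01T09:02:00", "srv-a", "udp", "198.51.100.10"),
]

def detect(events, window=timedelta(minutes=7), max_servers=3):
    """Return de-duplicated (rule, severity, detail) findings in event order."""
    findings, seen, recent = [], set(), deque()

    def report(rule, severity, detail):
        # De-duplicate on (rule, detail) so a repeated condition alerts once.
        if (rule, detail) not in seen:
            seen.add((rule, detail))
            findings.append((rule, severity, detail))

    for ts, server, transport, endpoint in events:
        now = datetime.fromisoformat(ts)
        recent.append((now, server))
        # Drop connections that have aged out of the sliding window.
        while now - recent[0][0] > window:
            recent.popleft()
        servers = {name for _, name in recent}
        if len(servers) > max_servers:
            report("server_hopping", "high", f"{len(servers)} servers within {window}")
        if transport.lower() == "tcp":
            report("tcp_fallback", "medium", server)
        # A tunnel endpoint on loopback means traffic is handed to a local proxy.
        if ip_address(endpoint).is_loopback:
            report("loopback_endpoint", "critical", endpoint)
    return findings

def filter_by_severity(findings, minimum="high"):
    """Keep only findings at or above the given severity level."""
    return [f for f in findings if SEVERITY[f[1]] >= SEVERITY[minimum]]

if __name__ == "__main__":
    for finding in filter_by_severity(detect(EVENTS)):
        print(finding)
```
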
I didn't build this on theory; every single detection rule comes from the January 26th attack logs. I tested it against my own attack: UDP blocking detected in 0.3 seconds, API rate limiting caught within 1 second, server hopping pattern recognized immediately, and all four attack vectors identified correctly.
But the real test was running it live on my iPhone 16 Pro for a week, monitoring 24/7. And that's when I knew this actually worked: it caught the attack on my phone even before I noticed it.
So why am I making it open source? Because if I was attacked, others are being attacked too — journalists in hostile countries, activists facing surveillance, executives with sensitive data, and everyday people who just want privacy. This tool doesn't spy on them (100% local processing), doesn't cost money (free and open source), actually works (battle-tested on real attacks), and can be audited (open source = full transparency).
PrivaseeAI.Security is Apache 2.0 licensed, free forever, with no strings attached. So what are you waiting for? Join the beta testing discussion, open an issue, or help review the detection logic.
Together, we can build better mobile security. For everyone.