Researcher reveals Bright Data iOS SDK turns consumer devices into AI web-scraping nodes
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (June 6, 2026) — A security researcher has reverse-engineered software embedded in consumer applications by Bright Data, revealing a mechanism that converts smart TVs and mobile phones into exit nodes for web-scraping traffic serving the artificial intelligence industry.
The discovery, published Friday by Buchodi, an independent researcher, details how the company's iOS Software Development Kit (SDK) operates within third-party apps. Buchodi stated the SDK allows Bright Data to route internet traffic through users' home connections, effectively turning personal devices into part of a residential proxy network. The traffic is then used to scrape websites, a practice heavily marketed to AI developers requiring large datasets.
Bright Data, a provider of proxy services, has long marketed its residential network as a way to bypass geo-restrictions and access data without triggering anti-bot defenses. The company's services are widely used by AI firms to gather training data. However, the specific implementation of the iOS SDK described by Buchodi suggests a more direct integration into consumer apps than previously disclosed.
The investigation identified affected devices in various regions, including Uzbekistan and Oman. The researcher noted that the SDK was found embedded in applications that users downloaded from official app stores. Once installed, the software allegedly utilizes the device's bandwidth and IP address to facilitate web requests for Bright Data's clients.
Include Security, a cybersecurity firm, reviewed the findings and confirmed the technical details of the SDK's operation. The firm stated that the mechanism allows Bright Data to leverage consumer infrastructure without explicit, meaningful consent for the specific purpose of web-scraping.
Bright Data has not immediately commented on the specific findings regarding the iOS SDK implementation. The company has previously defended its residential proxy network, stating that users agree to terms of service that permit the use of their bandwidth. Critics argue that these terms are often buried in lengthy agreements and do not constitute informed consent for the specific use of devices as exit nodes for commercial scraping.
The revelation comes as scrutiny increases over how AI companies source data and the infrastructure they utilize. The use of residential proxies allows companies to mask their automated traffic as human browsing, making it difficult for websites to block scraping attempts. This practice has raised concerns among privacy advocates and website owners regarding unauthorized data collection and network abuse.
The scope of the SDK's deployment remains unclear. Buchodi's analysis focused on specific instances, but the number of affected applications and the volume of traffic routed through consumer devices have not been quantified. It is also unknown whether other mobile operating systems or smart TV platforms utilize similar integration methods.
Regulators in several countries are beginning to examine the implications of residential proxy networks. The involvement of consumer devices in commercial data scraping operations could trigger investigations into data privacy laws and unauthorized use of network resources. As the AI industry continues to expand its data requirements, the methods used to access that information are under increasing public and legal scrutiny.