While a growing body of literature addresses how states increasingly aim to secure their digital domains and mitigate dependencies, less attention has been paid to how infrastructural and architectural configurations shape their ability to do so. This paper provides a novel approach to studying cyber security and digital dependencies, paying attention to how the everyday business decisions by private companies affect states’ ability to ensure security. Every mobile application relies on a multitude of microservices, many of which are provided by independent vendors and service providers operating through various infrastructural configurations across borders in an a-territorial global network. In this paper, we unpack such digital supply chains to examine the technical cross-border services, infrastructural configurations, and locations of various microservices on which popular mobile applications depend. We argue that these dependencies have differing effects on the resilience of digital technologies at the national level but that addressing these dependencies requires different and sometimes contradictory interventions. To study this phenomenon, we develop a methodology for exploring this phenomenon empirically by tracing and examining the dispersed and frequently implicit dependencies in some of the most widely used mobile applications. To analyse these dependencies, we record raw traffic streams at a point in time seen across various mobile applications. Subsequently locating these microservices geographically and to privately owned networks, our study maps dependencies in the case studies of Oslo, Barcelona, Paris, Zagreb, Mexico City, and Dublin.