An Empirical Study of Backend Infrastructure in Leading Pakistani Mobile Apps

Authors: Sana Habib (Arizona State University/Washington and Lee University), Mohammad Taha Khan (Carnegie Mellon University), Jedidiah R. Crandall (Arizona State University)

Year: 2026
Issue: 2
Pages: 21–36

Download PDF

Abstract: Once user data leaves mobile devices, its fate becomes largely opaque within government and telecom ecosystems. In this work, we study the backend infrastructure of seven Pakistani government and telecom apps to examine how server-side systems shape post-device data exposure. We introduce a classification of high-risk domains based on ownership, jurisdictional signals, security posture, and functional role, enabling a systematic characterization of the backend infrastructures associated with our app corpus and the sensitive data they handle beyond the device boundary. We analyze these apps using static and dynamic analysis, HTTPS interception, multi-resolver DNS resolution, and a geolocation ensemble comprising five independent services — MaxMind, IPinfo, ip-api, DBIP, and BGPView/RIPE — with CDN-aware attribution, alongside WHOIS/BGP-based infrastructure mapping. Across approximately 172 observed domains, we identify four active first- party endpoints handling highly sensitive data, including identity credentials, location information, and communication metadata. Three of these endpoints rely on domestic infrastructure associated with local administrative entities based on ASN and registry-level signals. The remaining endpoint is served through U.S.-based CDN infrastructure despite being organizationally associated with Pakistan. We further observe backend designs that consolidate sensitive data flows into a small number of endpoints, with limited disclosure of data retention and deletion policies in app store listings and privacy documentation. These findings indicate that device-centric security analyses can underestimate exposure, as backend infrastructure placement and jurisdictional context play an important role in shaping data governance and visibility.

Copyright in FOCI articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.