Dead Domains, Living Data: A Privacy Risk Analysis of Domain Lifecycle in Android Apps
Authors: Gabriel Hortea (Universidad Carlos III de Madrid), Aniketh Girish (IMDEA Networks Institute), Narseo Vallina-Rodriguez (IMDEA Networks Institute), Juan Tapiador (Universidad Carlos III de Madrid)
Volume: 2026
Issue: 4
Pages: 114–130
DOI: https://doi.org/10.56553/popets-2026-0112
Abstract: Mobile applications transmit sensitive data and user identifiers to domain-based endpoints embedded in SDKs and third-party services. Unlike the web, where operators can update or remove third-party endpoints, apps are static binaries that remain installed for years and continue sending identifiers to endpoints whose domains may expire, change ownership, or become abandoned. This mismatch creates a privacy risk, since identifiers may flow to hijacked, unmaintained, or maliciously re-registered endpoints without users' knowledge or consent. This work presents a privacy risk analysis of domain endpoints in Android apps. We identify endpoints receiving sensitive identifiers through dynamic analysis of 11,131 apps and track the lifecycle of 3,420 associated domains around their expiration events. Our analysis reveals that 25.3% of domains are renewed after expiration, with 78.7% of these belonging to third-party services or SDKs embedded in apps whose install brackets total over 78 billion cumulative downloads, placing a potential user base of billions at risk. While the majority of these lapses are short and fall within registrar grace periods, we identify 218 domains with dangling CNAMEs susceptible to subdomain hijacking (34 of which received 91 valid TLS certificates during their expired period), and show that 17.0% of domains experience TLS issuance gaps where confidentiality is lost. We categorize high-risk endpoints into Advertising and Tracking vs Backend and Utility services, finding that vulnerable endpoints are embedded in over 4,000 apps. By correlating WHOIS, DNS, and TLS lifecycles with dynamically observed identifier flows, we expose how domain mismanagement translates into data flows and user privacy harm. Finally, we derive mitigation strategies to address these supply-chain risks.
Keywords: Privacy, Domains, Android SDKs, DNS, CNAME, TLS
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.