Security and Apps: don’t let domains be your weakest link!

By registering an obscure name that Samsung used solely as part of a smartphone app, a researcher demonstrates once again that domains matter… even when we do not see them! 

Two weeks ago, Apple started its annual developer conference with a funny video showing the global chaos that follows the accidental unplugging of the server on which all the smartphone applications we rely on were supposedly running. By a strange coincidence, its rival Samsung showed that reality could be worse than fiction: no unplugged server here, just a domain name that had expired!

For the last ten years, smartphones have extensively relied on applications installed on the devices. They are able to perform a variety of functions, including downloading content from third parties to enrich the user’s experience. Although these apps are usually independent from web sites and presented in specific stores inside the phone, they still rely on the Internet to access data and be kept up-to-date by connecting to servers. While it would be theoretically possible for the software developers to hard-code the IP addresses of the relevant servers (i.e. is the address for) in the app’s code, domain names are much more flexible since the developer can change the IP address they point to remotely, with no need to edit the code or update the app. Of course, this requires the domain name to be kept up to date, properly resolving… And renewed every year.

Services come and go, domains should stay

The specific case revolves around the S Suggest app, launched by Samsung in 2013 in its Galaxy S III phone. By design, the app used the domain name to fetch a list of specifically curated applications and offer them to the user inside a specific store-like app. This feature was first applauded before being abandoned by the phone maker in 2014. The problem is that the Korean company sold 30 M of the devices in the first 5 months of 2013, with the total number rumored to be 70 M two years later. That means that a lot of devices capable of using the defunct service are still out there, and evidently some connections are still being made to the service. João Gouveia – the Chief Technology Officer at Anubis Labs who discovered that the name was available for registration and registered it for research purposes – told the press that the domain received 620 million connections, from around 2.1 million unique devices, in only 24 hours!

The traffic statistics alone are damning for Samsung. Even though the phone maker is disputing the researcher’s claim, saying that “although the domain was taken over, control of the domain does not allow you to install malicious apps, it does not allow you to take control of users’ phones”, letting a domain that still generates that much traffic expire is a significant issue.

Domains Inside

It is not the first time that an allegedly innocent, non-user-facing domain has had strong ramifications: in the recent WannaCry story, for example, the malware code checked whether a specific domain was accessible on the Internet as part of its malfeasant operation. Apple is also known to use domains inside its own applications, such as the and domains. Even though AFNIC’s whois tells us that the latter is only supposed to expire in March 2018, this example raises the question of entrusting a critical function of a device used by millions to a chain of command full of third parties: the Registry (for .com, .news or .re), the Registrar, and the internal domain management team which – if it exists – often sits very far away from the engineers in charge of the specific application using the domain.

TLDs to the rescue?

Incidentally, one way of alleviating the issue could be using dotBrand domains: the .Samsung Top Level Domain was only delegated in December 2014, but one could hope that future apps would use a domain controlled internally (e.g. SSugest.Samsung) to exercise better control of what is registered and why. Of course, Samsung currently has only registered six domains in its TLD while Apple, which also operates its own extension, is still using rather than news.Apple, but one can hope! Similarly, while the plans for Google’s .app TLD are still unknown, perhaps this incident could act as a wake-up call and trigger specific policies (i.e. default automatic renewal, authentication requests…) for a Registry whose domains will probably be mostly used inside an app, without the user’s knowledge?

New TLD or not, this story stresses the need for clear and concrete Internet naming policies and the importance of adequate monitoring of the portfolio and the traffic it generates. SafeBrands can help companies get a holistic view of their domains and their usage, to avoid such a disaster. After all, even though a domain name may be hidden from the user or the relevant service discontinued, a domain name should never be abandoned lightly.
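
To make the monitoring point concrete, here is an added example (not part of the original article and not SafeBrands code) that cross-checks the hostnames embedded in an app against a domain portfolio and daily DNS query counts. All domain names, dates and traffic figures are constructed, and the last-two-labels reduction in `registrable` is a simplifying assumption.

```python
import re
from datetime import date

# Constructed sample data: hypothetical names under the reserved .example TLD.
APP_STRINGS = """
api_base=https://store-feed.example/v1/list
update_url=https://updates.vendor.example/check
legacy=http://old-suggest.example/apps.json
cdn=https://cdn-x.example/img
"""
PORTFOLIO = {  # domain -> (expiry date, auto-renew enabled, service still active)
    "store-feed.example": (date(2017, 7, 10), False, True),
    "vendor.example": (date(2019, 1, 1), True, True),
    "old-suggest.example": (date(2017, 6, 1), False, False),
}
DAILY_QUERIES = {"store-feed.example": 120_000, "vendor.example": 9_500_000,
                 "old-suggest.example": 1_800_000, "cdn-x.example": 40}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def registrable(host):
    """Naive last-two-labels reduction (assumption that fits the sample data);
    a real audit should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_domains(text):
    return sorted({registrable(h) for h in HOST_RE.findall(text)})

def audit(app_text, portfolio, queries, today, warn_days=60):
    """Return (domain, issue, daily queries) for every risky embedded domain."""
    findings = []
    for dom in embedded_domains(app_text):
        hits = queries.get(dom, 0)
        if dom not in portfolio:  # used by the app, unknown to domain management
            findings.append((dom, "NOT_IN_PORTFOLIO", hits))
            continue
        expiry, auto_renew, active = portfolio[dom]
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append((dom, "EXPIRED", hits))
        elif days_left <= warn_days and not auto_renew:
            findings.append((dom, "EXPIRING_NO_AUTORENEW", hits))
        if not active and hits > 0:  # service retired, devices still calling
            findings.append((dom, "RETIRED_BUT_STILL_QUERIED", hits))
    return findings

if __name__ == "__main__":
    for dom, issue, hits in audit(APP_STRINGS, PORTFOLIO, DAILY_QUERIES, date(2017, 6, 20)):
        print(f"{issue:26} {dom:22} {hits:>10,} queries/day")
```

The `RETIRED_BUT_STILL_QUERIED` finding is the one that matches the situation described here: the service is gone, but deployed devices keep resolving the name, so the registration has to be kept.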