University of Massachusetts, Amherst & WhoisXML API: Domain Ownership Change Detection
About
In the project “Analysis of Embedded Resources in Android Applications,” Elvis Yeboah-Duako, research assistant at the University of Massachusetts, Amherst, evaluated the security risks of domains embedded in Android apps. When these domains expire and are re-registered by unrelated parties, apps may continue trusting them without verifying ownership. This creates a domain re-registration attack surface, where previously trusted endpoints can be controlled by new owners. To assess this risk, the researcher needed to retrieve and analyze historical WHOIS records to identify and characterize domain ownership changes over time.
Highlights
- Traditional WHOIS queries only provide current registrant data, making it difficult to determine whether domains changed ownership after being embedded in Android apps.
- WHOIS History API gave access to billions of historical domain records, significantly increasing data completeness and reliability.
- The tool provided structured, time-stamped historical WHOIS records, enabling precise analysis of domain ownership changes.
How to Access Domain Ownership Changes over Time
Detecting the exposure that domains embedded in Android apps may pose requires visibility into historical domain ownership, which standard lookup tools do not provide.
Traditional WHOIS queries only return current registrant information, making it difficult to determine whether a domain has changed ownership after being hardcoded into an app.
Accurate WHOIS History Data for Billions of Domains
Yeboah-Duako used WHOIS History API for its depth of historical domain data, which significantly increased the probability of retrieving more complete and reliable information. The records were then systematically analyzed to identify and characterize changes in domain ownership, which was central to evaluating and assessing the security risks embedded resources pose.
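The analysis step described above, walking a domain's dated WHOIS records in order and flagging the points where ownership changed, can be illustrated with the following added example. It is not code from the research project or from WhoisXML API, and the record layout, field names and sample snapshots are constructed for this illustration rather than taken from the API's response format. It treats a new creation date as the signal of a lapsed-and-re-registered domain (the case that matters for hardcoded endpoints), reports a differing registrant identity as a transfer, and deliberately treats privacy-redacted fields as unknown rather than as a change, since redaction would otherwise produce false positives.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Values a WHOIS record may carry instead of a real registrant identity.
REDACTED = {"", "REDACTED FOR PRIVACY", "Data Protected"}


@dataclass(frozen=True)
class WhoisSnapshot:
    """One historical WHOIS record for a domain (constructed layout, not the API's schema)."""
    domain: str
    captured: date                   # date this historical record was taken
    registrant: Optional[str]        # registrant name or organisation, possibly redacted
    registrant_email: Optional[str]  # registrant e-mail, possibly redacted
    registrar: str
    created: date                    # creation date reported in this record


@dataclass(frozen=True)
class OwnershipChange:
    domain: str
    kind: str      # "re-registration" (lapse and new registration) or "registrant-change"
    before: date   # capture date of the last record showing the old owner
    after: date    # capture date of the first record showing the new owner
    detail: str


def _known(value: Optional[str]) -> bool:
    """True only for a real, non-redacted value."""
    return value is not None and value.strip() not in REDACTED


def detect_ownership_changes(snapshots: List[WhoisSnapshot]) -> List[OwnershipChange]:
    """Compare consecutive records of one domain in time order and emit change events."""
    changes: List[OwnershipChange] = []
    ordered = sorted(snapshots, key=lambda s: s.captured)
    for prev, cur in zip(ordered, ordered[1:]):
        # A different creation date means the registration lapsed and the name was
        # registered anew. This survives registrant redaction, so it is checked first.
        if cur.created != prev.created:
            changes.append(OwnershipChange(
                cur.domain, "re-registration", prev.captured, cur.captured,
                f"creation date {prev.created} -> {cur.created}, registrar {cur.registrar}"))
            continue
        # Same registration, but the registrant identity differs: a transfer.
        # Only compare fields that are non-redacted on both sides.
        if (_known(prev.registrant_email) and _known(cur.registrant_email)
                and prev.registrant_email.lower() != cur.registrant_email.lower()):
            changes.append(OwnershipChange(
                cur.domain, "registrant-change", prev.captured, cur.captured,
                f"registrant e-mail {prev.registrant_email} -> {cur.registrant_email}"))
        elif (_known(prev.registrant) and _known(cur.registrant)
                and prev.registrant != cur.registrant):
            changes.append(OwnershipChange(
                cur.domain, "registrant-change", prev.captured, cur.captured,
                f"registrant {prev.registrant} -> {cur.registrant}"))
    return changes


def changed_after_embedding(changes: List[OwnershipChange], embedded_on: date) -> List[OwnershipChange]:
    """Keep only changes whose new-owner record postdates the app build that embedded the domain:
    those are the endpoints the app trusts but its developer never vetted."""
    return [c for c in changes if c.after > embedded_on]


# Constructed sample history for a hypothetical CDN host hardcoded in an app.
# The .test TLD is reserved, so none of this refers to a real registration.
SAMPLE_HISTORY = [
    WhoisSnapshot("cdn-example.test", date(2019, 3, 1), "Example Studio LLC",
                  "ops@example-studio.test", "Registrar A", date(2015, 6, 10)),
    WhoisSnapshot("cdn-example.test", date(2020, 3, 1), "Example Studio LLC",
                  "ops@example-studio.test", "Registrar A", date(2015, 6, 10)),
    # The registration lapsed; a new, privacy-protected party registered the name.
    WhoisSnapshot("cdn-example.test", date(2021, 9, 15), "REDACTED FOR PRIVACY",
                  "REDACTED FOR PRIVACY", "Registrar B", date(2021, 8, 2)),
    # Still redacted a year later: unknown identity, not a further change.
    WhoisSnapshot("cdn-example.test", date(2022, 3, 1), "REDACTED FOR PRIVACY",
                  "REDACTED FOR PRIVACY", "Registrar B", date(2021, 8, 2)),
]

if __name__ == "__main__":
    app_build_date = date(2020, 6, 1)  # constructed: when the app hardcoded the domain
    for change in changed_after_embedding(detect_ownership_changes(SAMPLE_HISTORY), app_build_date):
        print(f"{change.domain}: {change.kind} between {change.before} and {change.after} ({change.detail})")
```

Run against the sample history the script reports a single re-registration of cdn-example.test between the 2020 and 2021 snapshots, which postdates the app build and therefore flags the hardcoded endpoint as one the app trusts without the original owner behind it. The same two functions apply unchanged to any domain's time-stamped record list; only the mapping from the data source's fields into `WhoisSnapshot` would need to be written for a real feed.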
The implementation process was straightforward since accessing domain history records via the tool was relatively simple. The available documentation was clear and sufficiently detailed, which facilitated smooth integration.
“For my research on domain analysis, I needed historical context to improve the efficiency and accuracy of my findings. The WHOIS History API proved to be remarkably helpful. Particularly, the depth and quality of the domain registration history were indispensable for tracing patterns and identifying instances in my study where ownership changes were and could be used as attack vectors to compromise the privacy and security of unsuspecting users. It's an excellent tool with detailed API documentation.”
Improved Analysis of Embedded Domain Risks
Using historical WHOIS data, the researcher was able to analyze domain ownership changes in Android apps, improving both the accuracy and efficiency of the analysis.
Access to Well-Parsed, Dated Historical Domain Data
Aided by WHOIS History API, the researcher was able to access detailed historical WHOIS records, enabling precise longitudinal analysis of ownership changes pertaining to domains embedded in Android apps.
Reduced Preprocessing Time Prior to Integration
The well-structured historical WHOIS records the tool provided reduced the time spent on collection and preprocessing by approximately 60–70%. This was possible in part because the historical records were readily accessible instead of having to be manually compiled from multiple sources.