I was checking my Pi-Hole and noticed a lone spike of 700+ requests coming from my phone (Android 16) this morning. Upon checking the logs, it's all bogus domains corresponding to package names of apps I have previously installed via the Play Store, but never on this phone.
Going further back in the query log, I realized it also includes the package name of an app I developed years ago but never published on the store, nor on this phone. There's also a whole bunch of my browsing history apparently, domains I haven't visited in years - from the age of some of them I'm pretty sure it's Chrome history, as I only used Firefox sync for a brief period and my local history is <1y.
What the actual fuck? This is a Nothing Phone 3a, updated to Android 16 just a couple of days ago.
But why would they do that from an end user's device instead of their servers? And what about the unresolvable package names?
I'm leaning more towards a bug than exfiltration at this point, but it is still a somewhat serious leak. The contents of proton pass are end to end encrypted and thus supposed to be confidential, while this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP. If it was intentional, it's terrible design. Maybe some intern thought to have the client grab favicons.
That's precisely why they can't do the scan from their servers. They don't know the domains - they're decrypted only on your device.
I feel like this is a tad dramatic. Surely, your vault contains more data, probably more sensitive, than just domain names.