Analyzing Android Encrypted Network Traffic to Identify User Actions

  • Mobile devices can be maliciously exploited to violate people's privacy. In most attack scenarios, the adversary takes local or remote control of the mobile device by leveraging a vulnerability of the system, and then sends the collected information back to some remote web service. In this paper, we consider a different adversary, who does not actively interact with the mobile device but is able to eavesdrop on the device's network traffic from the network side (e.g., by controlling a Wi-Fi access point). The fact that the network traffic is often encrypted makes the attack even more challenging.

    In this paper, we investigate to what extent such an external attacker can identify the specific actions that a user is performing on her mobile apps. We design a system that achieves this goal using advanced machine learning techniques. We built a complete implementation of this system and ran a thorough set of experiments, which show that our attack can achieve accuracy and precision higher than 95% for most of the considered actions. We compared our solution with the three state-of-the-art algorithms, confirming that our system outperforms all these direct competitors.

    Link to the dataset (CSV) 5.7 MB.
    Format: Each row contains a network flow (an array of packet sizes) observed in a time interval after a specific user action was performed; the action is given in the label. Since this data was collected in 2013-2014, some apps may have changed their communication patterns.

    Please support our work by citing us:
    M. Conti, L.V. Mancini, R. Spolaor, N.V. Verde, Analyzing android encrypted network traffic to identify user actions, IEEE Transactions on Information Forensics and Security 11 (1), 114-125, 2017


  • * Prof. Mauro Conti, University of Padua
    * Luigi V. Mancini, Sapienza University of Rome
    * Riccardo Spolaor, University of Padua
    * Nino V. Verde, Sapienza University of Rome