Abstract
Over the last decade, mobile devices and mobile applications have become pervasive in their usage. Although many privacy risks associated with mobile applications have been investigated, prior work mainly focuses on the collection of user information by application developers and advertisers. Inspired by the Snowden revelations, we study the ways mobile applications enable mass surveillance by sending unique identifiers over unencrypted connections. Applying passive network fingerprinting, we show how a passive network adversary can improve his ability to target mobile users’ traffic.
Our results are based on a large-scale automated study of mobile application network traffic. The framework we developed for this study downloads and runs mobile applications, captures their network traffic and automatically detects identifiers that are sent in the clear. Our findings show that a global adversary can link 57% of a user’s unencrypted mobile traffic. Evaluating two countermeasures available to privacy-aware mobile users, we find their effectiveness to be very limited against identifier leakage.
Notes
- 1.
- 2. The source code of the framework, as well as the collected data, will be made available to researchers upon request.
- 3. We chose 20 since this was the maximum number of apps that can be installed on an Android emulator at once, which we used in the preliminary stages of the study.
Acknowledgment
We would like to thank Steve Englehardt, Yves Tavernier and anonymous reviewers for their helpful and constructive feedback. This work was supported by the Flemish Government FWO G.0360.11N Location Privacy, FWO G.068611N Data mining and by the European Commission through H2020-DS-2014-653497 PANORAMIX and H2020-ICT-2014-644371 WITDOM.
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Vanrykel, E., Acar, G., Herrmann, M., Diaz, C. (2017). Leaky Birds: Exploiting Mobile Application Traffic for Surveillance. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_22
DOI: https://doi.org/10.1007/978-3-662-54970-4_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4
eBook Packages: Computer Science, Computer Science (R0)