The Dark Side(-Channel) of Mobile Devices: A Survey on Network Traffic Analysis

In recent years, mobile devices (e.g., smartphones and tablets) have met with increasing commercial success and have become a fundamental element of everyday life for billions of people around the world. Mobile devices are used not only for traditional communication activities (e.g., voice calls and messages) but also for more advanced tasks made possible by an enormous number of multi-purpose applications (e.g., finance, gaming, and shopping). As a result, those devices generate significant network traffic (a substantial part of overall Internet traffic). For this reason, the research community has been investigating security and privacy issues related to the network traffic generated by mobile devices, which can be analyzed to obtain information useful for a variety of goals (ranging from fine-grained user profiling to device security and network optimization). In this paper, we review the works that contributed to the state of the art of network traffic analysis targeting mobile devices. In particular, we present a systematic classification of the works in the literature according to three criteria: 1) the goal of the analysis; 2) the point where the network traffic is captured; and 3) the targeted mobile platforms. In this survey, we consider capture points such as Wi-Fi access points, software simulation, and inside real mobile devices or emulators. For the surveyed works, we review and compare analysis techniques, validation methods, and achieved results. We also discuss possible countermeasures, challenges, and possible directions for future research on mobile traffic analysis and other emerging domains (e.g., Internet of Things). We believe our survey will be a reference work for researchers and practitioners in this research field.
