Visible to the public Can Android Applications Be Identified Using Only TCP/IP Headers of Their Launch Time Traffic?

TitleCan Android Applications Be Identified Using Only TCP/IP Headers of Their Launch Time Traffic?
Publication TypeConference Paper
Year of Publication2016
AuthorsAlan, Hasan Faik, Kaur, Jasleen
Conference NameProceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4270-4
KeywordsAndroid apps, anonymity, anonymity in wireless networks, composability, deep packet inspection, Human Behavior, Metrics, network traffic analysis, privacy, pubcrawl, Resiliency

The ability to identify mobile apps in network traffic has significant implications in many domains, including traffic management, malware detection, and maintaining user privacy. App identification methods in the literature typically use deep packet inspection (DPI) and analyze HTTP headers to extract app fingerprints. However, these methods cannot be used if HTTP traffic is encrypted. We investigate whether Android apps can be identified from their launch-time network traffic using only TCP/IP headers. We first capture network traffic of 86,109 app launches by repeatedly running 1,595 apps on 4 distinct Android devices. We then use supervised learning methods used previously in the web page identification literature, to identify the apps that generated the traffic. We find that: (i) popular Android apps can be identified with 88% accuracy, by using the packet sizes of the first 64 packets they generate, when the learning methods are trained and tested on the data collected from same device; (ii) when the data from an unseen device (but similar operating system/vendor) is used for testing, the apps can be identified with 67% accuracy; (iii) the app identification accuracy does not drop significantly even if the training data are stale by several days, and (iv) the accuracy does drop quite significantly if the operating system/vendor is very different. We discuss the implications of our findings as well as open issues.

Citation Keyalan_can_2016