Abstract
In recent years, mobile devices (e.g., smartphones and tablets) have met an increasing commercial success and have become a fundamental element of the everyday life for billions of people all around the world. Mobile devices are used not only for traditional communication activities (e.g., voice calls and messages) but also for more advanced tasks made possible by an enormous amount of multi-purpose applications (e.g., finance, gaming, and shopping). As a result, those devices generate a significant network traffic (a consistent part of the overall Internet traffic). For this reason, the research community has been investigating security and privacy issues that are related to the network traffic generated by mobile devices, which could be analyzed to obtain information useful for a variety of goals (ranging from fine-grained user profiling to device security and network optimization). In this paper, we review the works that contributed to the state of the art of network traffic analysis targeting mobile devices. In particular, we present a systematic classification of the works in the literature according to three criteria: 1) the goal of the analysis; 2) the point where the network traffic is captured; and 3) the targeted mobile platforms. In this survey, we consider points of capturing such as Wi-Fi access points, software simulation, and inside real mobile devices or emulators. For the surveyed works, we review and compare analysis techniques, validation methods, and achieved results. We also discuss possible countermeasures, challenges, and possible directions for future research on mobile traffic analysis and other emerging domains (e.g., Internet of Things). We believe our survey will be a reference work for researchers and practitioners in this research field.
- [1] Statista. (Nov. 2016). Smartphone User Penetration As Percentage of Total Global Population From 2014 to 2020. Accessed: Mar. 15, 2018. [Online]. Available: https://www.statista.com/statistics/203734/globalsmartphone-penetration-per-capita-since-2005/Google Scholar
- [2] Statista. (Jun. 2016). Tablet User Penetration Worldwide As Share of Population From 2014 to 2020. Accessed: Mar. 15, 2018. [Online]. Available: https://www.statista.com/statistics/219909/globaltablet-penetration-forecast/Google Scholar
- [3] , “Large-scale mobile traffic analysis: A survey,” IEEE Commun. Surveys Tuts., vol. 18, no. 1, pp. 124–161, 1st Quart., 2016.Google ScholarDigital Library
- [4] , “ProfileDroid: Multi-layer profiling of android applications,” in Proc. 18th Annu. Int. Conf. Mobile Comput. Netw. (MobiCom),
Istanbul, Turkey :ACM ,2012 , pp. 137–148.Google Scholar - [5] , “AntMonitor: A system for monitoring from mobile devices,” in Proc. ACM SIGCOMM Workshop Crowdsourcing Crowdsharing Big (Internet) Data (C2B(1)D),
London, U.K. :ACM ,2015 , pp. 15–20.Google Scholar - [6] , “Can Android applications be identified using only TCP/IP headers of their launch time traffic?” in Proc. 9th ACM Conf. Security Privacy Wireless Mobile Netw. (WiSec), Darmstadt,
Germany :ACM ,2016 , pp. 61–66.Google Scholar - [7] , “Interactive app traffic: An action-based model and data-driven analysis,” in Proc. 14th Int. Symp. Model. Optim. Mobile Ad Hoc Wireless Netw. (WiOpt), Tempe,
AZ, USA :IEEE Control Syst. Soc .,2016 , pp. 187–194.Google Scholar - [8] , “TrafficAV: An effective and explainable detection of mobile malware behavior using network traffic,” in Proc. 24th IEEE/ACM Int. Symp. Qual. Service (IWQoS),
Beijing, China :IEEE ,2016 , pp. 1–6.Google Scholar - [9] , “Usage patterns in an urban WiFi network,” IEEE/ACM Trans. Netw., vol. 18, no. 5, pp. 1359–1372, Oct. 2010.Google ScholarDigital Library
- [10] , “A first look at traffic on smartphones,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Melbourne, VIC, Australia :ACM ,2010 , pp. 281–287.Google Scholar - [11] , “Mobile location tracking in metro areas: Malnets and others,” in Proc. 17th ACM Conf. Comput. Commun. Security (CCS),
Chicago, IL, USA :ACM ,2010 , pp. 85–96.Google Scholar - [12] , “A first look at mobile hand-held device traffic,” in Proc. 11th Int. Conf. Passive Active Meas. (PAM),
Zürich, Switzerland :Springer ,2010 , pp. 161–170.Google Scholar - [13] , “LiveLab: Measuring wireless networks and smartphone users in the field,” ACM SIGMETRICS Perform. Eval. Rev., vol. 38, no. 3, pp. 15–20, Dec. 2010.Google Scholar
- [14] , “YouTube everywhere: Impact of device and infrastructure synergies on user experience,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Berlin, Germany :ACM ,2011 , pp. 345–360.Google Scholar - [15] , “A comparative study of handheld and non-handheld traffic in campus Wi-Fi networks,” in Proc. 12th Int. Conf. Passive Active Meas. (PAM),
Atlanta, GA, USA :Springer ,2011 , pp. 173–183.Google Scholar - [16] , “A study on smart-phone traffic analysis,” in Proc. 13th Asia–Pac. Netw. Oper. Manag. Symp. (APNOMS),
Taipei, Taiwan :IEEE Commun. Soc .,2011 , pp. 177–183.Google Scholar - [17] , “Network characteristics of video streaming traffic,” in Proc. 7th Conf. Emerg. Netw. Exp. Technol. (CoNEXT), vol. 25.
Tokyo, Japan :ACM ,2011 , pp. 1–12.Google Scholar - [18] , “An investigation into traffic analysis for diverse data applications on smartphones,” in Proc. 18th Nat. Conf. Commun. (NCC),
Kharagpur, India :IEEE Commun. Soc .,2012 , pp. 165–169.Google Scholar - [19] , “Network performance of smart mobile handhelds in a university campus WiFi network,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Boston, MA, USA :ACM ,2012 , pp. 315–328.Google Scholar - [20] , “Application-level traffic analysis of smartphone users using embedded agents,” in Proc. 14th Asia–Pac. Netw. Oper. Manag. Symp. (APNOMS),
Seoul, South Korea :IEEE Commun. Soc .,2012 , pp. 1–4.Google Scholar - [21] , “Tracking unmodified smartphones using Wi-Fi monitors,” in Proc. 10th ACM Conf. Embedded Netw. Sensor Syst. (SenSys),
Toronto, ON, Canada :ACM ,2012 , pp. 281–294.Google Scholar - [22] , “‘Andromaly’: A behavioral malware detection framework for Android devices,” J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, Feb. 2012.Google ScholarDigital Library
- [23] , “Investigating user privacy in android ad libraries,” in Proc. Workshop Mobile Security Technol. (MoST),
2012 , p. 10.Google Scholar - [24] , “Smartphone dual defense protection framework: Detecting malicious applications in Android markets,” in Proc. 8th Int. Conf. Mobile Ad Hoc Sensor Netw. (MSN),
Chengdu, China :IEEE Comput. Soc .,2012 , pp. 153–160.Google Scholar - [25] , “Android malware detection via a latent network behavior analysis,” in Proc. 11th IEEE Int. Conf. Trust Security Privacy Comput. Commun. (TrustCom),
Liverpool, U.K. :IEEE Comput. Soc .,2012 , pp. 1251–1258.Google Scholar - [26] , “Signals from the crowd: Uncovering social relationships through smartphone probes,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Barcelona, Spain :ACM ,2013 , pp. 265–276.Google Scholar - [27] , “Signature generation for sensitive information leakage in Android applications,” in Proc. 29th IEEE Int. Conf. Data Eng. (ICDE),
Brisbane, QLD, Australia :IEEE Comput. Soc .,2013 , pp. 112–119.Google Scholar - [28] , “Application-awareness in SDN,” in Proc. Annu. Conf. ACM Special Interest Group Data Commun. (SIGCOMM),
Hong Kong :ACM ,2013 , pp. 487–488.Google Scholar - [29] , “Using the middle to meddle with mobile,” College Comput. Inf. Sci., Northeastern Univ., Boston, MA, USA, Rep. NEUCCS-2013-12-10, Dec. 2013.Google Scholar
- [30] , “Using network traffic to remotely identify the type of applications executing on mobile devices,” in Proc. 2nd Workshop Mobile Security Technol. (MoST),
San Francisco, CA, USA :IEEE Comput. Soc .,2013 .Google Scholar - [31] , “OS fingerprinting and tethering detection in mobile networks,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Vancouver, BC, Canada :ACM ,2014 , pp. 173–180.Google Scholar - [32] , “Traffic analysis of encrypted messaging services: Apple iMessage and beyond,” ACM SIGCOMM Comput. Commun. Rev., vol. 44, no. 5, pp. 5–11, Oct. 2014.Google ScholarDigital Library
- [33] , “MAdFraud: Investigating ad fraud in Android applications,” in Proc. 12th Annu. Int. Conf. Mobile Syst. Appl. Services (MobiSys),
Bretton Woods, NH, USA :ACM ,2014 , pp. 123–134.Google Scholar - [34] , “ANDRUBIS—1,000,000 apps later: A view on current Android malware behaviors,” in Proc. 3rd Int. Workshop Build. Anal. Datasets Gathering Exp. Returns Security (BADGERS),
Wrocław, Poland :IEEE Comput. Soc .,2014 , pp. 3–17.Google Scholar - [35] , “Mobile malware detection through analysis of deviations in application network behavior,” Comput. Security, vol. 43, pp. 1–18, Jun. 2014.Google ScholarCross Ref
- [36] , “No NAT’d user left behind: Fingerprinting users behind NAT from NetFlow records alone,” in Proc. 34th IEEE Int. Conf. Distrib. Comput. Syst. (ICDCS),
Madrid, Spain :IEEE Comput. Soc .,2014 , pp. 218–227.Google Scholar - [37] , “A first look at Android malware traffic in first few minutes,” in Proc. IEEE Trustcom/BigDataSE/ISPA,
Helsinki, Finland :IEEE Comput. Soc .,2015 , pp. 206–213.Google Scholar - [38] , “Tracking the evolution and diversity in network usage of smartphones,” in Proc. ACM SIGCOMM Internet Meas. Conf. (IMC),
Tokyo, Japan :ACM ,2015 , pp. 253–266.Google Scholar - [39] , “Encryption is not enough: Inferring user activities on KakaoTalk with traffic analysis,” in Proc. 16th Int. Workshop Inf. Security Appl. (WISA),
Cham, Switzerland :Springer ,2015 , pp. 254–265.Google Scholar - [40] , “Session level network usage patterns of mobile handsets,” in Proc. 13th Int. Conf. Telecommun. (ConTEL),
Graz, Austria :IEEE Commun. Soc .,2015 , pp. 309–316.Google Scholar - [41] , “PrivacyGuard: A VPN-based platform to detect information leakage on Android devices,” in Proc. 5th Annu. CM CCS Workshop Security Privacy Smartphones Mobile Devices (SPSM),
Denver, CO, USA :ACM ,2015 , pp. 15–26.Google Scholar - [42] , “I know what you did on your smartphone: Inferring app usage over encrypted data traffic,” in Proc. IEEE Conf. Commun. Netw. Security (CNS),
Florence, Italy :IEEE Commun. Soc .,2015 , pp. 433–441.Google Scholar - [43] , “SAMPLES: Self adaptive mining of persistent LExical snippets for classifying mobile application traffic,” in Proc. 21st Annu. Int. Conf. Mobile Comput. Netw. (MobiCom),
Paris, France :ACM ,2015 , pp. 439–451.Google Scholar - [44] , “Malware detection in Android by network traffic analysis,” in Proc. 1st Int. Conf. Netw. Syst. Security (NSysS),
Dhaka, Bangladesh :IEEE Bangladesh Section ,2015 , pp. 1–5.Google Scholar - [45] , “Analyzing Android encrypted network traffic to identify user actions,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 1, pp. 114–125, Jan. 2016.Google ScholarDigital Library
- [46] , “Service usage classification with encrypted Internet traffic in mobile messaging apps,” IEEE Trans. Mobile Comput., vol. 15, no. 11, pp. 2851–2864, Nov. 2016.Google ScholarDigital Library
- [47] , “Combining communication patterns & traffic patterns to enhance mobile traffic identification performance,” J. Inf. Process., vol. 24, no. 2, pp. 247–254, Mar. 2016.Google Scholar
- [48] , “Evaluation of machine learning classifiers for mobile malware detection,” Soft Comput., vol. 20, no. 1, pp. 343–357, Jan. 2016.Google ScholarDigital Library
- [49] , “An analysis of mobile application network behavior,” in Proc. 12th Asian Internet Eng. Conf. (AINTEC),
Bangkok, Thailand :ACM ,2016 , pp. 9–16.Google Scholar - [50] , “ReCon: Revealing and controlling PII leaks in mobile network traffic,” in Proc. 14th Annu. Int. Conf. Mobile Syst. Appl. Services (MobiSys),
Singapore :ACM ,2016 , pp. 361–374.Google Scholar - [51] , “Smartphone reconnaissance: Operating system identification,” in Proc. 13th IEEE Annu. Consum. Commun. Netw. Conf. (CCNC),
Las Vegas, NV, USA :IEEE Commun. Soc .,2016 , pp. 1086–1091.Google Scholar - [52] , “Eavesdropping on fine-grained user activities within smartphone apps over encrypted network traffic,” in Proc. 10th USENIX Workshop Offensive Technol. (WOOT),
Austin, TX, USA :USENIX Assoc .,2016 , pp. 69–78.Google Scholar - [53] , “Exploiting data-usage statistics for website fingerprinting attacks on Android,” in Proc. 9th ACM Conf. Security Privacy Wireless Mobile Netw. (WiSec),
Darmstadt, Germany :ACM ,2016 , pp. 49–60.Google Scholar - [54] , “Leaky birds: Exploiting mobile application traffic for surveillance,” in Proc. 20th Int. Conf. Financ. Cryptography Data Security (FC),
Heidelberg, Germany :Springer ,2017 , pp. 367–384.Google Scholar - [55] , “Minimizing network traffic features for Android mobile malware detection,” in Proc. 18th Int. Conf. Distrib. Comput. Netw. (ICDCN),
Hyderabad, India :ACM ,2017 , p. 32.Google Scholar - [56] , “Mass discovery of Android traffic imprints through instantiated partial execution,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security (CCS),
ACM ,2017 , pp. 815–828.Google Scholar - [57] , “Detecting information theft based on mobile network flows for Android users,” in Proc. Int. Conf. Netw. Archit. Storage (NAS),
IEEE ,2017 , pp. 1–10.Google Scholar - [58] , “Obfuscation-resilient privacy leak detection for mobile apps through differential analysis,” in Proc. Netw. Distrib. Syst. Security Symp. (NDSS),
San Diego, CA, USA :Internet Soc .,2017 , pp. 1–16.Google Scholar - [59] , “Performance analysis of Spotify® for Android with model-based testing,” Mobile Inf. Syst., vol. 2017, p. 14, 2017.Google ScholarCross Ref
- [60] , “Using network traffic to verify mobile device forensic artifacts,” in Proc. 14th IEEE Annu. Consumer Commun. Netw. Conf. (CCNC),
Las Vegas, NV, USA :IEEE Commun. Soc .,2017 , pp. 114–119.Google Scholar - [61] , “Robust smartphone app identification via encrypted network traffic analysis,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 1, pp. 63–78, Jan. 2018.Google ScholarCross Ref
- [62] , “Characterizing the behavior of handheld devices and its implications,” Comput. Netw., vol. 114, pp. 1–12, Feb. 2017.Google ScholarCross Ref
- [63] , “Predicting user traits from a snapshot of apps installed on a smartphone,” SIGMOBILE Mob. Comput. Commun. Rev., vol. 18, no. 2, pp. 1–8, Jun. 2014.Google ScholarDigital Library
- [64] , “Enhancing the performance of mobile traffic identification with communication patterns,” in Proc. IEEE 39th Annu. Comput. Softw. Appl. Conf. (COMPSAC),
Taichung, Taiwan :IEEE Comput . Soc.,2015 , pp. 336–345.Google Scholar - [65] , “AppScanner: Automatic fingerprinting of smartphone apps from encrypted network traffic,” in Proc. 1st IEEE Eur. Symp. Security Privacy (EuroS&P),
Saarbrücken, Germany :IEEE Comput. Soc .,2016 , pp. 439–454.Google Scholar - [66] , “TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones,” in Proc. 9th USENIX Symp. Oper. Syst. Design Implement. (OSDI),
Vancouver, BC, Canada :USENIX Assoc .,2010 , pp. 393–407.Google Scholar - [67] , “Malware detection using network traffic analysis in Android based mobile devices,” in Proc. 8th Int. Conf. Next Gener. Mobile Apps Services Technol. (NGMAST),
Oxford, U.K. :IEEE Comput. Soc .,2014 , pp. 66–71.Google Scholar - [68] , “Inferring the source of encrypted HTTP connections,” in Proc. 13th ACM Conf. Comput. Commun. Security (CCS),
Alexandria, VA, USA :ACM ,2006 , pp. 255–263.Google Scholar - [69] , “Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naïve–Bayes classifier,” in Proc. ACM Workshop Cloud Comput. Security (CCSW),
Chicago, IL, USA :ACM ,2009 , pp. 31–42.Google Scholar - [70] , “Website fingerprinting in onion routing based anonymization networks,” in Proc. 10th Annu. ACM Workshop Privacy Electron. Soc. (WPES),
Chicago, IL, USA :ACM ,2011 , pp. 103–114.Google Scholar - [71] , “DELTA: Data extraction and logging tool for android,” IEEE Trans. Mobile Comput., vol. 17, no. 6, pp. 1289–1302, Jun. 2018.Google ScholarCross Ref
- [72] Statista. (Nov. 2016). Mobile Operating Systems’ Market Share Worldwide From January 2012 to June 2016. Accessed: Mar. 15, 2018. [Online]. Available: https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/Google Scholar
- [73] AppBrain. (Mar. 2018). Number of Android Applications. Accessed: Mar. 15, 2018. [Online]. Available: http://www.appbrain.com/statsGoogle Scholar
- [74] Statista. (Nov. 2016). Number of Available Apps in the Apple App Store From July 2008 to June 2016. Accessed: Mar. 15, 2018. [Online]. Available: https://www.statista.com/statistics/263795/number-of-available-apps-in-the-apple-app-store/Google Scholar
- [75] , Time Series Analysis, vol. 2. Princeton, NJ, USA: Princeton Univ. Press, 1994.Google ScholarCross Ref
- [76] , Statistical Methods for Research Workers. Guildford, U.K.: Genesis, 1925.Google Scholar
- [77] , Principal Components Analysis. Newbury Park, CA, USA: Sage, 1989.Google ScholarCross Ref
- [78] , Analysis of Variance. Newbury Park, CA, USA: Sage, 1987.Google Scholar
- [79] , “Feature selection based on mutual information criteria of max-dependency, max-relevance, and min-redundancy,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 27, no. 8, pp. 1226–1238, Aug. 2005.Google ScholarDigital Library
- [80] , “
Dynamic time warping ,” in Information Retrieval for Music and Motion. Berlin, Germany: Springer,2007 , pp. 69–84.Google Scholar - [81] , “The probabilistic basis of Jaccard’s index of similarity,” Syst. Biol., vol. 45, no. 3, pp. 380–385, 1996.Google ScholarCross Ref
- [82] , “Friends and neighbors on the Web,” Soc. Netw., vol. 25, no. 3, pp. 211–230, Jul. 2003.Google ScholarCross Ref
- [83] , “Website fingerprinting at Internet scale,” in Proc. NDSS,
2016 , pp. 1–15.Google Scholar - [84] , “Peek-a-boo, I still see you: Why efficient traffic analysis countermeasures fail,” in Proc. IEEE Symp. Security Privacy (SP),
San Francisco, CA, USA ,IEEE ,2012 , pp. 332–346.Google Scholar - [85] , “A systematic approach to developing and evaluating website fingerprinting defenses,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security,
ACM ,2014 , pp. 227–238.Google Scholar - [86] , “Walkie-talkie: An efficient defense against passive website fingerprinting attacks,” in Proc. 26th USENIX Security Symp. (USENIX Security),
2017 , pp. 1375–1390.Google Scholar - [87] , “Traffic morphing: An efficient defense against statistical traffic analysis,” in Proc. NDSS, vol. 9,
2009 , pp. 237–250.Google Scholar - [88] , “Glove: A bespoke website fingerprinting defense,” in Proc. 13th Workshop Privacy Electron. Soc. (WPES),
ACM ,2014 , pp. 131–134.Google Scholar - [89] AppBrain. (Jul. 2013). Network Log. Accessed: Mar. 15, 2018. [Online]. Available: https://github.com/pragma-/networklogGoogle Scholar
- [90] , “Mirage: Toward a stealthier and modular malware analysis sandbox for android,” in Proc. Eur. Symp. Res. Comput. Security,
Springer ,2017 , pp. 278–296.Google Scholar
Index Terms
- The Dark Side(-Channel) of Mobile Devices: A Survey on Network Traffic Analysis
Recommendations
A survey on analyzing encrypted network traffic of mobile devices
AbstractOver the years, use of smartphones has come to dominate several areas, improving our lives, offering us convenience, and reshaping our daily work circumstances. Beyond traditional use for communication, they are used for many peripheral tasks such ...
A Survey on Multi-Factor Authentication Methods for Mobile Devices
ICSIM '21: Proceedings of the 2021 4th International Conference on Software Engineering and Information ManagementThe use of mobile devices worldwide has been on the increase. More and more people are using mobile devices to carry out activities on the Internet. The activities include checking emails, online banking, school, and work activities. However, mobile ...
Video streaming to mobile handheld devices: challenges in decoding, adaptation, and browsing
MCAM'07: Proceedings of the 2007 international conference on Multimedia content analysis and miningGrowing popularity and richer functionality of contemporary mobile handheld devices such as PDAs and smart phones have enabled emerging video streaming applications to these devices via various wireless networks. However, these handheld devices are ...
Comments