Abstract

This paper describes how mobile device apps can inadvertently broadcast personal information through their use of wireless networks despite the correct use of encryption. Using a selection of personas we illustrate how app usage can be tied to personal information. Users would likely assume the confidentiality of personal information (including age, religion, sexuality and gender) when using an encrypted network. However, we demonstrate how encrypted traffic pattern analysis can allow a remote observer to infer potentially sensitive data passively and undetectably without any network credentials. Without the ability to read encrypted WiFi traffic directly, we process the limited side-channel data available (timings and frame sizes) to enable remote app detection. These side-channel measurements are represented as histograms and used to construct a Random Forest classifier capable of accurately identifying mobile apps from the encrypted traffic they cause. The Random Forest algorithm was able to correctly identify apps with a mean accuracy of ∼99% within the training set. The classifier was then adapted to form the core of a detection program that could monitor multiple devices in real-time. Tests in a closed-world scenario showed 84% accuracy and demonstrated the ability to overcome the data limitations imposed by WiFi encryption. Although accuracy suffers greatly (67%) when moving to an open-world scenario, a high recall rate of 86% demonstrates that apps can unwittingly broadcast personal information openly despite using encrypted WiFi. The open-world false positive rate (38% overall, or 72% for unseen activity alone) leaves much room for improvement, but the experiment demonstrates a plausible threat nevertheless. Finally, avenues for improvement and the limitations of this approach are identified. We discuss potential applications, strategies to prevent these leaks, and consider the effort required for an observer to present a practical privacy threat to the everyday WiFi user. This paper presents and demonstrates a nuanced and difficult-to-solve privacy vulnerability that cannot be mitigated without considerable changes to current- and next-generation wireless communication protocols.
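The abstract's pipeline (frame-size and timing side channels, turned into histograms and fed to a classifier) can be illustrated end to end, together with the mitigation question it raises. The code below is an added example and is not the paper's code: the three app profiles, the bin widths, and the traces themselves are constructed assumptions, and a nearest-template classifier over the histograms stands in for the paper's Random Forest. It also shows why padding frames to a fixed size is not a complete fix: the size histogram collapses, but the inter-arrival histogram still identifies the app.

```python
"""Side-channel fingerprinting of encrypted WiFi traffic from frame sizes and
inter-arrival times, plus a padding countermeasure.  Added example (not the
paper's code); every trace below is constructed, not captured."""
import random

MAX_FRAME = 1536   # assumed upper bound on frame size, in bytes
SIZE_BIN = 128     # width of each frame-size histogram bin, in bytes
GAP_EDGES = [0.001, 0.005, 0.02, 0.1, 0.5]  # assumed inter-arrival bin edges, in seconds

# Hypothetical app profiles: (typical frame sizes, mean inter-frame gap in seconds).
APP_PROFILES = {
    "chat":  ([90, 120, 150, 1500], 0.20),
    "video": ([1500, 1500, 1500, 200], 0.002),
    "feed":  ([300, 600, 1200, 1500], 0.05),
}


def make_trace(app, n_frames, seed):
    """Constructed stand-in for a capture: a list of (timestamp, frame_size).
    Only what a passive observer sees on an encrypted link is modelled; no payloads."""
    sizes, gap_mean = APP_PROFILES[app]
    rng = random.Random(seed)
    t, frames = 0.0, []
    for _ in range(n_frames):
        t += rng.expovariate(1.0 / gap_mean)
        frames.append((t, rng.choice(sizes)))
    return frames


def size_histogram(frames):
    """Normalised histogram of frame sizes (the first side channel)."""
    counts = [0] * (MAX_FRAME // SIZE_BIN + 1)
    for _, size in frames:
        counts[min(size, MAX_FRAME) // SIZE_BIN] += 1
    total = len(frames) or 1
    return [c / total for c in counts]


def gap_histogram(frames):
    """Normalised histogram of inter-arrival times (the second side channel)."""
    counts = [0] * (len(GAP_EDGES) + 1)
    for (t0, _), (t1, _) in zip(frames, frames[1:]):
        gap = t1 - t0
        counts[sum(1 for edge in GAP_EDGES if gap >= edge)] += 1
    total = max(len(frames) - 1, 1)
    return [c / total for c in counts]


def features(frames):
    """Feature vector: both histograms concatenated."""
    return size_histogram(frames) + gap_histogram(frames)


def l1(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def build_templates(n_frames=400, seed=1, pad=False):
    """One reference feature vector per app, from a constructed training trace."""
    out = {}
    for app in APP_PROFILES:
        trace = make_trace(app, n_frames, seed)
        out[app] = features(pad_frames(trace) if pad else trace)
    return out


def classify(frames, templates):
    """Nearest-template classifier: a simple stand-in for the paper's Random Forest."""
    f = features(frames)
    return min(templates, key=lambda app: l1(f, templates[app]))


def pad_frames(frames, block=MAX_FRAME):
    """Countermeasure: pad every frame to a fixed size, erasing the size histogram.
    Timestamps are untouched, so the timing side channel survives."""
    return [(t, block) for t, _ in frames]


def run_demo(seed=7):
    """Classify fresh traces with and without padding; returns the outcomes per app."""
    plain_templates = build_templates()
    padded_templates = build_templates(pad=True)
    results = {}
    for app in APP_PROFILES:
        trace = make_trace(app, 400, seed)
        results[app] = {
            "plain": classify(trace, plain_templates),
            "padded": classify(pad_frames(trace), padded_templates),
        }
    return results


if __name__ == "__main__":
    for app, r in run_demo().items():
        print(f"{app:6s} -> unpadded: {r['plain']:6s} padded: {r['padded']}")
```

Running the demo classifies every constructed trace correctly both before and after padding, because padding only removes the size histogram while the inter-arrival histogram still separates the profiles. Any real countermeasure therefore has to shape timing as well as size, which is the protocol-level change the abstract refers to.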

Highlights

  • WiFi communications are an ever-present part of modern society, pervading homes, businesses and almost everything be-

  • If an app’s network activity was truly present in live traffic, the app would be identified with high recall and any personal information associated with that app was demonstrably leaked to the surrounding area

  • This means that identifiable patterns that betray personal information are broadcast from mobile devices whenever an app is used despite the use of encryption


Summary

Introduction

J.S. Atkinson et al. / Future Generation Computer Systems 80 (2018) 546–557

… present a perfect storm making users’ private and sensitive information vulnerable. This information can be leaked to any listening party within reception range of the wireless network. Network data was collected as the apps were opened; this network activity denotes the use of a particular app. The resulting distributions can be used to differentiate between samples of encrypted network activity from different apps. Personas were created to emulate different people and their possible app choices, and were monitored in real-time to demonstrate how personal information can be leaked.

