Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users. Despite the presence of encryption, passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis. Since it is difficult to prevent the adversaries from accessing the network, providing secrecy in hostile environments becomes a serious concern.In this study, we propose AdaptiveMutate, a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps. First, we present a method for the identification of mobile apps using traffic analysis. Further, we propose a confusion system in which we obfuscate packet lengths, and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis. Our aim is to shape one class of app traffic to obscure its features with the minimum overhead. Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app. Also, AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate, depending on the type of apps analyzed and the classifier used, if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate. We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app. When applying the identification technique, we achieve a classification accuracy of 91.1%. Then, using our obfuscation technique, we are able to reduce this accuracy to 7%. Also, we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8% to 17.9%. Additionally, we analyze the tradeoff between the shaping cost and traffic privacy protection, specifically, the associated overhead and the feasibility for real-time implementation.