DOI: 10.1145/3616394.3618268
research-article

Characterizing Mobile Applications Through Analysis of DNS Traffic

Published: 30 October 2023

Abstract

User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.


Information & Contributors

Information

Published In

PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks
October 2023
129 pages
ISBN: 9798400703706
DOI: 10.1145/3616394
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android apps
  2. dns traffic
  3. encrypted dns
  4. mobile apps characterization
  5. user privacy

Qualifiers

  • Research-article

Funding Sources

  • MCIN/AEI/10.13039/501100011033

Conference

MSWiM '23
Acceptance Rates

Overall Acceptance Rate 70 of 240 submissions, 29%

Bibliometrics

Article Metrics

  • Total Citations: 0
  • Total Downloads: 116
  • Downloads (Last 12 months): 64
  • Downloads (Last 6 weeks): 5
Reflects downloads up to 13 Dec 2024
