Peel the Onion: Recognition of Android Apps Behind the Tor Network

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11879)

Abstract

According to the Freedom on the Net 2017 report [15], more than 60% of the world's Internet users are not completely free from censorship. Solutions like Tor allow users to gain more freedom by bypassing these restrictions. For this reason, they are continuously under close scrutiny to detect vulnerabilities that would compromise users' anonymity. The aim of this work is to show that Tor is vulnerable to app deanonymization attacks on Android devices through network traffic analysis. While attacks against Tor anonymity have already gained considerable attention in the context of website fingerprinting in desktop environments, to the best of our knowledge this is the first work that addresses a similar problem on Android devices. For this purpose, we describe a general methodology for performing an attack that deanonymizes the apps running on a target smartphone using Tor. We then discuss a Proof-of-Concept implementing the methodology, which shows how the attack can be performed in practice and makes it possible to assess the achievable deanonymization accuracy. Moreover, we made the software of the Proof-of-Concept available, as well as the datasets used to evaluate it. In our extensive experimental evaluation, we achieved an accuracy of 97%.

Notes

  1. Both the software necessary to reproduce the Proof-of-Concept and the dataset can be downloaded from the following repository: https://github.com/Immanuel84/peeltheonion.

  2. https://arxiv.org/abs/1901.04434.

References

  1. Orbot: Tor for android (2018). https://guardianproject.info/apps/orbot/

  2. Tcpdump (2018). https://www.tcpdump.org/

  3. Androidviewclient (2019). https://github.com/dtmilano/AndroidViewClient

  4. Culebra (2019). http://culebra.dtmilano.com/

  5. The majestic million (2019). https://majestic.com/reports/majestic-million

  6. Socialblade.com top 500 most followed profiles (sorted by followers count) (2019). https://socialblade.com/instagram/top/500/followers

  7. Socialblade.com top 500 most liked facebook pages (sorted by count) (2019). https://socialblade.com/facebook/top/500/likes

  8. Wireshark (2019). https://www.wireshark.org/

  9. AlSabah, M., Bauer, K., Goldberg, I.: Enhancing tor’s performance using real-time traffic classification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 73–84. ACM, New York (2012). https://doi.org/10.1145/2382196.2382208

  10. Bissias, G.D., Liberatore, M., Jensen, D., Levine, B.N.: Privacy vulnerabilities in encrypted HTTP streams. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11767831_1

  11. Chakravarty, S., Barbera, M.V., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: On the effectiveness of traffic analysis against anonymity networks using flow records. In: Faloutsos, M., Kuzmanovic, A. (eds.) PAM 2014. LNCS, vol. 8362, pp. 247–257. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04918-2_24

  12. Conti, M., Mancini, L.V., Spolaor, R., Verde, N.V.: Can’t you hear me knocking: identification of user actions on android apps via traffic analysis. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy CODASPY 2015, pp. 297–304. ACM, New York (2015). https://doi.org/10.1145/2699026.2699119

  13. Dai, S., Tongaonkar, A., Wang, X., Nucci, A., Song, D.: Networkprofiler: towards automatic fingerprinting of android apps, pp. 809–817, April 2013. https://doi.org/10.1109/INFCOM.2013.6566868

  14. Finamore, A., Mellia, M., Munafò, M.M., Torres, R., Rao, S.G.: Youtube everywhere: impact of device and infrastructure synergies on user experience. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 345–360. ACM (2011)

  15. Freedom on the Net: 2017 report (2017). https://freedomhouse.org/report/freedom-net/freedom-net-2017

  16. Gember, A., Anand, A., Akella, A.: A comparative study of handheld and non-handheld traffic in campus wi-fi networks. In: Spring, N., Riley, G.F. (eds.) PAM 2011. LNCS, vol. 6579, pp. 173–183. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19260-9_18

  17. Habibi Lashkari, A., Draper Gil, G., Mamun, M.S.I., Ghorbani, A.A.: Characterization of tor traffic using time based features. In: Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, pp. 253–262. INSTICC, SciTePress (2017). https://doi.org/10.5220/0006105602530262

  18. Hintz, A.: Fingerprinting websites using traffic analysis. In: Dingledine, R., Syverson, P. (eds.) PET 2002. LNCS, vol. 2482, pp. 171–178. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36467-6_13. http://dl.acm.org/citation.cfm?id=1765299.1765312

  19. Juarez, M., Afroz, S., Acar, G., Diaz, C., Greenstadt, R.: A critical evaluation of website fingerprinting attacks. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security CCS 2014, pp. 263–274. ACM, New York (2014). https://doi.org/10.1145/2660267.2660368

  20. Liberatore, M., Levine, B.N.: Inferring the source of encrypted http connections. In: Proceedings of the 13th ACM Conference on Computer and Communications Security CCS 2006, pp. 255–263. ACM, New York (2006). https://doi.org/10.1145/1180405.1180437

  21. Ling, Z., Luo, J., Wu, K., Yu, W., Fu, X.: Torward: discovery of malicious traffic over tor. In: IEEE INFOCOM 2014 - IEEE Conference on Computer Communications, pp. 1402–1410 (2014)

  22. Mittal, P., Khurshid, A., Juen, J., Caesar, M., Borisov, N.: Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting. In: Proceedings of the 18th ACM Conference on Computer and Communications Security CCS 2011, pp. 215–226. ACM, New York (2011). https://doi.org/10.1145/2046707.2046732

  23. Perry, M.: Tor padding specification (2019). https://gitweb.torproject.org/torspec.git/tree/padding-spec.txt

  24. Project, T.: Tor metrics. https://metrics.torproject.org/. Accessed Jan 2019

  25. Redondi, A.E.C., Sanvito, D., Cesana, M.: Passive classification of wi-fi enabled devices. In: Proceedings of the 19th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems MSWiM 2016, pp. 51–58. ACM, New York (2016). https://doi.org/10.1145/2988287.2989161

  26. Dingledine, R., Mathewson, N., Murdoch, S., Syverson, P.: Tor: the second-generation onion router (2014 draft v1) (2014). https://murdoch.is/papers/tor14design.pdf

  27. Saltaformaggio, B., et al.: Eavesdropping on fine-grained user activities within smartphone apps over encrypted network traffic. In: Proceedings of the 10th USENIX Conference on Offensive Technologies WOOT 2016, pp. 69–78. USENIX Association, Berkeley (2016). http://dl.acm.org/citation.cfm?id=3027019.3027026

  28. Sokolova, M., Lapalme, G.: A systematic analysis of performance measures for classification tasks. Inf. Process. Manage. 45(4), 427–437 (2009). https://doi.org/10.1016/j.ipm.2009.03.002

  29. Stöber, T., Frank, M., Schmitt, J., Martinovic, I.: Who do you sync you are?: Smartphone fingerprinting via application behaviour. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks WiSec 2013, pp. 7–12. ACM, New York (2013). https://doi.org/10.1145/2462096.2462099

  30. Taylor, V.F., Spolaor, R., Conti, M., Martinovic, I.: Appscanner: automatic fingerprinting of smartphone apps from encrypted network traffic. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 439–454, March 2016. https://doi.org/10.1109/EuroSP.2016.40

  31. Wang, T., Cai, X., Nithyanand, R., Johnson, R., Goldberg, I.: Effective attacks and provable defenses for website fingerprinting. In: Proceedings of the 23rd USENIX Conference on Security Symposium SEC 2014, pp. 143–157. USENIX Association, Berkeley (2014). http://dl.acm.org/citation.cfm?id=2671225.2671235

Author information

Corresponding author

Correspondence to Giuseppe Laurenza .

Appendices

A User Simulation

This section describes how we simulated the user interaction in our Proof-of-Concept.

Tor Browser. The user activity on the Tor Browser app has been simulated through a Python script that visits webpages randomly sampled from a list of the top 10,000 sites extracted from the Majestic Million dataset [5]. The script spends a randomly drawn amount of time on each webpage before navigating to the next one.

Instagram. To simulate the user interaction with Instagram, we created a new account and added the Socialblade’s top 500 most followed profiles [6]. The simulation script generates random swipe inputs on the Instagram app to scroll the main page up and down with random delays. Swipe down inputs are generated with higher probability than swipe up inputs, as a user browsing Instagram posts would typically scroll the page from top to bottom. After a random number of swipes there is a 30% probability that the user decides to visit another random profile, or otherwise a 30% probability that the user will push the like button on the current Instagram post.

Facebook. The simulation of the user interaction with the Facebook app is very similar to that of Instagram. First we create a Facebook account for the user and we add a list of followed pages derived from Socialblade’s top 500 most liked Facebook Pages [7]. Similarly to that of Instagram, the simulation script scrolls the posts in the main page of the Facebook app, by generating random swipe inputs with random delays. After a random number of swipes there is a 30% probability that the user pushes the like button on the post showing on the screen.
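The Instagram and Facebook procedures above can be expressed as a seeded action generator. This is an added sketch, not the authors' script (their code is in the repository cited in Note 1): it only produces a schedule of `(delay, action)` pairs rather than driving a device. Only the two 30% probabilities come from the text; the swipe-down bias, the number of swipes per burst, the delay range and all function names are assumed values chosen for illustration.

```python
import random
from collections import Counter

# From the text: 30% profile visit (Instagram only), otherwise 30% like.
P_VISIT = 0.30
P_LIKE = 0.30
# Assumptions (not stated in the paper): swipe bias, burst length, delays.
P_SWIPE_DOWN = 0.8
BURST_RANGE = (3, 10)      # swipes before the visit/like decision
DELAY_RANGE = (0.5, 4.0)   # seconds between consecutive inputs

def simulate(app, n_bursts, seed=None):
    """Return a list of (delay_seconds, action) for one simulated session."""
    if app not in ("instagram", "facebook"):
        raise ValueError("unsupported app: %r" % app)
    rng = random.Random(seed)  # seeded so a capture can be reproduced

    def delay():
        return round(rng.uniform(*DELAY_RANGE), 2)

    events = []
    for _ in range(n_bursts):
        for _ in range(rng.randint(*BURST_RANGE)):
            down = rng.random() < P_SWIPE_DOWN
            events.append((delay(), "swipe_down" if down else "swipe_up"))
        # The like is drawn only when no profile visit happened ("otherwise"),
        # so on Instagram its effective rate is 0.7 * 0.3 = 0.21 per burst.
        if app == "instagram" and rng.random() < P_VISIT:
            events.append((delay(), "visit_random_profile"))
        elif rng.random() < P_LIKE:
            events.append((delay(), "like"))
    return events

def action_rates(events, n_bursts):
    """Per-burst frequency of the two non-swipe actions."""
    counts = Counter(action for _, action in events)
    return {a: counts[a] / n_bursts for a in ("visit_random_profile", "like")}

if __name__ == "__main__":
    for app in ("instagram", "facebook"):
        session = simulate(app, 2000, seed=1)
        print(app, action_rates(session, 2000))
```

Because the like decision is conditional on not visiting a profile, the two apps produce different like rates from the same 30% figure, which matters when comparing their traffic profiles.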

Skype. Skype calls have been generated by starting calls with an audio source near the smartphone microphone.

uTorrent. The uTorrent app is a Torrent client and, therefore, it does not require a complex user interaction. We simply add some torrent file to the app, and it starts the download.

Dailymotion, Replaio Radio, Spotify, Twitch, YouTube. These apps also do not require a very complex interaction with the user. We start each app on some streaming content and leave the app running.

B Experiments Result Summary

Table 7 shows the settings of all the experiments that we performed and a summary of the results obtained.

Table 7. Complete set of experiments with results (Flow Timeout and Activity Timeout are in seconds).

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Petagna, E., Laurenza, G., Ciccotelli, C., Querzoni, L. (2019). Peel the Onion: Recognition of Android Apps Behind the Tor Network. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science, vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_6

  • DOI: https://doi.org/10.1007/978-3-030-34339-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34338-5

  • Online ISBN: 978-3-030-34339-2

  • eBook Packages: Computer Science, Computer Science (R0)
