DOI: 10.1145/2939918.2939922

Exploiting Data-Usage Statistics for Website Fingerprinting Attacks on Android

Published: 18 July 2016

Abstract

A user's browsing behavior makes it possible to infer personal details such as health status, political interests, and sexual orientation. To protect this sensitive information and to cope with possible privacy threats, defense mechanisms like SSH tunnels and anonymity networks (e.g., Tor) have been established. A known shortcoming of these defenses is that website fingerprinting attacks can still infer a user's browsing behavior through traffic analysis. However, website fingerprinting typically assumes access to the client's network or to a router near the client, which restricts the applicability of these attacks.
In this work, we show that this rather strong assumption is not required for website fingerprinting attacks. Our client-side attack overcomes several limitations and assumptions of network-based fingerprinting attacks, such as dependence on network conditions and traffic noise, disabled browser caches, and expensive training phases. Thereby, we eliminate assumptions made for academic purposes and present a practical attack that can be implemented easily and deployed on a large scale. Finally, we show that an unprivileged application can infer the browsing behavior by exploiting unprotected access to the Android data-usage statistics. More specifically, we are able to infer 97% of 2,500 page visits out of a set of 500 monitored pages correctly. Even if the traffic is routed through Tor using the Orbot proxy in combination with the Orweb browser, we can infer 95% of 500 page visits out of a set of 100 monitored pages correctly. Thus, the READ_HISTORY_BOOKMARKS permission, which is supposed to protect the browsing behavior, does not provide protection.




Published in: WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, July 2016, 242 pages. ISBN: 9781450342704. DOI: 10.1145/2939918

Publisher: Association for Computing Machinery, New York, NY, United States


Author tags: data-usage statistics, mobile malware, mobile security, side-channel attack, website fingerprinting

Qualifiers: Research-article

Conference: WiSec '16

Acceptance rates: WiSec '16 paper acceptance rate 13 of 51 submissions (25%); overall acceptance rate 98 of 338 submissions (29%)


Cited By

  • MagSpy: Revealing User Privacy Leakage via Magnetometer on Mobile Devices. IEEE Transactions on Mobile Computing 24(3):2455-2469, March 2025. DOI: 10.1109/TMC.2024.3495506
  • Mobile User Traffic Generation Via Multi-Scale Hierarchical GAN. ACM Transactions on Knowledge Discovery from Data 18(8):1-19, 10 May 2024. DOI: 10.1145/3664655
  • Cross-Core Interrupt Detection: Exploiting User and Virtualized IPIs. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 94-108, 2 December 2024. DOI: 10.1145/3658644.3690242
  • Too Hot to Handle: Novel Thermal Side-Channel in Power Attack-Protected Intel Processors. 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 378-382, 6 May 2024. DOI: 10.1109/HOST55342.2024.10545405
  • A Systematic Deconstruction of Human-Centric Privacy & Security Threats on Mobile Phones. International Journal of Human–Computer Interaction 41(2):1628-1651, 12 June 2024. DOI: 10.1080/10447318.2024.2361519
  • Indirect Meltdown: Building Novel Side-Channel Attacks from Transient-Execution Attacks. Computer Security – ESORICS 2023, pages 22-42, 12 January 2024. DOI: 10.1007/978-3-031-51479-1_2
  • WebTracker: Real Webbrowsing Behaviors. 2023 Silicon Valley Cybersecurity Conference (SVCC), pages 1-8, 17 May 2023. DOI: 10.1109/SVCC56964.2023.10164930
  • A Survey on Deep Learning for Website Fingerprinting Attacks and Defenses. IEEE Access 11:26033-26047, 2023. DOI: 10.1109/ACCESS.2023.3253559
  • The rise of website fingerprinting on Tor. Journal of Network and Computer Applications 212(C), 1 March 2023. DOI: 10.1016/j.jnca.2023.103582
  • WFP-Collector: Automated dataset collection framework for website fingerprinting evaluations on Tor Browser. Journal of King Saud University - Computer and Information Sciences 35(9):101778, October 2023. DOI: 10.1016/j.jksuci.2023.101778
