Exploiting Data-Usage Statistics for Website Fingerprinting Attacks on Android

Raphael Spreitzer, Simone Griesmayr, Thomas Korak, Stefan Mangard

The browsing behavior of a user allows personal details, such as health status, political interests, sexual orientation, etc., to be inferred. In order to protect this sensitive information and to cope with possible privacy threats, defense mechanisms like SSH tunnels and anonymity networks (e.g., Tor) have been established. A known shortcoming of these defenses is that website fingerprinting attacks allow a user’s browsing behavior to be inferred based on traffic analysis techniques. However, website fingerprinting typically assumes access to the client’s network or to a router near the client, which restricts the applicability of these attacks.

In this work, we show that this rather strong assumption is not required for website fingerprinting attacks. Our client-side attack overcomes several limitations and assumptions of network-based fingerprinting attacks, e.g., network conditions and traffic noise, disabled browser caches, expensive training phases, etc. Thereby, we eliminate assumptions used for academic purposes and present a practical attack that can be implemented easily and deployed on a large scale. Eventually, we show that an unprivileged application can infer the browsing behavior by exploiting the unprotected access to the Android data-usage statistics. More specifically, we are able to infer 97% of 2 500 page visits out of a set of 500 monitored pages correctly. Even if the traffic is routed through Tor by using the Orbot proxy in combination with the Orweb browser, we can infer 95% of 500 page visits out of a set of 100 monitored pages correctly. Thus, the READ_HISTORY_BOOKMARKS permission, which is supposed to protect the browsing behavior, does not provide protection.

Review:
This paper studies an attack that fingerprints web sites on Android. The attack takes advantage of Android’s data-usage statistics, which are available to all apps without requiring permissions. The authors evaluated the classification rate for a standard browser application as well as when the traffic is routed through Tor.

The reviewers appreciated the practical attack demonstration using an unprivileged application, as well as the quantitative measurement of impact. However, the reviewers had several reservations. First, recent literature has proposed many attacks that exploit information extracted from Android without permissions (e.g., citations [22] and [44] discuss fingerprinting app network traffic based on data usage statistics). Second, the evaluation is based on an ideal scenario where the user is browsing a single web site at a time. The reviewers wondered if it would still be possible to fingerprint web sites when traffic from different tabs mixes. Finally, while the paper proposes countermeasures, the reviewers would have liked to see an evaluation of the countermeasures.