As the world’s leading annual cybersecurity conference, Black Hat USA 2020 featured a notable number of researchers presenting their findings on various aspects of mobile security. One of the most interesting and controversial presentations was on the topic of flowprinting, which is a semi-supervised machine learning technique for mobile-app fingerprinting on encrypted network traffic.
The researchers behind this presentation, from North Carolina State University, University of New Hampshire and Uppsala University, explained that flowprinting can be used to deanonymize many popular apps that use TLS encryption for communication. The goal of this work is not to defeat TLS encryption, but rather to show that even encrypted network traffic can give away a lot of information about what apps are being used.
To demonstrate their findings, the researchers created a tool called FlowPrint and used it to fingerprint over 1,200 popular Android apps. They were able to achieve an accuracy of 97% when FlowPrint was used in a semi-supervised manner, which means that it only needed a small amount of labeled data to achieve such high accuracy.
The researchers also showed that FlowPrint can be used to deanonymize users of popular VPN services such as Private Internet Access and TunnelBear. This is possible because FlowPrint can distinguish between different types of encrypted traffic, even when they are coming from the same IP address.
While the findings from this research are certainly alarming, it is important to note that FlowPrint is not a practical attack in its current state. In order for FlowPrint to be effective, an attacker would need access to a victim’s device in order to install the tool. Additionally, the attacker would need access to the victim’s network traffic, which is not always possible.
However, the research does highlight the fact that even encrypted network traffic can give away a lot of information about what apps are being used. This information could be used by an attacker for malicious purposes, such as targeted advertising or deanonymizing users of VPN services. As such, it is important for developers of encrypted communication protocols to be aware of these risks and take steps to mitigate them.
