Nothing But Net: Invading Android User Privacy Using Only Network Access Patterns

TL;DR

This paper demonstrates that simple network traffic metadata can be exploited to infer user location and browsing history on Android devices, raising significant privacy concerns without requiring permissions.

Contribution

It shows that basic network statistics alone can be used to violate user privacy on Android, even with minimal data and simple classification methods.

Findings

Traffic statistics can reveal user location elements.

Network metadata can identify visited websites.

Attacks are feasible with process-level data without permissions.

Abstract

We evaluate the power of simple networks side-channels to violate user privacy on Android devices. Specifically, we show that, using blackbox network metadata alone (i.e., traffic statistics such as transmission time and size of packets) it is possible to infer several elements of a user's location and also identify their web browsing history (i.e, which sites they visited). We do this with relatively simple learning and classification methods and basic network statistics. For most Android phones currently on the market, such process-level traffic statistics are available for any running process, without any permissions control and at fine-grained details, although, as we demonstrate, even device-level statistics are sufficient for some of our attacks. In effect, it may be possible for any application running on these phones to identify privacy-revealing elements of a user's location, for example, correlating travel with places of worship, point-of-care medical establishments, or political activity.