Network Profiler: Towards Automatic Fingerprinting of Android Apps Shuaifu Dai Alok Tongaonkar Xiaoyin Wang Antonio Nucci Dawn Song 4/21/2015 Deepthi Gangala

Outline Introduction Objective System Design Evaluation Limitations Conclusion 4/21/2015 Deepthi Gangala

Introduction 488 million smartphones have been sold in year 2011, compared to 415 personal computers. 87% of the 90k android apps in the android Market requires permission for Internet access. 4/21/2015 Deepthi Gangala

NetworkProfiler Is a system to efficiently generate network profiles for Android apps. This is an automatic technique for extracting apps fingerprints form the network traces obtained by running these apps in an emulator in an automated fashion. 4/21/2015 Deepthi Gangala

Objective Objective is to extract fingerprints i.e., patterns of string within the network traces that are unique to the app and can be used to distinguish the app from other apps. The network behavior of an app different in terms of the HTTP methods, hosts connected, URL paths or queries, and so on. To illustrate this network behavior lets take an Zedge a popular android app. 4/21/2015 Deepthi Gangala

Zegde app 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

The invariant parts which are unique are used to identify the app. Key Idea behind fingerprint extraction algorithm is to identify the invariant parts of the flows belonging to an app. The invariant parts which are unique are used to identify the app. 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

System Design Network Profiler is an automatic network profile generator for android apps. It has two main components Fingerprint Extractor Droid Driver 4/21/2015 Deepthi Gangala

Fingerprint Extractor Fingerprint Extractor first tokenizes the HTTP flows via a parses and sends the tokenized flows to the clusterer. Tokenize or breakup the request into various components as shown in figure5 Break the request into method(m), page(P), query(q). Page can be broken into a number of page-components(pcs), filename(fn). Query can be split into key-value pairs(k-v) Initially all flows based in just method type i.e., all requests having same methods are grouped together. The clusterer then performs an agglomerative clustering of HTTP request within each group. 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

Measure of Distance between two HTTP requests: Distance between pages dp(i,j): Compute jacard index between page components of the page as a measure of similarity. Distance between queries dq(i,j): Compute jacard index between keys in the as a measure of similarity. Distance between two requests i,j as dh(i,j) =(dp(i,j)+dq(i,j))/2 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

Droid Driver Droid Driver is the component responsible for executing Android apps and collecting network traces. It has 3 main components: Random Tester Directed Tester 4/21/2015 Deepthi Gangala

Directed Tester system as an extension to the android testing framework ,allows users to communicate has 3 modules: Path Recorded Heuristic Path Generator Path Replayer 4/21/2015 Deepthi Gangala

Path Recorder It records the user events for apps running un and emulator. This is build by modifying Android tool monkeymaker and hierarchy viewer which provides information about the coordinates on the screen where and event occurred and coordinates of different viewer. 4/21/2015 Deepthi Gangala

Heuristic Path Generator It is responsible for generating the unexplored paths to be executed by the app. It is based on UI fuzzing technique. The intuition behind this is to generate network paths for parallel views that have same action of another action like button clicking etc. 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

Path Replayer It is a dynamic path driven engine which forces the app to execute a given path and then capture the network trace of the app. It consists of four components : View Identification Module Identifies the views like button positions in the current activity Event Emulation Module Takes paths as input and performs actions one by one. It supports user behaviors like clicking/swiping on the screen. 4/21/2015 Deepthi Gangala

System APL Logging Module Used to identify which network traffic is originating form the app under observations. Network Traffic Capture Module captures network traffic using tcpdump. 4/21/2015 Deepthi Gangala

Evaluation Ad traffic Non-Ad Traffic 4/21/2015 Deepthi Gangala

Ad Traffic Evaluated the fingerprint extraction algorithm for ad libraries. 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

Non-Ad traffic We Consider 6 popular, Flixster, ESPN, Score Center, CNET News, Pandora and Zedge to evaluate the non-ad traffic fingerprints. Manually generated a seed action path for each app and the installation package of the app to the NetworkProfiler system. 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala

Limitations Can not distinguish apps which use the same service and have no distinct network behavior. Need a user seed path when login is involved Time required to download and run apps for the emulator. 4/21/2015 Deepthi Gangala

Conclusion And Future Work Proposed novel system called Network Profiler for the automated generation of network profiles for android apps. In future, build a comprehensive network profile library for the apps present in the android market. Combine state analysis with dynamic analysis to improve coverage execution 4/21/2015 Deepthi Gangala

4/21/2015 Deepthi Gangala