The ICSI HaystackA Platform for Hybrid Mobile

Measurements in the Wild

Narseo Vallina-Rodriguez

In collaboration with:

S. Sundaresan, C. Kreibich, M. Allman, V. Paxson (ICSI/UC Berkeley)A. Razaghpanah, P. Gill (Stony Brook University)

AIMS Workshop - CAIDA, February 2016

2

How much do we know about the mobile ecosystem?

3

Privacy

Performance

MVNO3G

Proxies

CDNs

Users

Apps

Security

WiFi

Ads

LTE

The mobile jigsaw

DNS

QUICIPv6

NAT

CGNsTLS

ACTIVEMEASUREMENTS

4

Privacy

Performance

MVNO3G

Proxies

CDNs

Users

Apps

Security

WiFi

Ads

LTE

The mobile jigsaw

DNS

QUICIPv6

NAT

CGNsTLS

STATIC AND DYNAMIC ANALYSIS

5

Privacy

Performance

MVNO3G

Proxies

CDNs

Users

Apps

Security

WiFi

Ads

LTE

The mobile jigsaw

DNS

QUICIPv6

NAT

CGNsTLS

INSTRUMENTED PHONES

(root access)

6

Privacy

Performance

MVNO3G

Proxies

CDNs

Users

Apps

Security

WiFi

Ads

LTE

The mobile jigsaw

DNS

QUICIPv6

NAT

CGNsTLS

ISPTRACES

7

Privacy

Performance

MVNO3G

Proxies

CDNs

Users

Apps

Security

WiFi

Ads

LTE

The mobile jigsaw

DNS

QUICIPv6

NAT

CGNsTLS

VPN AND PROXY TRACES

8

TRADE- OFFS!

9

The ideal mobile measurements platform:

Real-world operation

Comprehensiveness

Local operation

Large scale

A user-centric, and on-device measurements platform that intercepts

and studies network traffic and app activity in user space

The ICSI Haystack

10

Traffic Analyzer (off-path)

Forwarder tun

interface

Schematic view of Haystack

DefaultGW

TLS Proxy

Anonymizedreports (IRB)

DB @ ICSI

App traffic

InternetRaw packets

Java sockets! 😡i.e., no-packet level traces

Max throughput: ~55 MbpsExtra latency < 1-4 ms

Battery overhead: 2-9 %

Optional TLSinterception

Contextualized traffic analysis

12

A easy-to-deploy tool for mobile users!

The user engagement challenge

13

14

Technical details and performance evaluation:

Ongoing and FutureResearch Directions

15

We are [mostly] in the dark about how mobile apps behave in ANY network!

“I love working for the NSA, but if I’d wanted to snoop on people’s most intimate information, I’d have become an app developer!”

http://www.robcottingham.ca/

Who do apps talk to, what do they talk about, and how?

17

0

10

20

30

40

grap

h.fa

cebo

ok.c

omcr

ashl

ytic

s.co

mgo

ogle

.com

goog

leap

is.co

mdo

uble

clic

k.ne

tflu

rry.c

omgs

tatic

.com

goog

lesy

ndic

atio

n.co

mam

azon

aws.

com

scor

ecar

dres

earc

h.co

mgo

ogle

tagm

anag

er.c

omam

azon−a

dsys

tem

.com

mix

pane

l.com

goog

leus

erco

nten

t.com

mop

ub.c

omgo

ogle−a

naly

tics.

com

clou

dfro

nt.n

ettw

itter

.com

face

book

.com

twim

g.co

m

% o

f App

s

Provides DPI and generates accurate behavioral signatures New-generation analytics and ad networks use TLS!

Allows users to stay in control of their traffic

Performance evaluation: Real-world DNS

18

Can measure contextualized “real-world” traffic performance

Enables reactive measurements [Allman+Paxson, PAM 2008]

App Median 𝞓(tApp-ttcpdump) (𝞵s) StdDev 𝞓(tApp-ttcpdump) (𝞵s)

JavaApp 1,254 658

Haystack 1,211 303

• What are your reactions both as users and researchers?

• How can we improve app usability and mobile transparency?

• What are the most challenging, worrying and urging aspects of mobile systems?

19

Community feedback:

Visit: www.haystack.com