The ICSI Haystack A Platform for Hybrid Mobile Measurements in the - - PowerPoint PPT Presentation

The ICSI Haystack

A Platform for Hybrid Mobile 
 Measurements in the Wild

Narseo Vallina-Rodriguez

In collaboration with:

• S. Sundaresan, C. Kreibich, M. Allman, V. Paxson (ICSI/UC Berkeley)

• A. Razaghpanah, P. Gill (Stony Brook University)

AIMS Workshop - CAIDA, February 2016

2

How much do we know about the mobile ecosystem?

3

Privacy Performance MVNO 3G Proxies CDNs Users Apps Security WiFi Ads LTE

The mobile jigsaw

DNS QUIC IPv6 NAT CGNs TLS

ACTIVE
 MEASUREMENTS

4

Privacy Performance MVNO 3G Proxies CDNs Users Apps Security WiFi Ads LTE

The mobile jigsaw

DNS QUIC IPv6 NAT CGNs TLS

STATIC AND 
 DYNAMIC ANALYSIS

5

Privacy Performance MVNO 3G Proxies CDNs Users Apps Security WiFi Ads LTE

The mobile jigsaw

DNS QUIC IPv6 NAT CGNs TLS

INSTRUMENTED
 PHONES 
 (root access)

6

Privacy Performance MVNO 3G Proxies CDNs Users Apps Security WiFi Ads LTE

The mobile jigsaw

DNS QUIC IPv6 NAT CGNs TLS

ISP
 TRACES

7

Privacy Performance MVNO 3G Proxies CDNs Users Apps Security WiFi Ads LTE

The mobile jigsaw

DNS QUIC IPv6 NAT CGNs TLS

VPN AND 
 PROXY TRACES

8

TRADE- OFFS!

9

The ideal mobile measurements platform: Real-world operation Comprehensiveness Local operation Large scale

A user-centric, and on-device measurements platform that intercepts and studies network traffic and app activity in user space

The ICSI Haystack

10

Traffic Analyzer (off-path) Forwarder
 
 
 
 
 tun
 interface

Schematic view of Haystack

Default
 GW TLS Proxy

Anonymized
 reports (IRB)

DB @ ICSI

App traffic

Internet

Raw 
 packets Java sockets! 😢
 i.e., no-packet level traces

Max throughput: ~55 Mbps
 Extra latency < 1-4 ms 
 Battery overhead: 2-9 %

Optional TLS
 interception Contextualized 
 traffic analysis

12

A easy-to-deploy tool for mobile users!

The user engagement challenge

13

14

Technical details and performance evaluation:

Ongoing and Future Research Directions

15

We are [mostly] in the dark about how mobile apps behave in ANY network!

“I love working for the NSA, but if I’d wanted to snoop on people’s most

intimate information, I’d have become an app developer!”

http://www.robcottingham.ca/

Who do apps talk to, what do they talk about, and how?

17

10 20 30 40 graph.facebook.com crashlytics.com google.com googleapis.com doubleclick.net flurry.com gstatic.com googlesyndication.com amazonaws.com scorecardresearch.com googletagmanager.com amazon−adsystem.com mixpanel.com googleusercontent.com mopub.com google−analytics.com cloudfront.net twitter.com facebook.com twimg.com

% of Apps

Provides DPI and generates accurate behavioral signatures New-generation analytics and ad networks use TLS! Allows users to stay in control of their traffic

Performance evaluation: Real-world DNS

18


 Can measure contextualized “real-world” traffic performance
 
 Enables reactive measurements [Allman+Paxson, PAM 2008]

App Median 𝞔(tApp-ttcpdump) (𝞶s) StdDev 𝞔(tApp-ttcpdump) (𝞶s) JavaApp 1,254 658 Haystack 1,211 303

• What are your reactions both as users and researchers?
• How can we improve app usability and mobile transparency?
• What are the most challenging, worrying and urging aspects 

• f mobile systems?

19

Community feedback:

Visit: www.haystack.com