Classifying User Activities in the Encrypted WeChat Traffic
Abstract: The security and privacy of encrypted mobile applications have attracted the attention of researchers. However, most of the existing researches focus on analysis of SSL/TLS traffic, while few studies focus on proprietary encrypted traffic, which is also important and challenging. In this paper, we make a deep study of WeChat, which is one of the most popular social applications in the world with over one billion active users. The application uses a proprietary encryption protocol called as MMTLS for most of its communications. It is designed based on Transport Layer Security (TLS) 1.3 drafts for both performance and security. We explore the fine-grained classification of typical user activities inside the MMTLS encrypted channels and compare the MMTLS with the HTTPS (e.g. flow duration and packet size), which are jointly used in WeChat. It is found that MMTLS is suitable for scenarios of low latency and lightweight messaging. With the WeChat traffic collected from different platforms (Android, iOS) and devices (Huawei, Samsung, iPhone, iPad, etc.) by different users, we classify seven typical activities, encrypted by MMTLS protocol such as payment, advertisement click, browsing moments and so on. The experimental results show that both of the average precision and recall can reach over 92%. Our work is the first to perform classification on this proprietary encrypted protocol and understanding the difference between MMTLS and TLS. It is believed that the work will benefit the security and privacy of WeChat and other proprietary encryption applications.
Loading