No Place to Hide that Bytes won't Reveal: Sniffing Location-Based Encrypted Traffic to Track a User's Position
This addresses privacy risks for users of location-based services, revealing vulnerabilities that could be exploited by powerful adversaries, though it is incremental in building on existing traffic analysis methods.
The paper tackles the problem of tracking users' locations through encrypted traffic by proposing a new adversary model for Location Based Services, showing that an unauthorized third party can infer a user's position by analyzing encrypted traffic size and timing, with results from analyzing GoogleNow highlighting the need for better privacy countermeasures.
News reports of the last few years indicated that several intelligence agencies are able to monitor large networks or entire portions of the Internet backbone. Such a powerful adversary has only recently been considered by the academic literature. In this paper, we propose a new adversary model for Location Based Services (LBSs). The model takes into account an unauthorized third party, different from the LBS provider itself, that wants to infer the location and monitor the movements of a LBS user. We show that such an adversary can extrapolate the position of a target user by just analyzing the size and the timing of the encrypted traffic exchanged between that user and the LBS provider. We performed a thorough analysis of a widely deployed location based app that comes pre-installed with many Android devices: GoogleNow. The results are encouraging and highlight the importance of devising more effective countermeasures against powerful adversaries to preserve the privacy of LBS users.