What-App? App Usage Detection Using Encrypted LTE/5G Traffic

Authors: Jinjin Wang (University of Birmingham), Zishuai Cheng (Beijing University of Posts and Telecommunications), Mihai Ordean (University of Birmingham), Baojiang Cui (Beijing University of Posts and Telecommunications)

Volume: 2026
Issue: 1
Pages: 242–256
DOI: https://doi.org/10.56553/popets-2026-0013

Abstract: Cellular traffic fingerprinting attacks, in which an unprivileged adversary passively monitors encrypted wireless channels to infer user activities, introduce significant privacy risks by giving attackers the ability to track user behaviors, infer sensitive activities, and profile victims without authorization. Although such attacks have been discussed for LTE and 5G, many existing studies rely on idealized assumptions that fall short when faced with the complexities of real-world practical scenarios.

In this paper, we present the first practical traffic fingerprinting attack leveraging a Man-in-the-Middle (MITM) Relay in an operational cellular network. Implemented with open-source software, our attack allows a passive adversary to identify user applications with up to 99.02% accuracy, even under noisy conditions. We evaluate our method using 40 applications across five categories on multiple COTS user equipment (UE). Our approach further demonstrates the ability to infer fine-grained user activities such as browsing, messaging, and video streaming under practical constraints, including partial traffic knowledge and app version drift. The attack also achieves cross-device and cross-network transferability, and it remains robust in open-world scenarios where only a subset of application traffic is known to the adversary.

We additionally propose a novel traffic regularization-based defense tailored specifically for cellular networks. This defense operates as an optional, backward-compatible security layer integrated seamlessly into the existing cellular protocol stack, effectively balancing security strength with practical considerations such as latency and bandwidth overhead.

Keywords: Cellular Network Security, 5G and LTE security and privacy, Traffic Fingerprinting, Man-in-the-Middle (MITM) Relay, False Base Station, Fingerprinting Defense, Traffic Regularization

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.