Jimenez-Berenguel, Andrea; Gil, César; García-Rubio, Carlos; Forné, Jordi; Campo, Celeste DNS Query Forgery: A Client-Side Defense Against Mobile App Traffic Profiling Journal Article In: IEEE Access, vol. 13, pp. 1-20, 2025, ISSN: 2169-3536. Abstract | Links | BibTeX | Tags: compromise, Data Perturbation Techniques, Discovery, dns traffic, I-Shaper, Privacy-Enhancing Technologies, Query Forgery, Qursa, user privacy, User Profiling Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel Inferring mobile applications usage from DNS traffic Proceedings Article In: Ad Hoc Networks, Elsevier B.V., 2024. Abstract | Links | BibTeX | Tags: compromise, dns traffic, I-Shaper, mobile applications identification, Qursa, user privacy Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Campo-Vázquez, Carlos García-Rubio Celeste Characterizing Mobile Applications Through Analysis of DNS Traffic Conference PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: N 979-8-4007-0370-6. Abstract | Links | BibTeX | Tags: android apps, compromise, dns traffic, encrypted dns, mobile apps characterization, Qursa, user privacy2025
@article{Andrea002,
title = {DNS Query Forgery: A Client-Side Defense Against Mobile App Traffic Profiling},
author = {Andrea Jimenez-Berenguel and César Gil and Carlos García-Rubio and Jordi Forné and Celeste Campo},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11250988
https://ieeexplore.ieee.org/document/11250988
},
doi = {https://doi.org/10.1109/ACCESS.2025.3633695},
issn = {2169-3536},
year = {2025},
date = {2025-11-17},
urldate = {2025-11-17},
journal = {IEEE Access},
volume = {13},
pages = {1-20},
abstract = {Mobile applications generate DNS queries that expose user behavioral patterns to network observers, creating privacy vulnerabilities even when communications are encrypted. Network eavesdroppers and DNS resolvers can analyze domain name sequences to profile users based on their app usage patterns. This paper proposes a client-side defense mechanism based on DNS query forgery to obfuscate user DNS-based profiles. Our method applies a query forgery technique that consists of injecting false DNS queries into genuine traffic streams. We mathematically model user profiles as probability distributions over interest categories and analyze the optimal proportion of false queries needed to achieve desired privacy levels. We evaluate three query forgery strategies: Uniform, TrackMeNot-based, and Optimized, finding that the Optimized strategy using KL divergence is the most effective. To validate our approach, we develop a novel methodology for generating synthetic user traces, creating a dataset of 1,000 users by mapping real app traffic data onto individual user profiles. Our analysis reveals that 50% privacy improvement is achievable with less than 20% traffic overhead, while 100% privacy protection requires approximately 40-60% additional traffic. We further propose a modular system architecture for practical implementation on mobile devices. This work offers a client-side privacy solution that operates without third-party trust requirements, empowering users to defend against traffic analysis without compromising application functionality.},
keywords = {compromise, Data Perturbation Techniques, Discovery, dns traffic, I-Shaper, Privacy-Enhancing Technologies, Query Forgery, Qursa, user privacy, User Profiling},
pubstate = {published},
tppubtype = {article}
}
2024
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {compromise, dns traffic, I-Shaper, mobile applications identification, Qursa, user privacy},
pubstate = {published},
tppubtype = {inproceedings}
}
2023
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio Celeste Campo-Vázquez},
doi = {https://doi.org/10.1145/3616394.3618268},
isbn = {N 979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks.},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {android apps, compromise, dns traffic, encrypted dns, mobile apps characterization, Qursa, user privacy},
pubstate = {published},
tppubtype = {conference}
}
Publications
DNS Query Forgery: A Client-Side Defense Against Mobile App Traffic Profiling Journal Article In: IEEE Access, vol. 13, pp. 1-20, 2025, ISSN: 2169-3536. Inferring mobile applications usage from DNS traffic Proceedings Article In: Ad Hoc Networks, Elsevier B.V., 2024. Characterizing Mobile Applications Through Analysis of DNS Traffic Conference PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: N 979-8-4007-0370-6.2025
2024
2023