{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T12:32:35Z","timestamp":1763037155858,"version":"build-2065373602"},"reference-count":33,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2018,1,31]],"date-time":"2018-01-31T00:00:00Z","timestamp":1517356800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Popular mobile apps use push notifications extensively to offer an \u201calways connected\u201d experience to their users. Social networking apps use them as a real-time channel to notify users about new private messages or new social interactions (e.g., friendship request, tagging, etc.). Despite the cryptography used to protect these communication channels, the strict temporal binding between the actions that trigger the notifications and the reception of the notification messages in the mobile device may represent a privacy issue. In this work, we present the push notification attack designed to bind the physical owners of mobile devices with their virtual identities, even if pseudonyms are used. In an online attack, an active attacker triggers a push notification and captures the notification packets that transit in the network. In an offline attack, a passive attacker correlates the social network activity of a user with the received push notification. The push notification attack bypasses the standard ways of protecting user privacy based on the network layer by operating at the application level. It requires no additional software on the victim\u2019s mobile device.<\/jats:p>","DOI":"10.3390\/fi10020013","type":"journal-article","created":{"date-parts":[[2018,1,31]],"date-time":"2018-01-31T05:51:17Z","timestamp":1517377877000},"page":"13","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Push Attack: Binding Virtual and Real Identities Using Mobile Push Notifications"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2348-5077","authenticated-orcid":false,"given":"Pierpaolo","family":"Loreti","sequence":"first","affiliation":[{"name":"Electronic Engineering Department, University of Rome Tor Vergata, 00173 Rome, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6673-3157","authenticated-orcid":false,"given":"Lorenzo","family":"Bracciale","sequence":"additional","affiliation":[{"name":"Electronic Engineering Department, University of Rome Tor Vergata, 00173 Rome, Italy"}]},{"given":"Alberto","family":"Caponi","sequence":"additional","affiliation":[{"name":"Electronic Engineering Department, University of Rome Tor Vergata, 00173 Rome, Italy"}]}],"member":"1968","published-online":{"date-parts":[[2018,1,31]]},"reference":[{"key":"ref_1","unstructured":"(2015). The Smartphone Difference, Pew Research Center. Technical Report."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1109\/MSP.2013.47","article-title":"Two Tales of Privacy in Online Social Networks","volume":"11","author":"Guerses","year":"2013","journal-title":"IEEE Secur. Priv."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Yang, Y., Lutes, J., Li, F., Luo, B., and Liu, P. (2012, January 7\u20139). Stalking Online: On User Privacy in Social Networks. Proceedings of the Second ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA.","DOI":"10.1145\/2133601.2133607"},{"key":"ref_4","unstructured":"IETF (1970, January 01). Webpush Working Group. Available online: https:\/\/tools.ietf.org\/wg\/webpush\/."},{"key":"ref_5","unstructured":"(2015). Meraki Whitepaper CMX, Cisco. Technical Report."},{"key":"ref_6","unstructured":"Wilkinson, G., and Cuthbert, D. (2014, February 25). Snoopy: A Distributed Tracking and Profiling Framework. Available online: https:\/\/www.sensepost.com\/blog\/2012\/snoopy-a-distributed-tracking-and-profiling-framework\/."},{"key":"ref_7","unstructured":"Stanton, J.M., and Stam, K.R. (2006). The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets\u2013without Compromising Employee Privacy Or Trust, Information Today, Inc."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Chen, S., Wang, R., Wang, X., and Zhang, K. (2010, January 16\u201319). Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow. Proceedings of the 2010 IEEE Symposium on Security and Privacy, Berkeley\/Oakland, CA, USA.","DOI":"10.1109\/SP.2010.20"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Zhang, F., He, W., Liu, X., and Bridges, P.G. (2011, January 14\u201317). Inferring Users\u2019 Online Activities Through Traffic Analysis. Proceedings of the Fourth ACM Conference on Wireless Network Security, Hamburg, Germany.","DOI":"10.1145\/1998412.1998425"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Wang, Q., Yahyavi, A., Kemme, B., and He, W. (2015, January 28\u201330). I know what you did on your smartphone: Inferring app usage over encrypted data traffic. Proceedings of the 2015 IEEE Conference on Communications and Network Security (CNS), Florence, Italy.","DOI":"10.1109\/CNS.2015.7346855"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Do, T.M.T., Blom, J., and Gatica-Perez, D. (2011, January 14\u201318). Smartphone Usage in the Wild: A Large-scale Analysis of Applications and Context. Proceedings of the 13th International Conference on Multimodal Interfaces, Alicante, Spain.","DOI":"10.1145\/2070481.2070550"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Di Luzio, A., Mei, A., and Stefa, J. (2016, January 10\u201314). Mind Your Probes: De-Anonymization of Large Crowds Through Smartphone WiFi Probe Requests. Proceedings of the 35th Annual IEEE International Conference on Computer Communications, San Francisco, CA, USA.","DOI":"10.1109\/INFOCOM.2016.7524459"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1016\/j.jnca.2015.01.008","article-title":"A Review Paper on Preserving Privacy in Mobile Environments","volume":"53","author":"Arunkumar","year":"2015","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Alsarkal, Y., Zhang, N., and Zhou, Y. (2015, January 27\u201329). Linking virtual and real-world identities. Proceedings of the 2015 IEEE International Conference onIntelligence and Security Informatics (ISI), Baltimore, MD, USA.","DOI":"10.1109\/ISI.2015.7165938"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Goldreich, O. (2004). Foundations of Cryptography: Volume 2, Basic Applications, Cambridge University Press.","DOI":"10.1017\/CBO9780511721656"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., and Seifert, J. (arXiv, 2015). Practical attacks against privacy and availability in 4G\/LTE mobile communication systems, arXiv.","DOI":"10.14722\/ndss.2016.23236"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"St\u00f6ber, T., Frank, M., Schmitt, J., and Martinovic, I. (2013, January 17\u201319). Who Do You Sync You Are?: Smartphone Fingerprinting via Application Behaviour. Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, Budapest, Hungary.","DOI":"10.1145\/2462096.2462099"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1109\/TWC.2013.121013.121473","article-title":"Thwarting Wi-Fi Side-Channel Analysis through Traffic Demultiplexing","volume":"13","author":"Zhang","year":"2014","journal-title":"Wirel. Commun. IEEE Trans."},{"key":"ref_19","unstructured":"Wright, C.V., Coull, S.E., and Monrose, F. (2009, January 8\u201311). Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA."},{"key":"ref_20","unstructured":"OASIS (2018, January 30). MQTT Specifications. Available online: http:\/\/docs.oasis-open.org\/mqtt\/mqtt\/v3.1.1\/os\/mqtt-v3.1.1-os.html."},{"key":"ref_21","unstructured":"Xu, Z., and Zhu, S. (2012, January 6\u20137). Abusing Notification Services on Smartphones for Phishing and Spamming. Proceedings of the 6th USENIX Conference on Offensive Technologies, Bellevue, WA, USA."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1016\/j.pmcj.2015.06.005","article-title":"Personal information leakage detection method using the inference-based access control model on the Android platform","volume":"24","author":"Choi","year":"2015","journal-title":"Pervasive Mob. Comput."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Herrmann, D., Wendolsky, R., and Federrath, H. (2009, January 13). Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Na\u00efve-Bayes Classifier. Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, IL, USA.","DOI":"10.1145\/1655008.1655013"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Jiang, T., Wang, H.J., and Hu, Y.C. (2007, January 11\u201313). Preserving Location Privacy in Wireless Lans. Proceedings of the 5th International Conference on Mobile Systems, Applications and Services, San Juan, Puerto Rico.","DOI":"10.1145\/1247660.1247689"},{"key":"ref_25","unstructured":"Michalevsky, Y., Nakibly, G., Schulman, A., and Boneh, D. (2015, January 12\u201314). PowerSpy: Location Tracking using Mobile Device Power Analysis. Proceedings of the 24th USENIX Security Symposium, Washington, DC, USA."},{"key":"ref_26","unstructured":"Sun, Q., Simon, D., Wang, Y.M., Russell, W., Padmanabhan, V., and Qiu, L. (2002, January 12\u201315). Statistical identification of encrypted Web browsing traffic. Proceedings of the Security and Privacy, Berkeley, CA, USA."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Conti, M., Mancini, L.V., Spolaor, R., and Verde, N.V. (arXiv, 2014). Can\u2019t you hear me knocking: Identification of user actions on Android apps via traffic analysis, arXiv.","DOI":"10.1145\/2699026.2699119"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Bernaille, L., Teixeira, R., and Salamatian, K. (2006, January 4\u20137). Early Application Identification. Proceedings of the 2006 ACM CoNEXT Conference, Lisboa, Portugal.","DOI":"10.1145\/1368436.1368445"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Crotti, M., Gringoli, F., Pelosato, P., and Salgarelli, L. (2006, January 11\u201315). A statistical approach to IP-level classification of network traffic. Proceedings of the IEEE International Conference on Communications, Istanbul, Turkey.","DOI":"10.1109\/ICC.2006.254723"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1109\/TDSC.2005.26","article-title":"Remote physical device fingerprinting","volume":"2","author":"Kohno","year":"2005","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_31","unstructured":"Bissias, G.D., Liberatore, M., Jensen, D., and Levine, B.N. (June, January 30). Privacy Vulnerabilities in Encrypted HTTP Streams. Proceedings of the 5th International Conference on Privacy Enhancing Technologies, Cavtat, Croatia."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"340","DOI":"10.1016\/j.ins.2015.08.046","article-title":"Analysis-preserving protection of user privacy against information leakage of social-network Likes","volume":"328","author":"Buccafurri","year":"2016","journal-title":"Inf. Sci."},{"key":"ref_33","unstructured":"Kune, D.F., Koelndorfer, J., Hopper, N., and Kim, Y. (2012, January 5\u20138). Location leaks on the GSM Air Interface. Proceedings of the NDSS Symposium, San Diego, CA, USA."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/2\/13\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T14:53:12Z","timestamp":1760194392000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/2\/13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,1,31]]},"references-count":33,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2018,2]]}},"alternative-id":["fi10020013"],"URL":"https:\/\/doi.org\/10.3390\/fi10020013","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2018,1,31]]}}}