{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,26]],"date-time":"2026-01-26T05:27:38Z","timestamp":1769405258909,"version":"3.49.0"},"reference-count":0,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["PoPETs"],"abstract":"<jats:p>Cellular traffic fingerprinting attacks, in which an unprivileged adversary passively monitors encrypted wireless channels to infer user activities, introduce significant privacy risks by giving attackers the ability to track user behaviors, infer sensitive activities, and profile victims without authorization. Although such attacks have been discussed for LTE and 5G, many existing studies rely on idealized assumptions that fall short when faced with the complexities of real-world practical scenarios.\nIn this paper, we present the first practical traffic fingerprinting attack leveraging a Man-in-the-Middle (MITM) Relay in an operational cellular network. Implemented with open-source software, our attack allows a passive adversary to identify user applications with up to 99.02% accuracy, even under noisy conditions. We evaluate our method using 40 applications across five categories on multiple COTS user equipment (UE). Our approach further demonstrates the ability to infer fine-grained user activities such as browsing, messaging, and video streaming under practical constraints, including partial traffic knowledge and app version drift. The attack also achieves cross-device and cross-network transferability, and it remains robust in open-world scenarios where only a subset of application traffic is known to the adversary.\nWe additionally propose a novel traffic regularization-based defense tailored specifically for cellular networks. This defense operates as an optional, backward-compatible security layer integrated seamlessly into the existing cellular protocol stack, effectively balancing security strength with practical considerations such as latency and bandwidth overhead.<\/jats:p>","DOI":"10.56553\/popets-2026-0013","type":"journal-article","created":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T18:59:00Z","timestamp":1769367540000},"page":"242-256","source":"Crossref","is-referenced-by-count":0,"title":["What-App? App Usage Detection Using Encrypted LTE\/5G Traffic"],"prefix":"10.56553","volume":"2026","author":[{"given":"Jinjin","family":"Wang","sequence":"first","affiliation":[{"name":"University of Birmingham"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zishuai","family":"Cheng","sequence":"additional","affiliation":[{"name":"Beijing University of Posts and Telecommunications"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mihai","family":"Ordean","sequence":"additional","affiliation":[{"name":"University of Birmingham"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Baojiang","family":"Cui","sequence":"additional","affiliation":[{"name":"Beijing University of Posts and Telecommunications"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"35752","published-online":{"date-parts":[[2026,1]]},"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"deposited":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T18:59:04Z","timestamp":1769367544000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2026\/popets-2026-0013.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1]]}},"alternative-id":["10.56553\/popets-2026-0013"],"URL":"https:\/\/doi.org\/10.56553\/popets-2026-0013","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}