Hao Pan,Lanqing Yang,Honglu Li,Chuang-Wen You,Xiaoyu Ji,Yi-Chao Chen,Zhenxian Hu,Guangtao Xue

DOI: https://doi.org/10.1109/secon52354.2021.9491601

2021-01-01

Abstract:Various characteristics of mobile applications (apps) and associated in-app services have been used reveal potentially-sensitive user information; however, privacy concerns have prompted third-party apps to rigorously restrict access to data related to mobile app usage. This paper outlines a novel approach to the extraction of detailed app usage information based on analysis of the electromagnetic (EM) signals emitted from mobile devices when executing app-related tasks. Note that this type of EM leakage becomes high-complex when multiple apps are used simultaneously and is subject to interference from geomagnetic signals generated by device movement. This paper proposes a deep learning-based multi-label classification system to identify apps and in-app services based on magnetometer readings. The proposed MAGTHIEF system uses accelerometer and gyroscope data to cancel out the offset in geomagnetic signals followed by an elaborate deep region convolution neural network (DRCNN) to differentiate among multiple apps and the corresponding inapp services. Experiments on 50 apps demonstrated the efficacy of MAGTHIEF in identifying multiple apps and in-app services, achieving high average macro F1 scores of 0.87 and 0.95, respectively. MAGTHIEF also achieved time duration accuracy of 89.5% in recognizing app trajectory in the real-world scene.

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Jian Xu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00039

2019-01-01

Abstract:The emergence of information theft apps poses a serious threat to smartphone users. Most of information theft apps rely on network interfaces to steal users' privacy and use short message service (SMS) to implement command and control. In this paper, we propose an available and effective user-role identification model, MURITE-detector (Mobile User-Role in Information Theft Events detector), by using network flows and call detail records (CDRs) with convolutional neural network (CNN) algorithm. Firstly, we generate network flow vectors and CDR vectors from raw data sets, and then match them into node vectors. Subsequently, we use CNN to classify user-roles into: Sourcer, Transferer, Victim and Other. Because of command-and-control server invalidation and system version incompatibility, etc., most of the collected information theft apps can't run properly in reality. So we extract code modules from some of these apps, and then recode and compile them into ITM-capsule (Information Theft Modules capsule) to generate information theft network traffic. Finally, we obtain 37,384 information theft network flows, 61,635 benign network flows and 200,522 short message CDRs. We match these data through labels and construct two node vector sets A and B randomly. In addition, we also compare CNN with other machine learning algorithms, and the result shows that CNN performs better. In an evaluation of MURITE-detector, it gets an accuracy of 92.17%, a precision of 93.18% and a recall of 94.68%. Therefore, our model is suitable for identifying user-role in mobile network information theft events.

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Yafei Sang

DOI: https://doi.org/10.1109/nas.2017.8026853

2017-01-01

Abstract:With the widespread use of smartphones, more and more malicious attacks happen with information leakage from apps installed on users' devices. The adversary always uses a malware as the client to take remote control of smartphones, and leverages the vulnerability of operation systems to send back the collected information without users' permissions. All the information has to be transferred by network traffic. In this paper, we consider that different apps maybe generate different network flows by different operations, and the "shapes" of the benign flows and malicious ones will be diverse. Thus we propose a detection model based on the analysis of relationships between behavior patterns and network flows, which achieves our goal by using the Random Forest machine learning algorithm to classify the network flows into benign or malicious. To further improve the controllability of the experiment, we design an app called Moledroid to simulate malwares by uploading the user's privacy without authorization, in addition, we can change the behavior pattern of the app to complete our evaluation. Finally, we run this app and several benign apps to generate traffic to detect the malicious network flows, and it shows that our detection model can achieve precision and accuracy higher than 95%, which demonstrates that our model is suitable for detecting the network flows of information theft.

Rui Ning,Cong Wang,ChunSheng Xin,Jiang Li,Hongyi Wu

DOI: https://doi.org/10.1016/j.pmcj.2019.101106

IF: 3.848

2020-01-01

Pervasive and Mobile Computing

Abstract:In this paper, we report a newfound vulnerability on smartphones due to the malicious use of unsupervised sensor data. We demonstrate that an attacker can train deep Convolutional Neural Networks (CNN) by using magnetometer or orientation data to effectively infer the Apps and their usage information on a smartphone with an accuracy of over 80%. Furthermore, we show that such attacks can become even worse if sophisticated attackers exploit motion sensors to cluster the magnetometer or orientation data, improving the accuracy to as high as 98%. To mitigate such attacks, we propose a noise injection scheme that can effectively reduce the App sniffing accuracy to only 15% and at the same time has negligible effect on benign Apps.

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Xin Wang,Shuhui Chen,Jinshu Su

DOI: https://doi.org/10.1109/access.2020.3029190

IF: 3.9

2020-01-01

IEEE Access

Abstract:The proliferation of handheld devices has led to an explosive growth of mobile traffic volumes on the Internet. Identifying mobile apps from network traffic has become a crucial task for mobile network management and security. Traditionally, the design of accurate identifiers relies on the deep packet inspection (DPI) techniques. However, such approaches have become less effective with the raising adoption of encrypted protocols in mobile applications (mostly TLS). To address the problem, various machine learning methods have been studied and used. Most of them use linear classifiers on top of hand-engineered features, which are unreliable due to the complexity of mobile traffic. In this article we propose App-Net, an end-to-end hybrid neural network for mobile app identification from encrypted TLS traffic. App-Net is designed by combining RNN and CNN in a parallel way and can automatically learn effective features from raw TLS flows. With coordinated fusion and optimized training, the hybrid and multimodal architecture is able to characterize both flow sequence patterns and app signatures to learn a joint flow-app embedding. We evaluate App-Net on a real-world dataset covering 80 apps. The results show that our method can achieve an excellent performance and outperform the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chong Xiang,Qingrong Chen,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1109/GLOCOM.2018.8647508

2018-01-01

Abstract:As smart phones gradually become the dominant network traffic generators, app traffic analysis methods have gained great interests for network management and targeted advertisement. Specifically, previous works have shown that the scalability of app inference via traffic meta-data has the edge over traditional payload based analysis. However, such works mainly considered the ideal inference scenario where only one app is running on the client's device, without any background traffic noise interfered. In this paper, we extend the research to a more practical scenario, by assuming that multiple apps simultaneously run on a smart phone in the noisy background with complex traffic generated by the operating system. To that end, we propose APPCLASSIFIER, an Android app fingerprinting scheme for real-time app inference. We first leverage the observed differences in packet size distributions and traffic sequential behaviors to boost inference accuracy for noise-free traffic analysis. We then propose novel heuristic based methods to re-correct mislabeled traffic flows to realize real-time traffic inference. As a result, APPCLASSIFIER achieves inference accuracy of 823% for noise-free traffic analysis and reduces error rate from 66.7% to 36.4% for real-time traffic inference.

Shuang Zhao,Shuhui Chen,Ziling Wei

DOI: https://doi.org/10.48550/arXiv.2112.12346

2021-12-23

Abstract:With the popularity of smartphones, mobile applications (apps) have penetrated the daily life of people. Although apps provide rich functionalities, they also access a large amount of personal information simultaneously. As a result, privacy concerns are raised. To understand what personal information the apps collect, many solutions are presented to detect privacy leaks in apps. Recently, the traffic monitoring-based privacy leak detection method has shown promising performance and strong scalability. However, it still has some shortcomings. Firstly, it suffers from detecting the leakage of personal information with obfuscation. Secondly, it cannot discover the privacy leaks of undefined type. Aiming at solving the above problems, a new personal information detection method based on traffic monitoring is proposed in this paper. In this paper, statistical features of personal information are designed to depict the occurrence patterns of personal information in the traffic, including local patterns and global patterns. Then a detector is trained based on machine learning algorithms to discover potential personal information with similar patterns. Since the statistical features are independent of the value and type of personal information, the trained detector is capable of identifying various types of privacy leaks and obfuscated privacy leaks. As far as we know, this is the first work that detects personal information based on statistical features. Finally, the experimental results show that the proposed method could achieve better performance than the state-of-the-art.

Cryptography and Security,Machine Learning

Ziqiang Yan,Ming Fan,Yin Wang,Jifei Shi,Haoran Wang,Ting Liu

DOI: https://doi.org/10.1145/3605762.3624429

2023-01-01

Abstract:In recent years, the rise of miniapps, lightweight applications based on WebView, has become a prominent trend in mobile app development. This trend has rapidly expanded on popular social platforms like WeChat, TikTok, Grab, and even Snapchat. In these miniapps, user data is pivotal for providing personalized services and improving user experience. However, there are still shortcomings in identifying the source of sensitive data in miniapps. This paper introduces MUID, an innovative method for detecting user input data in miniapps. MUID integrates an engine that can dynamically test miniapps to overcome the challenges in WebView page extraction, uses a hybrid analysis approach to identify sensitive components, and infers the type of information collected based on contextual hint words. In the evaluation of MUID across 30 popular miniapps randomly selected on WeChat, we demonstrated its high dynamic testing efficiency and its capability to recognize components with a recall rate of 95.74% and a precision rate of 81.32%. The overall precision of MUID is 78.31%, and the recall rate is 92.19%, demonstrating the effectiveness of MUID in conducting security and privacy analyses.

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Gaofeng He,Bingfeng Xu,Lu Zhang,Haiting Zhu

DOI: https://doi.org/10.1177/1550147718817292

IF: 1.938

2018-12-01

International Journal of Distributed Sensor Networks

Abstract:Mobile application (simply “app”) identification at a per-flow granularity is vital for traffic engineering, network management, and security practices. However, uncertainty is caused by a growing fraction of encrypted traffic such as Hypertext Transfer Protocol Secure. To address this challenge, we have carefully analyzed mobile app traffic (mainly including Domain Name System, Hypertext Transfer Protocol, and encrypted traffic such as Secure Sockets Layer and Transport Layer Security) and observed that (1) the sets of server hostnames queried by different apps are distinguishable; (2) mobile apps may query multiple server hostnames simultaneously, that is, apps may send several Domain Name System lookups within a short time interval; and (3) the encrypted traffic may be similar to various other network flows generated by the same app. Based on these three observations, in this article, we propose a novel app identification methodology for encrypted network flows. To be specific, temporal, lexical, and metadata similarity are investigated to select correlated traffic and information retrieving techniques are adopted to identify apps. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 95%, and the proposed methods have low storage requirements as well as fast training speeds.

computer science, information systems,telecommunications

Che Li,Yue Zhou,Shuang Li,Yaru Deng,Meng Zhang,Kanghui Wang

DOI: https://doi.org/10.1109/ICIS51600.2021.9516873

2021-06-23

Abstract:Privacy protection is a vital part of information security. However, the excessive collections and uses of personal information have intensified in the area of mobile apps (applications). To comprehend the current situation of APP personal information security problem of APP, this paper uses a combined approach of static analysis technology, dynamic analysis technology, and manual review to detect and analyze the installed file of mobile apps. 40 mobile apps are detected as experimental samples. The results demonstrate that this combined approach can effectively detect various issues of personal information security problem in mobile apps. Statistics analysis of the experimental results demonstrate that mobile apps have outstanding problems in some aspects of personal information security such as privacy policy, permission application, information collection, data storage, etc.

Computer Science

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Yiguo Pu,Xiaojun Chen,Xu Cui,Jinqiao Shi,Li Guo,Cheng Qi

DOI: https://doi.org/10.1016/j.procs.2013.05.106

2013-01-01

Procedia Computer Science

Abstract:It is well known that data loss caused by data stolen Trojans is huge as it could upload privacy or secret data to hackers who controls it remotely. Most of current security tools monitor Trojans by scanning the signature code that is distinguished from normal software. However, this method can only recognize known Trojan except up-to-date malicious software that has unknown signature code. Some other security tools requiring preinstalled on hosts detects Trojans by program behaviors. This paper proposes a novel medel to detect data stolen Trojans based on their network behaviors. It consists of three detectors: 1) keep-alive detector detects keep-alive packets or connections; 2) master-slave-connection detector tries to find master and slave connections and 3) mistake detector analyses the rate of download vs. upload and connection time for different protocol. The experiments show that this method is efficient in recognizing data stolen Trojans. This protyped system proves the possibility of detection Trojans from network. (C) 2013 The Authors. Published by Elsevier B.V.

Ding Li,Wenzhong Li,Xiaoliang Wang,Cam-Tu Nguyen,Sanglu Lu

DOI: https://doi.org/10.1016/j.comnet.2020.107372

IF: 5.493

2020-01-01

Computer Networks

Abstract:Despite the increasing popularity of mobile applications and the widespread adoption of encryption techniques, mobile devices are still susceptible to security and privacy risks. In this paper, we propose ActiveTracker, a new type of sniffing attack that can reveal the fine-grained trajectory of userâs mobile app usage from a sniffed encrypted Internet traffic stream. It firstly adopts a sliding window based approach to divide the encrypted traffic stream into a sequence of segments corresponding to different app activities. Then each traffic segment is represented by a normalized temporal-spacial traffic matrix and a traffic spectrum vector. Based on the normalized representation, a deep neural network (DNN) model which consists of an app filter and an activity classifier is developed to extract comprehensive features from the input and uncover the crucial app usage trajectory conducted by the user. By extensive experiments on real-world app usage traffic collected from volunteers and on our synthetic traffic data, we show that the proposed approach achieves up to 79.65% accuracy in recognizing app trajectory over encrypted traffic streams.

Cheng Zhenyu,Yun Xiaochun,Li Shuhao,Geng Jinbu,Qin Rui,Fan Li

DOI: https://doi.org/10.1007/978-3-031-08751-6_25

2022-01-01

Abstract:The emergence of information theft poses a serious threat to mobile users. Short message service (SMS), as a mainstream communication medium, is usually used by attackers to implement propagation, command and control. The previous detection works are based on the local perspective of terminals, and it is difficult to find all the victims and covert attackers for a theft event. In order to address this problem, we propose DITA-NCG, a method that globally detects information theft attacks based on node communication graph (NCG). The communication behavior of a NCG's node is expressed by both call detail record (CDR) vectors and network flow vectors. Firstly, we use CDR vectors to implement social subgraph division and find suspicious subgraphs with SMS information entropy. Secondly, we use network flow vectors to distinguish information theft attack graphs from suspicious subgraphs, which help us to identify information theft attack. Finally, we evaluate DITA-NCG by using real world network flows and CDRs , and the result shows that DITA-NCG can effectively and globally detect information theft attack in mobile network.

Junming Liu,Yanjie Fu,Jingci Ming,Yong Ren,Leilei Sun,Hui Xiong

DOI: https://doi.org/10.1145/3097983.3098049

2017-01-01

Abstract:The mobile in-App service analysis, aiming at classifying mobile internet traffic into different types of service usages, has become a challenging and emergent task for mobile service providers due to the increasing adoption of secure protocols for in-App services. While some efforts have been made for the classification of mobile internet traffic, existing methods rely on complex feature construction and large storage cache, which lead to low processing speed, and thus not practical for online real-time scenarios. To this end, we develop an iterative analyzer for classifying encrypted mobile traffic in a real-time way. Specifically, we first select an optimal set of most discriminative features from raw features extracted from traffic packet sequences by a novel M aximizing I nner activity similarity and M inimizing D ifferent activity similarity (MIMD) measurement. To develop the online analyzer, we first represent a traffic flow with a series of time windows, which are described by the optimal feature vector and are updated iteratively at the packet level. Instead of extracting feature elements from a series of raw traffic packets, our feature elements are updated when a new traffic packet is observed and the storage of raw traffic packets is not required. The time windows generated from the same service usage activity are grouped by our proposed method, namely, recursive time continuity constrained KMeans clustering (rCKC). The feature vectors of cluster centers are then fed into a random forest classifier to identify corresponding service usages. Finally, we provide extensive experiments on real-world Internet traffic data from Wechat, Whatsapp, and Facebook to demonstrate the effectiveness and efficiency of our approach. The results show that the proposed analyzer provides high accuracy in real-world scenarios, and has low storage cache requirement as well as fast processing speed.

Jianfeng Li,Zheng Lin,Jian Qu,Shuohan Wu,Hao Zhou,Yangyang Liu,Xiaobo Ma,Ting Wang,Xiapu Luo,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2024.3448621

2024-01-01

Abstract:Mobile apps have significantly transformed various aspects of modern life, leading to growing concerns about privacy risks. Despite widespread encrypted communication, app fingerprinting (AF) attacks threaten user privacy substantially. However, existing AF attacks, when targeted at wireless traffic, face four fundamental challenges, namely 1) sample inseparability; 2) app multiplexing; 3) signal attenuation; and 4) open-world recognition. In this paper, we advance a novel AF attack, dubbed, to recognize app user activities over the air in an open-world setting. We introduce two novel models, i.e., sequential XGBoost and hierarchical bag-of-words model, to tackle sample inseparability and enhance robustness against noise packets arising from app multiplexing. We also propose the environment-aware model enhancement to bolster ’s robustness in handling packet loss at the sniffer caused by signal attenuation. We conduct extensive experiments to evaluate the proposed attack in a series of challenging scenarios, including 1) open-world setting; 2) simultaneous use of different apps; 3) severe packet loss at the sniffer; and 4) cross-dataset recognition. The experimental results show that can accurately recognize app user activities. It achieves the average F1-score 0.947 for open-world app recognition and the average F1-score 0.959 for in-app user action recognition.