Research Article
On Reliability of JA3 Hashes for Fingerprinting Mobile Applications
@INPROCEEDINGS{10.1007/978-3-030-68734-2_1, author={Petr Matoušek and Ivana Burgetov\^{a} and Ondřej Ryšav\"{y} and Malombe Victor}, title={On Reliability of JA3 Hashes for Fingerprinting Mobile Applications}, proceedings={Digital Forensics and Cyber Crime. 11th EAI International Conference, ICDF2C 2020, Boston, MA, USA, October 15-16, 2020, Proceedings}, proceedings_a={ICDF2C}, year={2021}, month={2}, keywords={Mobile application TLS fingerprinting Network forensics JA3 hash Encrypted communication}, doi={10.1007/978-3-030-68734-2_1} }- Petr Matoušek
Ivana Burgetová
Ondřej Ryšavý
Malombe Victor
Year: 2021
On Reliability of JA3 Hashes for Fingerprinting Mobile Applications
ICDF2C
Springer
DOI: 10.1007/978-3-030-68734-2_1
Abstract
In recent years, mobile communication has become more secure due to TLS encapsulation. TLS enhances user security by encrypting transmitted data, on the other hand it limits network monitoring and data capturing which is important for digital forensics. When observing mobile traffic today most transmissions are encapsulated by TLS. Encrypted packets causes traditional methods to be obsolete for device fingerprinting that require visibility of protocol headers of HTTP, IMAP, SMTP, IM, etc. As a reaction to data encryption, new methods like TLS fingerprinting have been researched. These methods observe TLS parameters which are exchanged in an open form before the establishment of a secure channel. TLS parameters can be used for identification of a sending application. Nevertheless, with the constant evolution of TLS protocol suites, it is not easy to create a unique and stable TLS fingerprint for forensic purposes. This paper presents experiments with JA3 hashes on mobile apps. We focus especially on the stability, reliability and uniqueness of JA3 fingerprints for digital forensics.
