TLS Fingerprinting using JA3 for Android Application
Agarwal, Ashrika (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024091325095
Abstract
TLS (Transport Layer Security) fingerprinting has developed in response to increasing concerns about cybersecurity threats. A mechanism was needed to detect malicious activity in encrypted traffic between servers and clients without decrypting the data, and this resulted in the creation of the JA3 methodology. Previous studies have used statistical, mathematical, and intelligent computing techniques to analyse network traffic. This research focuses on examining the distinctiveness and identity of the client fingerprints that different applications generate across different Android releases.
JA3 is a free, open-source SSL/TLS (Secure Sockets Layer/Transport Layer Security) client fingerprinting method that can identify and categorize different classes of client applications by the unique features of their TLS/SSL packets. It works by inspecting the SSL/TLS handshake messages that a client and server exchange to establish an initial connection. JA3 can be used to detect when unusual or suspicious SSL/TLS clients are being used, which in turn suggests a possible security risk. This means that such clients are easily identifiable with JA3, which improves security in the network environment. While JA3 has generally proven to be quite efficient at detecting SSL/TLS client applications in all environments, it may be considered too broad for network security. During the first client-to-server connection, the initial SSL/TLS handshake message is captured, and the unique characteristics of the TLS/SSL packets are examined to distinguish multiple applications. This makes the TLS Client Hello packet and its fingerprint the most relevant data for this work. A series of widely used applications is assembled and executed on different versions of Android, and the packets they produce are sniffed. Finally, fingerprints are generated from these packets. The aim is to enable JA3 to be used as a tool to find potential security risks by discovering when strange or suspicious SSL/TLS client applications are used. This process will help organisations to understand their network traffic better and implement measures that anticipate potential security threats.
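The handshake inspection described in the abstract, shown as an added example that is not code from the thesis: a minimal JA3 computation over a Client Hello, following the published JA3 field order (version, cipher suites, extensions, elliptic curves, point formats, with GREASE values skipped and the resulting string hashed with MD5). The function names and the sample Client Hello bytes are constructed for illustration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random placeholders; JA3 skips them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def _u16_list(data):
    return [v for (v,) in struct.iter_unpack("!H", data) if v not in GREASE]

def ja3_from_client_hello(hello):
    """Return (ja3_string, md5_hex) for a ClientHello handshake message
    (record header already stripped, starting at the handshake type byte)."""
    if hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                    # handshake type + 3-byte length
    version = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 32                              # version + random
    pos += 1 + hello[pos]                      # session id
    n = struct.unpack_from("!H", hello, pos)[0]
    ciphers = _u16_list(hello[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + hello[pos]                      # compression methods
    exts, curves, formats = [], [], []
    if pos < len(hello):                       # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            body = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                    # supported_groups
                curves = _u16_list(body[2:])
            elif etype == 11:                  # ec_point_formats
                formats = list(body[1:])
    fields = [[version], ciphers, exts, curves, formats]
    ja3 = ",".join("-".join(map(str, f)) for f in fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_sample_hello():
    """Constructed ClientHello for this demo, not captured from any real app."""
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in [
        (0x0A0A, b""), (0, b"\x00\x0e\x00\x00\x0bexample.org"),
        (10, struct.pack("!4H", 6, 0x1A1A, 29, 23)), (11, b"\x01\x00")])
    ciphers = struct.pack("!4H", 0x2A2A, 0x1301, 0x1302, 0xC02B)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 8) + ciphers
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Calling `ja3_from_client_hello(build_sample_hello())` returns the comma-separated JA3 string together with its MD5 digest, which is the value compared between applications and Android versions.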