Profiling of Secure Chat and Calling Apps from
Encrypted Traffic
M.A.K.Sudozai, Shahzad Saleem
School of Electrical Engineering and Computer Science
National University of Sciences and Technology
Islamabad, Pakistan
{asad.khan,shahzad.saleem}@seecs.edu.pk
Abstract—Increased use of secure chat and voice/ video apps
has transformed the social life. While the benefits and facilitations
are seemingly limitless, so are the asscoiacted vulnerabilities
and threats. Besides ensuring confidentiality requirements for
common users, known facts of non-readable contents over the
network make these apps more attractive for criminals. Though
access to contents of cryptograhically secure sessions is not
possible, network forensics of secure apps can provide interesting
information which can be of great help during criminal invetiga-
tions. In this paper, we presented a novel framework of profiling
the secure chat and voice/ video calling apps which can be
employed to extract hidden patterns about the app, information
of involved parties, activities of chatting, voice/ video calls, status
indications and notifications while having no information of
communication protocol of the app and its security architecture.
Signatures of any secure app can be developed though our
framework and can become base of a large scale solution. Our
methodology is considered very important for different cases of
criminal investigations and bussiness intelligence solutions for
service provider networks. Our results are applicable to any
mobile platform of iOS, android and windows.
Index Terms—Confidentiality, cryptography, chat and voice/
video app, network forensic, iOS, android, windows.
I. I NTRODUCTION
T HE exponential use of secure chat and voice/ video call-
ing apps has emerged as an unprecedented phenomenon.
Remaining available anywhere, anytime and anyway through
smart phones and mobile devices has added new dimensions to
social lives [1]. The confidentiality requirements of users has
forced the designers of these apps to embed the strong security
architectures and proprietary communication protocols. Lately,
the concept of end-to-end encryption layers like Whatsapp [2]
has provided apparent confidence to users that even servers
have no visibility to the exchanged contents. The increasing
security strengths of social media apps seem very attractive
on one side however, their extensive usage by criminals have
raised serious concerns as well [3]. The level of criminal
investigations becomes complex when secure social media
apps are involved because access to actual contents is not
possible from the encrypted network traffic. This aspect has
attracted research community of forensics and information
security domains to carry out extensive study of secure social
media apps [4] and find out possible traces which can lead to
extract maximum information.
The study of secure social media apps can broadly be
categorized into two major dimensions, (i) study of on device
‹,(((
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at7HFKQRORJ\
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
stored contents (device forensics) [5] and (ii) study of network
traffic of these apps (network forensics) [6]. The study of
network traffic of these apps can further be classified into
two different perspectives, (i) to find vulnerabilities in the
security architecture of these apps (ii) by carrying out the
behaviour analysis of traffic, find out fixed patterns which
lead to draw useful information about the users and identify
different events. Breaking cryptographic primitives is indeed
a hard domain so as the underlying security protocols but
extensive studies of number of secure apps [7] have revealed
that quiet a useful information about the users and related
events can still be extracted from these apps.
In this paper, we presented a fundamental framework
comprising of number of techniques which can be used to
profile the social media apps from their encrypted contents
through extensive network traffic analysis. Our focus was
not to highlight the vulnerabilities of cryptographic primitives
used in different social media apps, rather we outlined the
combination of techniques which can characterize their unique
patterns based on which classification of different social media
apps can be made. Our results are based on study of traffic
behaviour of client server communications of secure apps
which are not public in almost all the cases. Profiling of
secure social media apps based on our methodology can be
of great help for investigations involving use of these apps by
criminals/ targets. The demonstration of our results has also
been carried out through minor events of Viber and IMO for
clarity of context.
The succeeding portion of this paper is organized as follows.
In Section II, we summarized the previous work done in
forensics analysis of secure chat and voice/ video calling apps.
Section III discusses the complexity of traffic analysis and its
classification techniques. Section IV discusses our proposed
methodology to profile the secure chat and voice/ video calling
apps. The paper is finally concluded in Section V.
II. R ELATED W ORK
With the advent of security in chat and calling apps, foresnic
community has given more focus to analyze the secure apps.
Besides the confidentiality for public, security of contents and
anonymity offered by these apps has always been exploited
by criminals. The reserach community therefore has given
consistent focus to analyze these secure apps and this field has
17:34:03 UTC from 
IEEE Xplore. Restrictions
,%&$67 apply.
 duly bridged the gaps between academia and law enforcement
agencies over a decade or so [8]. The digital forensics thus
became most important component of any crime investigation
in technological era [9], [10], [7]. For both the dimensions of
forensics, [4] presented the deep analysis for both scenarios
of device storage and network forensics of 20 famous social
media apps. For network analysis part, focus was on recon-
struction of traffic through that part of network traffic which is
observed as plain while encrypted traffic is discarded and not
analyzed. The analysis carried out in this paper was restricted
to Android only, however [11], [12] discussed the forensics
results of secure apps for Blackberry and iOS as well.
The focus of network forensics of secure apps is actu-
ally the exntensive traffic analysis of encrypted contents.
With no knowledge of communication protocol and security
architecture, useful information extraction has always been
challenging. A comprehensive account of traffic classification
and challenges which effect the correct identification of apps
and their events was summarized in [13]. Skype being the
leading secure app attained the most focus and number of
vulnerabilities were highlighted related to its protocol and
security architecture [14], [15]. Similarly, specific forensic
studies have been carried out on other individual secure apps
but device forensic hosting these apps was primarily the
focus and very little has been done on network forensics of
individual secure apps. [16] covered the ChatSecure, [17]
discussed the forensic study of WeChat and [18], [19], [20]
are few of the noteable accounts of studies carried out on
WhatsApp.
The techniques of network forensics of secure apps are
mostly limited to observed traffic over the network and classi-
fication is mostly done on the basis of tracking IP flows, TCP/
UDP ports, server and client port fixations while very little is
published on the behavioural analysis of Secure apps. [21],
[22] presented their results of Viber including the network
traffic analysis but their results are no more valid for securer
versions of Viber. Since 2015, Viber has undergone major
shift in its security architecture by incorporating Openwhisper
based strong cryptographic base [23]. Our recent work on net-
work forensics of Viber highlighted fixed patterns in encrypted
traffic which could lead to identify different events of Viber
including chat messages, voice/ video calls, notifications and
file sharing [24].
In this work, we presented a generic methodology of
profiling any secure chat and voice/ video calling app from
network traffic. Our focus was not to target vulnerabilities of
cryptographic functions, neither we discarded encrypted traffic
altogather. By intercepting the encrypted traffic flows between
servers and their secure app clients, we tried to draw possible
traces of correlation of different events through behavioural
analysis of SSL encapsulated packets. We consider our work
different from existing research on network forensic of secure
apps because we performed deep inspection of encrypted
traffic of number of secure apps and followed their flows in
a totally adaptive environment against the simulated events of
chat messages, voice calls, video calls, switch over between
voice and video, scenerios of file sharing and number of
notification messages.
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
Our methodology of traffic analysis is considered novel
because we presented the concept of stydying secure chat and
calling apps and their connectivity protocols in a controlled
environment by employing the hardware firewall to force the
client app to connect to its servers using all available options.
Hidden pattrens of communication protocols of number of
secure apps were explored which otherwise remain obscure in
normal connectivity scenerios. Though the exchanged contents
are encrypted over the network, identification of secure apps
and classification of their events is made through behaviour
analysis of encrypted packets. Based on our analysis of number
of secure chat and calling apps, a comprehensive framework
is proposed which can facilitate to identify user activities. Our
methodology can be applied to any OS of mobile platform and
coupled with research on IPv6 scanning [25], our techniques
of behavioural analysis of encrypted packets are considered
valid for IPv6 internet environment as well.
III. T RAFFIC C LASSIFICATION OF C HAT AND C ALLING
A PPS - A C OMPLEX PARADIGM
We discussed the ideology of traffic classification of secure
social media apps in this Section which is based on many un-
derlying factors. As the calling and instant messaging mobile
apps use variety of protocols for video, voice, chat and file
sharing services based on classical server client architecture,
study of different baseline protocols and their pecularities used
in mobile platforms is very essential to detect and classify the
apps from traffic analysis. The general understanding prevails
that services of server client communication, text chats and
file sharing are normally running on TCP and voice/ video
is provided on UDP. Within these major protocols, variety
of implementation flexibilities exist which make the traffic
behaviour of any calling/ chat social media app different from
others. To provide the services of voice, video and chat by any
social media VoIP app which incorporates the cryptographic
security, design of any app includes:
1) Text chat threads.
2) Voice call.
3) Video call.
4) Media file sharing requiring compression to reduce size.
5) Signalling.
6) Confidentiality and integrity.
7) Key establishment.
8) Update methodology.
9) Methodology for status indicators/ notifications.
10) User authentication mechanism.
11) Secure on-device storage.
For each of these items, number of options exist for designer
of chat and video/ voice apps which if considered during
the traffic analysis can be of advantage to characterize the
particular app and its behaviour. For instance, IMO chat is
using XMPP [26], [27], while Whatsapp is assumed to be
using customized XMPP protocol for chat texts. Decision
making for identification of the apps from network traffic
dumps would be based on different paremeters because of
XMPP and its customized implementation. Similarly Signal
[28] is using Google Cloud Messaging (GCM) [29] protocol

 but its usage with CopperheadOS [30] does not depend on
GCM. In these scenerios, traffic behaviour of Signal would be
entirely different for varying platforms.
To eleborate further, let us also analyze the case of voice
or video calling implementation scenerios. The most common
protocol being used is RTP with its secure version i.e. SRTP
as WhatsApp is using it for both voice and video calls.
However, implementation of this service may vary from design
to desig like Signal app is using LibJingle for P2P connectivity.
Another dimension, which adds complexity to traffic analysis
of chat and voice/ video call apps, is their desktop versions.
Variety of implementation options exist to achieve compata-
bility of desktop/ web versions with their mobile platform
versions. Skype, for example is using webRTC [31] which
facilitates web browsers to support voice and video chat and
peer-to-peer connections. Furthermore, baseline OS platforms
contribute a lot to impose peculiar limitations on the designers
of apps to follow particular set of rules of compatability.
During the study of number of secure chat and calling apps,
we observed that traffic flows of a particulat app on an Android
OS are quiet different to that of iOS and Windows platforms.
These multiple options of design implementations coupled
with non readable contents over the network (encrypted traffic)
make the traffic analysis of mesaging and calling apps a
challenging area. In next Section, a framework is presented
which if implemented in different combinations can extract
information of any secure app from network traffic without
knowing the details of hidden communication protocol and
layers of security architecture.
IV. P ROPOSED F RAMEWORK OF T RAFFIC C LASSIFICATION
OF C HAT / C ALLING A PPS
Information on the networks can be guarded through num-
ber of techniques. Generally, encryption is assumed to provide
both the desireables of obfuscation and confidentiality over
the internet. It is very important to notify that encryption
alone does not mean that something over the network is
undetectable or unidentifiable. As encryption mostly relies on
TLS or IPSEC over the internet, their detection is even possible
through commonly available traffic/ protocol analyzers like
Wireshark. Along with encryption, obfuscation measures are
widely employed to avoid identification and detection through
traffic analysis and to reduce the efficacy of simple pattern
recognition algorithms. In this scenerio of profiling secure
apps and extract maximum possible information from available
network traffic, let us list the extents of our problem domain
before we present our methodology:
1) The communication protocol of the target app is not
known.
2) Communication between the target app client to its
servers is encrypted.
3) The security architecture is not public.
4) Only access to overall network traffic is available.
5) Underlying platforms and used protocols are not known.
With these limitations in focus, we discuss the step wise
methodology of profiling a particular app. Our proposed
technique is outcome of extensive research which we carried
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
Fig. 1. Traffic Sniffing Setup
out on number of secure chat and calling mobile apps. The
methdology can be extended to any OS of mobile platform like
iOS, Android and windows or their securer variants and can be
used in different combinations to derive important results. Our
traffic analysis scenerio can be built in any small scale network
lab and based on these results, a deployable solution of
profiling secure social media apps can be developed to classify
the network traffic of intent. We tried to summarize our
findings in discrete steps; however analysis of any particular
app will require different combination of these techniques
applicable to the peculair design and traffic behaviour of the
app.
A. Setting up the Experimental Setup for Traffic Classification
We start with description of experimental setup which is first
brick in the foundation of traffic analysis. As we need to profile
a chat or calling secure app, our first requirement is to have an
access to the traffic originated from the mobile phone hosting
the client of the app. We establish the network as shown
in Figure 1. A wireless acccces point/router is connected to
the Layer 3 switch with internet connectivity terminated on
one of the ports as shown. The target mobile is connected
to the wireless router and a mirroring port of the switch is
configured to collect the entire traffic of the port to which the
wireless router was connected. The data of mirroring port is
then fed to our protocol analyzer module to analyze the traffic
of the mobile. Any commonly available traffic analyzer like
Wireshark can be used to sniff and analyze the traffic entering
in or exiting out from the mobile device. Traffic dumps must
be saved as pcap-files for detailed analysis during the study
for building correlations, where necessary.
B. Traffic Control Policy Implementation
After the successful traffic capturing, it is usually observed
that lot of traffic is originated from mobile device including
OS related backups, different updates, notifications etc. The
first step would be to identify the connections of target app
client to its servers. Initiation of sessions by opening and
closing/ stopping the app on mobile device and their sync with
packet captures through traffic analyzer can be correlated to
define connection estabishment with the target app servers.
One can generally trigger repeated events of messaging, voice
and video calls or file sharing to analyze the traffic captures
against these events but this would be a very basic level

 analysis. Normally, the designers of chat and calling apps keep
flexibilities of connectivity between servers and their clients
distributed geographically around the globe and number of
alternate mechanisms are embedded in their designs to ensure
obfuscation. For instance, a client establishing the connection
to its server may be observed to use 2 to 3 fixed TCP ports. It
is very likely that developers of app have kept more range of
TCP ports for server-client connectivity and their prioritization
is designed on few other parameters/ scenerios. Behaviour
analysis through traffic captures is always a very probabilistic
model and decision making may involve questionable ratio of
false positives.
After carrying out extensive study of secure apps, we
propose a noval technique of network forensics of secure apps
which is aimed to establish reliable model of decision making
through traffic analysis. To implement strict traffic control
policy for network forensic experimmental setup, a hardware
firewall as shown in Figure 1 ensures to analyze the traffic
in a purely controlled environment. Through controls on the
firewall, client to server connectivity and even peer to peer
scenerios can be forced to shift to alternates avilable in the
designs.
Now, we consider a case study of profiling Viber voice call
and demonstrate the usability of firewall in the traffic sniffing
environment for Viber app. Our initial captures of voice call
showed that Viber client established the connection to it’s
server on destination UDP port of 7985 as shown in Figure 2.
Fig. 2. Viber Connection on Server UDP port 7985
After observing repeated connections on UDP port 7985,
we imposed restrictions on UDP port 7985 through firewall.
This rule on firewall forced the viber server-client connectivity
mechanism to shift to alternate ports kept in the deisgn. We
observed that the Viber client established the connection with
its server on new destination UDP port of 7987 now as shown
in Figure 3. Through this method, we verified that viber
Fig. 3. Viber Connection on Server UDP port 7987
establishes the voice calls on UDP ports of 7985, 7987 , 5243
and 9785.
Step wise triggering the events like messaging, voice calls,
video calls, group activities and file sharing followed by
recording the progressive flow of observations can help to
define the firewall rule sets. The progressive flow of firewall
rule sets in relation to Viber traffic sniffing scenerio is outlined
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
in Table I for elaboration. This methodology forces the target
app to switch over to all possible designs of connectivity. Our
novel technique of using firewall in network forensic study
of secure apps has proven to be very useful method to reveal
hidden patterns of designs which are normally implemented
to bypass the network policy management.
C. Identification of Server Ranges
Any secure chat or calling app has to use SSL/ TLS
layer [32] to achieve intended requirements of security. A
secure app client is always designed to initiate connections
with its servers geographically located in that region or central
servers located in the host country. Triggering the events of
connections from target app to its servers, server ranges can
be determined. Using the firewall, subnets of server ranges can
be blocked to force the target app to try connnections on all
available options embedded in its design. Secure apps using
the cloud services can also be tested through this mechanism to
switch over to alternate options. During our research, number
of apps were observed which maintained parallel session with
their servers of different ranges while using any one of the
connection as primary. Determining the server ranges for any
app is thus fundamental step to profile a secure chat/calling
app.
Another important aspect in this case is that apps host
different servers for maintaining chat and voice/video services
separately and this may vary from app to app. This leads to
further analyze the traffic flows between client and different
servers and identify different patterns of services. Geograph-
ical location of analysis setup is also important to consider
while maintaining complete profile of few apps. For instance,
cluster of Viber servers is hetereoneously scattered around the
world and ranges may vary according to the locations [22].
Similarly, new design of Skype incorporates phenomenon of
shifting traffic loads from servers to few of the users declared
as super nodes which are having better bandwidth available
with them [33].
D. Identification of User IPs in Peer to Peer Scenerio
A very important finding of traffic analysis of chat and
calling apps is determination of involved parties through their
IPs. Knowing the server ranges of a particular app as discussed
in Section IV-C, one can identify one user atleast from tarffic
analysis activity. Let we re-consider the case study of profiling
Viber voice call as discussed in Section IV-B, it is evident
from Figure 2 that IP of one user is clearly identifiable. For
voice/ video calls, it was observed that multiple sessions are
attempted from server to client in parallel to get the traffic off-
loaded from servers. This feature seems logical for facilitating
real time processing, however P2P connections are attempted
depending upon few conditions of bandwidth capacity of the
client. This phenemenon is very common in many of the secure
chat and voice/ video calling apps. During the study of their
traffic dumps, IPs of both the calling and caller parties can be
identifed. This can be a very critical finding for any criminal
investigation where both the involved parties are identified.
For our case study of Viber voice call, Figure 4 demonstrates

 Step Protocol Source Port Dest Port Action Observation
I Any Any Any Any Server UDP port connections on 7985
II UDP 7985 Any Block
UDP Any 7985 Block UDP port connections on 7987
III UDP 7985, 7987 Any Block
UDP Any 7985, 7987 Block UDP port connection on 5243
IV UDP 7985, 7987, 5243 Any Block
UDP Any 7985, 7987,5243 Block UDP port connection on 9785
V UDP 7985, 7987, 5243, 9785 Any Block
UDP Any 7985, 7987, 5243, 9785 Block UDP connection failed

TABLE I
P ROGRESSIVE FIREWALL RULE SETS FOR V IBER

the multiple P2P connectins which were attempted by Viber

client.

Fig. 5. IMO - Connection on TCP port 5228

Fig. 4. Viber - P2P connection requests

F. Traffic Behaviour Analysis

E. Identification of Source and Destination Ports
Coupled with server ranges and user IPs, determining source
and destination TCP or UDP ports is very important. In some
scenerios of peer to peer connectivity, assigned ports to clients
do not change through out the established sessions and thus
become the base of analysis. Profiling secure chat/ calling
apps though server ranges and TCP/ UDP ports is known in
literature for years [34]. However, use of firewall to determine
all possible ports being used by an app is very innteresting
and brings new dimension of analysis. For instance, one may
declare through results of initial sessions that a secure chat app
is using XMPP (Extensible Messaging and Presence Protocol)
which communicates on standard TCP ports of 5222 and 5223
(XMPP over SSL) [35]. Blocking these ports on firewall will
highlight hidden design flexibilities which may become base
to draw more inferences about the obsfucation techniques
employed in the design of the app. Let we explain this fact
through one of the scenerio of our another case study in
which IMO Chat events were being profiled. Initially, it was
observed that IMO established connections on TCP ports of
5222 and 5223. Once we blocked these ports on firewall, study
of dumps of IMO client-server chat communication revealed
that IMO client app then switched over to TCP port of 5228
for establishing the connection with its servers as shown in
Figure 5.
Drilling in the flexibility of usable ports by a secure
app also facilitates to determine used protocols for diferent
services. However, the trend of protocol obfuscation by using
randomized ports has increased manifolds over the recent
years due to deployment of monitoring and blocking solutions
by government agencies. In this situation, randomized ports
used by secure chat and calling apps hinder their absolute
identification from network traffic. Therefore, profiling of such
secure apps requires deep inspection of traffic patterns being
exchanged between the servers and their clients.
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
Server ranges and source/ destination ports determined
through controlled policy enforcement managed via firewall
easily segregate the traffic of target app from network traffic.
Next step is to identify different events of user activities of
chat, call and file sharing. Moreover, trend of status sharing
and different notifications is also very common in almost all
the chat and calling apps. However, identification of all these
events from network traffic is very difficult in a scenerio when
all the contents are encrypted and detail of communication
protocol and security architecture are not known. Extensive
behaviour analysis conducted on traffic dumps of chat, calling
and notification events etc. can help to identify these events.
Before the study of traffic dumps against the events, it is
important to list possible events which are applicable to most
of the secure chat and voice/calling apps. For clarity of context,
we list few of the possible events against which traffic must
be captured and analyzed to profile a secure chat and calling
app.
1) User opens up the app.
2) User opens up the chat thread.
3) User starts writing and indication is appeared on chat
screen of other user.
4) User is shown off-line/ online.
5) User A sends the message to user B.
6) User B reads the message.
7) Message is transmitted by User A but User B is off-line.
8) Message is delivered to User B who did not read it.
9) In some apps, self destruction mechanism is imple-
mented according to set time. In this case, messages
are exchanged for self destruction actions.
10) Call initiated from User A.
11) Call initiated from User B.
12) Group messaging scenerios.
13) Voice calls.
14) Video calls.
15) Voice call is converted to video call and vise-versa.

 Fig. 6. Framework of profiling secure chat/ calling app

16) File sharing scenerio of different sizes, for example
images of different sizes, voice and video transmissions.
17) User closes the app.
After listing the possible events against different services
offered by secure chat and voice/ video calling apps, one must
trigger each of the event in a controlled setup as described
in Section IV-B and analyze the traffic behaviour. To carry
out this extensive work of deep traffic analysis and point out
fixed patterns, many techniques are applied as a standalone
or in combination with others depending upon the observed
patterns of the target app. Starting with observing the general
patterns of traffic flows, increased reliability and accuracy can
be achieved by carrying out behaviour analysis of exchanged
bytes in consonance to triggered events. Based on our research
on number of secure chat and voice/ video calling apps, few of
the techniques are listed which can be employed in number of
different combinations depending upon the designs of target
apps:
1) Inspection of byte patterns is carried out by repeating
the forced events in a firewalled controlled scenerio.
2) Frequency of bytes exchanged for different events.
3) Acks and responses between server and client.
4) Payload sizes for different services and their uniqueness
with respect to different events.
5) Tracking/ monitoring the state changes within control
and data traffic for different triggered events to extract
useful information which can leas to correct identifica-
tion of a particular event.
6) Duration of voice and video calls vs bytes being ex-
changed with their sizes and frequency measurements.
7) Byte patterns during the events of shifting from voice
to video or vise-versa and typing and sending the text
during the call.
8) Counts of events for each triggered service.
9) Following the flows of traffic through protocol analyzers
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
from server to client and from client to server for
different events. The fixed ports, if maintained during the
sessions, can be utilized to extract reliable information
through filtering the traffic flows.
The complete framework of profiling a secure chat/ calling
mobile app is depicted in a flow diagram as shown in Figure 6.
Starting from traffic capture after accessing the app, deter-
mining server ranges is done through employment of strict
policy control mechanism. This is then followed by source
and destination ports identification for chat and call events
again in a adaptive firewall environment. Analysis of peer to
peer connections and their used ports can lead to information
about the caller and calling parties. Finally, the number of
events of chat and calling services including their notifications
can be profiled by carrying out the extensive traffic behaviour
analysis.
Let we correlate the typical case scenerio of WhatsApp
with our framework of profiling it while the app provides end
to end encryption features over the network. Based on our
methodolgy, detection of WhatsApp traffic over the network
is possible due to step-wise determination of WhatsApp server
ranges, identification of IPs of possible cases of P2P and
finding out the UDP ports used during the voice/ video
calls. Further classification of activities of a WhatsApp user
can be established through intense behaviour analysis of
encrypted traffic. Against the possible events of WhatsApp
like chat, voice messages, voice calls, video calls, media and
file sharings, user status notifications including online and
last seen, message delivered and message read, group mes-
sages and their status, message deletion activities and location
sharing, complete signatures of WhatsApp can be developed.
Comprehensive account of our results on profiling WhatsApp
and IMO calling and chat applications are being published
separately. However, partial demonstration of application of
these techniques without the context of control policy enforced

 by firewall can be found in [24].
As each app has its peculiar design and underlying platform
with varied protocols used, the proposed methodology can be
employed to develop large scale solution to identify the events
and their respective apps on variety of network monitoring
scenerios. Moreover, solutions of bussiness intelligence can
also utilize our methodology to get hueristics of different apps
and improve the efficiency of their deployed solutions in terms
of network performance and optimizations.
V. C ONCLUSION
In this paper, we presented a framework of profiling the
secure chat and calling apps from encrypted contents which is
considered a facet of network forensics. Our methodology of
employing firewall in traffic sniffing and analysis applications
conducts different experiments in a controlled environment
and forces the client of target app to try all options of
connectivity with its servers. In this way, one can identify the
hidden patterns of communication protocol and extract useful
information about users and their activities. Starting from
correct detection of target app from encrypted network traffic,
our results of traffic behaviour classify different activities of
the users like messaging, stauts identifications, notifications,
file sharing ,voice and video calls. It is important to note
that our proposed techniques may be used in any combination
depending upon the design of the target app and its security
architecture. Solutions at large scale can be developed to
embed signatures of different apps and can be utilized in
criminal investigations and bussiness itelligence solutions for
networks. It is important to note that our methodology is
not only applicable to chat and voice/ video calling apps but
can be generalized to other social media applications with
slight variations for any mobile platform of Android, iOS and
windows.
R EFERENCES
[1] T. Barot and E. Oren, “Guide to chat apps,” Tow Center for Digital
Journalism, 2015.
[2] M. S. Melara, A. Blankstein, J. Bonneau, E. W. Felten, and M. J.
Freedman, “Coniks: Bringing key transparency to end users.” in USENIX
Security Symposium, 2015, pp. 383–398.
[3] T. B. Tan, “Rebalancing encrypted messaging apps,” 2016.
[4] D. Walnycky, I. Baggili, A. Marrington, J. Moore, and F. Breitinger,
“Network and device forensic analysis of android social-messaging
applications,” Digital Investigation, vol. 14, pp. S77–S84, 2015.
[5] F. Norouzizadeh Dezfouli, A. Dehghantanha, B. Eterovic-Soric, and K.-
K. R. Choo, “Investigating social networking applications on smart-
phones detecting facebook, twitter, linkedin and google+ artefacts on
android and ios platforms,” Australian journal of forensic sciences,
vol. 48, no. 4, pp. 469–488, 2016.
[6] T. V. Lillard, Digital forensics for network, Internet, and cloud comput-
ing: a forensic evidence guide for moving targets and data. Syngress
Publishing, 2010.
[7] J. Brunty, L. Miller, and K. Helenek, Social media investigation for law
enforcement. Routledge, 2014.
[8] R. W. Taylor, E. J. Fritsch, and J. Liederbach, Digital crime and digital
terrorism. Prentice Hall Press, 2014.
[9] K. C. Seigfried-Spellar and S. C. Leshney, “The intersection between so-
cial media, crime, and digital forensics:# whodunit?” Digital Forensics:
Threatscape and Best Practices, p. 59, 2015.
[10] M. Huber, M. Mulazzani, M. Leithner, S. Schrittwieser, G. Wondracek,
and E. Weippl, “Social snapshots: Digital forensics for online social
networks,” in Proceedings of the 27th annual computer security appli-
cations conference. ACM, 2011, pp. 113–122.
3URFHHGLQJVRIWK,QWHUQDWLRQDO%KXUEDQ&RQIHUHQFHRQ$SSOLHG6FLHQFHV 7HFKQRORJ\ ,%&$67 
Authorized licensed use limited to: ULAKBIM-UASL - Abant Izzet Baysal Univ Library. Downloaded on November 18,2023 at 17:34:03 UTC from IEEE Xplore. Restrictions apply.
,VODPDEDG3DNLVWDQWK±WK-DQXDU\
[11] N. Al Mutawa, I. Baggili, and A. Marrington, “Forensic analysis of
social networking applications on mobile devices,” Digital Investigation,
vol. 9, pp. S24–S33, 2012.
[12] Y.-C. Tso, S.-J. Wang, C.-T. Huang, and W.-J. Wang, “iphone social
networking for evidence investigations using itunes forensics,” in Pro-
ceedings of the 6th International Conference on Ubiquitous Information
Management and Communication. ACM, 2012, p. 62.
[13] A. Dainotti, A. Pescape, and K. C. Claffy, “Issues and future directions
in traffic classification,” IEEE network, vol. 26, no. 1, pp. 35–40, 2012.
[14] B. Dupasquier, S. Burschka, K. McLaughlin, and S. Sezer, “Analysis of
information leakage from encrypted skype conversations,” International
Journal of Information Security, vol. 9, no. 5, pp. 313–325, 2010.
[15] S. Molnár and M. Perényi, “On the identification and analysis of skype
traffic,” International Journal of communication systems, vol. 24, no. 1,
pp. 94–117, 2011.
[16] C. Anglano, M. Canonico, and M. Guazzone, “Forensic analysis of
the chatsecure instant messaging application on android smartphones,”
Digital Investigation, vol. 19, pp. 44–59, 2016.
[17] S. Wu, Y. Zhang, X. Wang, X. Xiong, and L. Du, “Forensic analysis of
wechat on android smartphones,” Digital Investigation, vol. 21, pp. 3 –
10, 2017.
[18] C. Anglano, “Forensic analysis of whatsapp messenger on android
smartphones,” Digital Investigation, vol. 11, no. 3, pp. 201–213, 2014.
[19] F. Karpisek, I. Baggili, and F. Breitinger, “Whatsapp network forensics:
Decrypting and understanding the whatsapp call signaling messages,”
Digital Investigation, vol. 15, pp. 110–118, 2015.
[20] A. Majeed, H. Zia, R. Imran, and S. Saleem, “Forensic analysis of three
social media apps in windows 10,” in High-Capacity Optical Networks
and Enabling/Emerging Technologies (HONET), 2015 12th International
Conference on. IEEE, 2015, pp. 1–5.
[21] M. Appelman, J. Bosma, and G. Veerman, “Viber communication
security,” System and network of engineering, university of Amsterdam,
Netherlands, 2011.
[22] R. Marik, P. Bezpalec, J. Kucerak, and L. Kencl, “Revealing viber
communication patterns to assess protocol vulnerability,” in 2015 In-
ternational Conference on Computing and Network Communications
(CoCoNet). IEEE, 2015, pp. 496–504.
[23] I. Rakuten, “Viber Encryption Overview,”
http://www.viber.com/en/security-overview, 1997 (accessed 30-August-
2016).
[24] M. Sudozai, N. Habib, S. Saleem, and A. Khan, “Signatures of viber
security traffic,” Journal of Digital Forensics, Security and Law, vol. 12,
no. 2, p. 11, 2017.
[25] O. Gasser, Q. Scheitle, S. Gebhard, and G. Carle, “Scanning
the ipv6 internet: towards a comprehensive hitlist,” arXiv preprint
arXiv:1607.05179, 2016.
[26] P. Saint-Andre, K. Smith, and R. Tronçon, XMPP: the definitive guide.
” O’Reilly Media, Inc.”, 2009.
[27] A. Hornsby and R. Walsh, “From instant messaging to cloud computing,
an xmpp review,” in Consumer Electronics (ISCE), 2010 IEEE 14th
International Symposium on. IEEE, 2010, pp. 1–6.
[28] K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, “A
formal security analysis of the signal messaging protocol,” in Security
and Privacy (EuroS&P), 2017 IEEE European Symposium on. IEEE,
2017, pp. 451–466.
[29] Y. S. Yilmaz, B. I. Aydin, and M. Demirbas, “Google cloud messaging
(gcm): An evaluation,” in Global Communications Conference (GLOBE-
COM), 2014 IEEE. IEEE, 2014, pp. 2807–2812.
[30] Y. Yang, J. Zhang, and T. Wang, “How to make android updating
securer?: A new android updating model,” in Proceedings of the 2016
International Conference on Communication and Information Systems.
ACM, 2016, pp. 69–72.
[31] C. Vogt, M. J. Werner, and T. C. Schmidt, “Leveraging webrtc for p2p
content distribution in web browsers,” in Network Protocols (ICNP),
2013 21st IEEE International Conference on. IEEE, 2013, pp. 1–2.
[32] E. Rescorla, SSL and TLS: designing and building secure systems.
Addison-Wesley Reading, 2001, vol. 1.
[33] S. C. Landers and M. D. Doyle, “Automated communications response
system,” Aug. 4 2015, uS Patent 9,100,465.
[34] A. Callado, C. Kamienski, G. Szabó, B. P. Gero, J. Kelner, S. Fernan-
des, and D. Sadok, “A survey on internet traffic identification,” IEEE
communications surveys & tutorials, vol. 11, no. 3, 2009.
[35] GitHub, “XMPP — Instant Messaging,” https://xmpp.org/uses/instant-
messaging.html, 2017 [accessed 3-june-2017].