Bridging Devices and Apps: A Joint Analysis of IoT Privacy and Communication
Carlotta Tagliaro, Martina Komsic, Gianluca Anselmi, Anna Maria Mandalari, and Martina Lindorfer
Publication details and DOI will be added after publication.
This repository contains the analysis pipeline used to study the network behavior and privacy implications of consumer IoT devices and their Android companion apps.
The study compares app-side and device-side communication under matched user interactions and two network settings:
- WAN: the phone and IoT device are connected to different networks, emulating remote control;
- LAN: the phone and IoT device are connected to the same local network.
The analysis focuses on:
- differences between app-generated and device-generated traffic;
- changes in communication when local connectivity is available;
- contacted endpoints, countries, cloud providers, ports, and protocols;
- tracking and analytics communication;
- local communication;
- personal and device-associated identifiers visible in analyzable app traffic;
- consistency between observed traffic, privacy policies, and vendor data-access responses.
Device-vs-App-Analysis/
├── README.md
├── LICENSE
├── CITATION.cff
├── SECURITY.md
├── DATA_AVAILABILITY.md
├── requirements.txt
├── .gitignore
├── config/
│ ├── device_name_map.json
│ └── .env.example
├── scripts/
│ ├── collection/
│ ├── preprocessing/
│ ├── enrichment/
│ │ ├── dns/
│ │ ├── endpoints/
│ │ └── providers/
│ ├── analysis/
│ │ ├── categories/
│ │ ├── country/
│ │ ├── endpoints/
│ │ ├── local_communication/
│ │ ├── privacy/
│ │ ├── protocols/
│ │ ├── providers/
│ │ └── tracking/
│ └── plotting/
│   ├── local_communication/
│   └── tracking/
├── data/
│ ├── reference/
│ ├── processed/
│ └── results/
├── figures/
├── docs/
└── legacy/
- scripts/collection/ contains experiment orchestration and packet-capture extraction helpers.
- scripts/preprocessing/ contains filtering, normalization, renaming, and format-conversion utilities.
- scripts/enrichment/ contains DNS, hostname, endpoint, country, and provider enrichment steps.
- scripts/analysis/ contains the analyses used to generate the paper results.
- scripts/plotting/ contains scripts that generate the figures.
- data/reference/ contains third-party lookup datasets, such as cloud-provider IP ranges and port mappings.
- data/processed/ contains sanitized intermediate data required by later analysis steps.
- data/results/ contains aggregate outputs reported in the paper.
- figures/ contains generated plots.
- docs/ contains reproducibility notes, data schemas, and third-party data documentation.
- legacy/ contains unsupported historical scripts and may be removed in future versions.
The repository intentionally excludes sensitive raw data, including:
- raw PCAP and PCAPNG captures;
- TLS key logs and decrypted captures;
- complete HTTP URLs and request or response payloads.
Only sanitized intermediate data, aggregate results, and selected figures are included. Some endpoint labels are pseudonymized while preserving their consistency across files. For complete access to the data, please contact us.
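One way to pseudonymize endpoint labels consistently across files and to drop URL paths and queries is sketched below. This is an added example, not code from this repository: the keyed-HMAC scheme, the `ep-` prefix, the function names, and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical secret: generate it once and keep it out of the released data.
PSEUDONYM_KEY = b"constructed-example-key-not-for-release"


def pseudonymize(label: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Map an endpoint label to a stable pseudonym using HMAC-SHA256.

    The same label always yields the same pseudonym under one key, so joins
    across files keep working; without the key the mapping cannot be rebuilt
    by hashing a dictionary of known hostnames.
    """
    normalized = label.strip().lower().rstrip(".")
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"ep-{digest[:length]}"


def sanitize_url(url: str, key: bytes = PSEUDONYM_KEY) -> dict:
    """Keep scheme, pseudonymized host and port; drop path, query and userinfo."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return {
        "scheme": parts.scheme,
        "endpoint": pseudonymize(parts.hostname or "", key),
        "port": parts.port or default_port,
    }


def sanitize_rows(rows, key: bytes = PSEUDONYM_KEY):
    """Sanitize (device, url) rows; the device name is kept, the URL is reduced."""
    return [{"device": device, **sanitize_url(url, key)} for device, url in rows]


# Constructed sample rows standing in for two different intermediate files.
APP_ROWS = [("camera-1", "https://API.vendor.example/v1/user/42?token=abc")]
DEVICE_ROWS = [("camera-1", "https://api.vendor.example:443/telemetry")]

if __name__ == "__main__":
    for row in sanitize_rows(APP_ROWS) + sanitize_rows(DEVICE_ROWS):
        print(row)
```

An unkeyed hash would also be consistent across files, but anyone with a list of candidate hostnames could reverse it, which is why the sketch uses a secret key.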
The scripts support Python 3 and use external tools including Wireshark/TShark, editcap, Frida, mitmproxy, and the MonIoTr testbed.
Create an isolated Python environment:
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Some scripts require system-level dependencies, including:
- Wireshark/TShark;
- editcap;
- Android Debug Bridge;
- Frida;
- mitmproxy.
Optional scripts use external services such as IPinfo, Shodan, and DNSDB. Credentials must be supplied through environment variables and must not be committed to the repository.
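A check that can run before a commit to catch credential variables that carry a value is sketched below. This is an added example, not part of this repository: the variable names come from the example configuration in this README, while the function name, the choice of which variables count as credentials, and the sample file contents are assumptions.

```python
import re

# Variable names from the example configuration in this README; treating
# exactly these four as credentials is an assumption of this sketch.
CREDENTIAL_VARS = {"IPINFO_TOKEN", "SHODAN_API_KEY", "DNSDB_API_KEY", "MONIOTR_WIFI_PASS"}

# Matches NAME=value and "export NAME=value" lines.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def find_committed_secrets(files: dict) -> list:
    """Return (path, line_no, variable) for every credential variable with a value.

    `files` maps a path to its text content. Values are never returned, so the
    report itself is safe to paste into CI logs.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("#"):
                continue  # commented-out assignments are ignored
            match = ASSIGNMENT.match(line)
            if not match:
                continue
            name, value = match.group(1), match.group(2).strip("'\"")
            if name in CREDENTIAL_VARS and value:
                findings.append((path, line_no, name))
    return findings


# Constructed sample of staged files: an empty template and a script with a value.
STAGED = {
    "config/.env.example": "IPINFO_TOKEN=\nSHODAN_API_KEY=\nMONIOTR_TRAFFIC_DIR=/data/traffic\n",
    "scripts/run.sh": "#!/bin/sh\n# SHODAN_API_KEY=old\nexport SHODAN_API_KEY='constructed-value'\n",
}

if __name__ == "__main__":
    for finding in find_committed_secrets(STAGED):
        print("credential value present:", finding)
```

In a real hook the `files` mapping would be built from the paths listed by `git diff --cached --name-only`.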
Copy the example configuration:
cp config/.env.example .env
Example variables:
IPINFO_TOKEN=
SHODAN_API_KEY=
DNSDB_API_KEY=
MONIOTR_WIFI_SSID=
MONIOTR_WIFI_PASS=
MONIOTR_PHONE_MAC=
MONIOTR_TAG_SCRIPT=
MONIOTR_TRAFFIC_DIR=
Load the configuration before running scripts:
set -a
source .env
set +a
At a high level, the pipeline consists of the following stages.
Collection helpers are available in:
scripts/collection/
These scripts process PCAPs, DNS records, TLS key logs, and mitmproxy captures. Raw capture data is not included in the repository.
Preprocessing scripts normalize device names, summarize capture sizes, and convert raw tool output into structured formats:
scripts/preprocessing/
Endpoint enrichment includes:
- DNS and reverse-DNS resolution;
- TLS certificate hostname extraction;
- provider identification;
- country mapping;
- endpoint categorization.
scripts/enrichment/
The main analyses are grouped by topic:
scripts/analysis/categories/
scripts/analysis/country/
scripts/analysis/endpoints/
scripts/analysis/local_communication/
scripts/analysis/privacy/
scripts/analysis/protocols/
scripts/analysis/providers/
scripts/analysis/tracking/
Most scripts expose their arguments through:
python path/to/script.py --help
Plotting scripts are stored separately from the analysis code:
scripts/plotting/
Generated figures are written to:
figures/
This repository is a research artifact rather than a general-purpose traffic-analysis framework.
Some collection steps depend on:
- the MonIoTr testbed;
- Android devices configured for Frida and mitmproxy;
- the original experiment directory structure;
- access to third-party enrichment services.
To make the artifact useful without the original infrastructure, the repository includes sanitized aggregate results and the scripts needed to reproduce the analyses and figures from those results.
Please cite the associated paper when using this repository.
@inproceedings{tagliaro-device-app-analysis,
author = {Carlotta Tagliaro and Martina Komsic and Gianluca Anselmi and Anna Maria Mandalari and Martina Lindorfer},
title = {Bridging Devices and Apps: A Joint Analysis of IoT Privacy and Communication},
booktitle = {European Symposium on Research in Computer Security (ESORICS)},
year = {2026},
doi = {TBA}
}
The code and released data may require different licenses.
See LICENSE before reusing or redistributing material from this repository.
For questions about the artifact, please contact carlotta@seclab.wien.