📝 SummarXiv

Abstract

The rapid evolution of mobile security protocols and limited availability of current datasets constrains research in app traffic analysis. This paper presents PARROT, a reproducible and portable traffic capture system for systematic app traffic collection using Android Virtual Devices. The system provides automated environment setup, configurable Android versions, traffic recording management, and labeled captures extraction with human-in-the-loop app interaction. PARROT integrates mitmproxy for optional traffic decryption with automated SSL/TLS key extraction, supporting flexible capture modes with or without traffic interception. We collected a dataset of 80 apps selected from the MAppGraph dataset list, providing traffic captures with corresponding SSL keys for decryption analysis. Our comparative analysis between the MAppGraph dataset (2021) and our dataset (2025) reveals app traffic pattern evolution across 50 common apps. Key findings include migration from TLSv1.2 to TLSv1.3 protocol, with TLSv1.3 comprising 90.0\% of TCP encrypted traffic in 2025 compared to 6.7\% in 2021. QUIC protocol adoption increased substantially, with all 50 common apps generating QUIC traffic under normal network conditions compared to 30 apps in 2021. DNS communications evolved from predominantly unencrypted Do53 protocol (91.0\% in 2021) to encrypted DoT protocol (81.1\% in 2025). The open-source PARROT system enables reproducible app traffic capture for research community adoption and provides insights into app security protocol evolution.