Shaoqi Jiang (Concordia University), Mohammad Mannan (Concordia University)
The availability of modern proxy tools has enabled more detailed analysis of application-layer traffic. Existing research has shown that open-source tools like mitmproxy are effective in observing the inner content of on-the-fly traffic, especially in HTTP and HTTPS requests. However, with HTTP/3 being increasingly adopted in both apps and web services, new challenges are posed because QUIC, the foundational protocol for HTTP/3, lacks full support in widely-used open-source mitm-proxy versions, which significantly hinders comprehensive research on HTTP/3 traffic within mobile applications. To address this limitation, we develop QuicMitm, a specialized QUIC man-in-the-middle proxy. Our proxy can observe plaintext HTTP/3 based on QUIC and handle HTTP requests from Android mobile apps. Using QuicMitm, we tested 3,452 popular apps to observe their HTTP/3 traffic. Also, we compared the privacy-related information leakage of HTTP/3 and HTTP/2 in these apps. Our observations provide a glance of the real-world prevalence of QUIC usage across mobile applications. We hope that our tool can assist researchers in conducting large-scale, dedicated measurements and analysis of QUIC-transmitted content.