PARROT: Portable Android Reproducible traffic Observation Tool

📅 2025-09-11
🤖 AI Summary
To address the tension between the rapid evolution of mobile security protocols and the scarcity of high-quality encrypted traffic datasets, this paper proposes a reproducible, portable Android application traffic collection system built on Android Virtual Devices (AVDs). The system integrates mitmproxy with automated SSL/TLS key extraction, enabling dual-mode capture (with or without man-in-the-middle decryption), and incorporates QUIC/TLS protocol parsing alongside DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) analysis. We collected traffic from 80 mainstream Android applications and publicly release the first open dataset accompanied by complete session decryption keys. Empirical analysis of the 50 apps shared with the 2021 MAppGraph dataset reveals that, as of 2025, TLS 1.3 accounts for 90% of TCP encrypted traffic, QUIC adoption reaches 100% (all 50 common apps generate QUIC traffic), and DoT has become the dominant DNS protocol (81.1% of DNS communications). This work provides critical empirical data and a methodological framework for studying encrypted protocol evolution in mobile environments.

📝 Abstract
The rapid evolution of mobile security protocols and limited availability of current datasets constrain research in app traffic analysis. This paper presents PARROT, a reproducible and portable traffic capture system for systematic app traffic collection using Android Virtual Devices. The system provides automated environment setup, configurable Android versions, traffic recording management, and labeled captures extraction with human-in-the-loop app interaction. PARROT integrates mitmproxy for optional traffic decryption with automated SSL/TLS key extraction, supporting flexible capture modes with or without traffic interception. We collected a dataset of 80 apps selected from the MAppGraph dataset list, providing traffic captures with corresponding SSL keys for decryption analysis. Our comparative analysis between the MAppGraph dataset (2021) and our dataset (2025) reveals app traffic pattern evolution across 50 common apps. Key findings include migration from TLSv1.2 to TLSv1.3 protocol, with TLSv1.3 comprising 90.0% of TCP encrypted traffic in 2025 compared to 6.7% in 2021. QUIC protocol adoption increased substantially, with all 50 common apps generating QUIC traffic under normal network conditions compared to 30 apps in 2021. DNS communications evolved from predominantly unencrypted Do53 protocol (91.0% in 2021) to encrypted DoT protocol (81.1% in 2025). The open-source PARROT system enables reproducible app traffic capture for research community adoption and provides insights into app security protocol evolution.
Problem

Research questions and friction points this paper is trying to address.

Addressing limited mobile app traffic datasets for research
Providing reproducible Android traffic capture with decryption
Analyzing evolution of app security protocols over time
Innovation

Methods, ideas, or system contributions that make the work stand out.

Android Virtual Devices for traffic collection
mitmproxy integration for SSL decryption
Human-in-the-loop app interaction labeling
Andrea Jimenez-Berenguel
Department of Telematic Engineering, University Carlos III of Madrid, Spain
Celeste Campo
Associate Professor
Computer Networks
Marta Moure-Garrido
Department of Telematic Engineering, University Carlos III of Madrid, Spain
Carlos Garcia-Rubio
Department of Telematic Engineering, University Carlos III of Madrid, Spain
Daniel Díaz-Sanchez
Department of Telematic Engineering, University Carlos III of Madrid, Spain
Florina Almenares
Department of Telematic Engineering, University Carlos III of Madrid, Spain