Encrypted tunnels degrade application fingerprinting performance due to feature obfuscation from tunnel encapsulation. To address this, we propose a dual-decoupling semantic enhancement framework: first, leveraging TLS traffic semantics as anchors to strengthen application-layer feature representation; second, employing a feature-decoupling network to disentangle tunnel-invariant application semantics from tunnel-specific confounding features, thereby mitigating re-encapsulation-induced ambiguity. Our end-to-end deep neural architecture integrates semantic anchoring, contrastive learning, feature decoupling, and multi-tunnel joint modeling. Extensive experiments across five mainstream encrypted tunnels—including Shadowsocks and Trojan—demonstrate that our method significantly outperforms state-of-the-art approaches, achieving a 12.6% accuracy gain under strong obfuscation conditions. The framework exhibits robust generalization across diverse tunnel configurations and maintains practical deployability in real-world network environments.

Due to the growing demand for privacy protection, encrypted tunnels have become increasingly popular among mobile app users, which brings new challenges to app fingerprinting (AF)-based network management. Existing methods primarily transfer traditional AF methods to encrypted tunnels directly, ignoring the core obfuscation and re-encapsulation mechanism of encrypted tunnels, thus resulting in unsatisfactory performance. In this paper, we propose DecETT, a dual decouple-based semantic enhancement method for accurate AF under encrypted tunnels. Specifically, DecETT improves AF under encrypted tunnels from two perspectives: app-specific feature enhancement and irrelevant tunnel feature decoupling.Considering the obfuscated app-specific information in encrypted tunnel traffic, DecETT introduces TLS traffic with stronger app-specific information as a semantic anchor to guide and enhance the fingerprint generation for tunnel traffic. Furthermore, to address the app-irrelevant tunnel feature introduced by the re-encapsulation mechanism, DecETT is designed with a dual decouple-based fingerprint enhancement module, which decouples the tunnel feature and app semantic feature from tunnel traffic separately, thereby minimizing the impact of tunnel features on accurate app fingerprint extraction. Evaluation under five prevalent encrypted tunnels indicates that DecETT outperforms state-of-the-art methods in accurate AF under encrypted tunnels, and further demonstrates its superiority under tunnels with more complicated obfuscation. extit{Project page: href{https://github.com/DecETT/DecETT}{https://github.com/DecETT/DecETT}}