Frequently Asked Questions¶
- Table of contents
- Frequently Asked Questions
- SnoopSnitch v2.0 overview
- SnoopSnitch app v2.0
- Compatibility - SnoopSnitch app v2.0
- Does SnoopSnitch require root privileges?
- Can you implement a mode that does not require root privileges?
- Does SnoopSnitch run on my phone?
- Which custom kernel can I use to make SnoopSnitch work with my stock ROM?
- Does SnoopSnitch run on custom ROMs like CyanogenMod or LineageOS?
- How do I grant root permissions on CyanogenMod/LineageOS?
- On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su
- My device works, but is not in the compatibility list
- Can I use an old Android phone running SnoopSnitch in addition to my normal phone?
- Are 64bit Qualcomm chipsets supported?
- Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?
- What information is uploaded by SnoopSnitch?
- Which information does SnoopSnitch store during mobile network security tests operation?
- Does SnoopSnitch encrypt its files/database/network traffic?
- Does SnoopSnitch use the Tor network for anonymity?
- What information is uploaded by SnoopSnitch for the mobile network security tests?
- What happens when "Upload suspicious activity" is pressed after a mobile network security test?
- What happens when "Upload pending files" is pressed?
- What is the "App ID"?
- What needs to be enabled in the Android kernel to make SnoopSnitch work?
- How can I check whether the DIAG driver is enabled
- Where does the initialization sequence for the DIAG device come from?
- How can I build and start developing SnoopSnitch?
- How can I build the binaries used by SnoopSnitch?
- Which IDE are you using to develop SnoopSnitch?
- How are radio messages processed?
- Is there a public bug tracker for SnoopSnitch?
- Topics regarding the Android patch level analysis
- How often should I run the Android level patch analysis tests?
- What do the patch level analysis results mean?
- How do I install patches the tests indicate as missing?
- Do missing patches mean my phone is going to be hacked right away?
- Why are there no tests for Android version X?
- What does "(certified)" mean?
- Why do I get different results when running the patch analysis at different times?
- Topics regarding the mobile network security tests
- Context - mobile network security tests
- Why do SnoopSnitch mobile network security tests require root privileges?
- Can you implement a mobile network security test mode that does not require root privileges?
- Is it legal to use SnoopSnitch for mobile network security tests?
- Does SnoopSnitch prevent or mitigate mobile network attacks?
- SnoopSnitch says may phone is incompatible for mobile network network security tests, but it's rooted and has a Qualcomm chipset
- SnoopSnitch says /dev/diag not found - what does that mean?
- How can I verify that SnoopSnitch's mobile network security tests work correctly?
- What are the timelines on the main screen good for?
- What do the graphs show?
- Does SnoopSnitch mobile network security testing support CDMA?
- Does SnoopSnitch mobile network security testing support LTE?
- What do I need to consider when hunting IMSI catchers using SnoopSnitch mobile network security testing?
- Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?
- How reliable is SnoopSnitch's mobile network security test detection?
- Operation - mobile network security tests
- IMSI Catcher/Stingray Detection
- I got an IMSI catcher alarm - where can I get more information?
- Are false positives possible?
- Are active tests needed for IMSI catcher detection?
- Are SRLabs servers required for catcher detection?
- Are security events or IMSI catchers collected on a website somewhere?
- Does a catcher alarm imply that my calls are wiretapped?
- Is a SIM card required to detect IMSI catchers?
- Has SnoopSnitch been tested with real IMSI catchers/Stingrays?
- How is the score calculated?
- What is the range of the IMSI catcher score?
- What does the location in catcher events mean?
- Why is no location information shown in my events?
- How accurate is the location information?
- Security Events - mobile network security tests
- What threats do SnoopSnitch mobile network security tests warn about?
- What is a silent SMS and what is it used for?
- What is a binary SMS and what is it used for?
- Which legitimate applications of binary SMS can cause false positives?
- What is an empty paging?
- In which situations can empty pagings be false positives?
- What should I do when a mobile network security event is detected?
- How are mobile network security events detected?
- Does SnoopSnitch detect silent SMS sent by HushSMS?
- Does SnoopSnitch block binary or silent SMS?
- Does SnoopSnitch take countermeasures to security events?
- What is the difference to AIMSICD, mICC or Darshak?
- Mobile network security metrics
- When I press "Test" the phone places a lot of calls and get called by a US number. What's going on?
- How often should I run the active tests?
- Are active tests needed for the network security metrics?
- Will I get charged for active tests?
- How can I disable outgoing SMS to save money?
- How can I change the number test SMS are sent to?
- How long does the incoming test call ring?
- I got banned, what now?
- Why do I never receive incoming SMS during active test?
- What does the message "Test 2G and 3G networks" mean?
- How can I switch between network modes (GSM/UMTS/LTE) easily?
- Where can I find active test results?
- What do the Intercept and Impersonation charts mean?
- Why is the Tracking score missing in SnoopSnitch?
- Why does my local measurement differ from https://gsmmap.org results?
- How long does it take to update https://gsmmap.org?
- I don't see my measurements reflected in https://gsmmap.org?
- Collected Data - mobile network security tests
- How can I access or export the data used for (IMSI Catcher) analysis?
- Which logs exist on the phone an what do they contain?
- How can I access raw radio information?
- How can I analyze radio data?
- How can I extract radio traces in PCAP/GSMTAP format?
- How can I check what was uploaded or still needs to be uploaded?
- The name of my network operator is wrong
- My country is unknown
- Why do security events disappear after a while?
- I cannot upload radio data, as the Upload button is replaced by "No data"
- Why is the cell ID "0" in the Network Info screen?
- How many people are using SnoopSnitch in <my_favorite_location>?
- What does the Cell ID mean?
- Context - mobile network security tests
SnoopSnitch v2.0 overview¶
SnoopSnitch app v2.0¶
What does SnoopSnitch do?¶
SnoopSnitch offers users several tests they can use to assess the overall security of their mobile devices. These tests are focused on two areas:
First, SnoopSnitch offers analysis on whether the testing device’s build of the Android mobile operating system is missing security patches. The primary goal of this test is to identify if any patches are missing relative to the device’s current security patch level date. Our secondary goal is to provide a fact-based incentive to device vendors to further improve their patching processes.
Second, SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the primary goal is to help mobile users detect network originated attacks, such as via SS7, SMS, or ISMI catchers. Our secondary goal is to provide a fact-based incentive to Mobile Network Operators to better improve the security of their networks.
Where can I download SnoopSnitch?¶
Do you accept donations?¶
What was updated in the 2.0 release?¶
The 2.0 update added the Android patch level analysis test feature set to the app. It also included a lot of UI improvements.
Compatibility - SnoopSnitch app v2.0¶
Does SnoopSnitch require root privileges?¶
PARTIALLY. Some SnoopSnitch security tests require root and superuser access to function. However, the app can still be installed and some security tests will function without that level of access.
Android patch level analysis does not require root access to function.
Mobile network security tests require root access to function.
Please refer to the different sections of the FAQ for greater details about topics related to the two different security testing feature sets.
Can you implement a mode that does not require root privileges?¶
As noted above, tests for Android patch level analysis do not require root access. SnSn can be downloaded, installed, and used for Android patch level analysis without granting it root access.
As discussed in the FAQ section "Topics regarding mobile network security testing", we explain in greater details why these tests require root access.
Does SnoopSnitch run on my phone?¶
SnoopSnitch will work on Android OS > 4.1.2 phones only. SnoopSnitch does not work on any non Android device e.g. Apple devices.
The patch analysis feature will work on all Android devices.
To use the mobile network testing and attack detection features, your phone must be rooted and it must have a Qualcomm chipset.
For devices reported to support all features of SnoopSnitch have a look at the list here: https://opensource.srlabs.de/projects/snoopsnitch/wiki/DeviceList .
See http://www.xda-developers.com/root/ for a description of what "rooting" means and for instructions on how to root your device. The website http://www.gsmarena.com/ offers extensive information for many phone models, including the chipsets used.
Which custom kernel can I use to make SnoopSnitch work with my stock ROM?¶
Have a look at the comment column in the non exhaustive 'known supported device list' here: https://opensource.srlabs.de/projects/snoopsnitch/wiki/DeviceList
Does SnoopSnitch run on custom ROMs like CyanogenMod or LineageOS?¶
That depends on the particular build of your custom ROM. SnoopSnitch and the mobile network security tests should work if the maintainer of your devices ROM enabled the Qualcomm DIAG driver in the Android kernel. If you find SnoopSnitch complaining about a missing /dev/diag device, ask your maintainer to include that driver in future version of your ROM.
Many versions of LineageOS are known to work properly with SnoopSnitch.
How do I grant root permissions on CyanogenMod/LineageOS?¶
You need to enable root access for apps in the developers menu or grant the permission in the popup dialogs when running SnoopSnitch.
On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su¶
You need to enable root access for apps in the developers menu.
My device works, but is not in the compatibility list¶
Send mail to email@example.com containing the device brand and model, including the model number from the "About phone" menu. Please also tell the Android version, whether you are using a custom ROM or special kernel and any other specifics you find worth mentioning. We are happy to add you device to the list.
Can I use an old Android phone running SnoopSnitch in addition to my normal phone?¶
Sure, as long as it is compatible. This works for hunting IMSI catchers in identification mode, but naturally you'll not be warned about attacks or tapping against your main phone.
Are 64bit Qualcomm chipsets supported?¶
We don't expect many changes in the debug interface we are using. However, we don't know whether anybody has successfully tried SnoopSnitch on any 64bit Qualcomm SoC.
Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?¶
This is very unlikely, as it is a huge amount of work to get any different chipset supported. Most importantly, information on how to get raw radio data or debug traces out of those chipsets must be available, the respective interfaces need to be available to the application processor and someone has to develop the tools and services to support it.
For additional information on this topic please refer to our Privacy_Policy page
What information is uploaded by SnoopSnitch?¶
For Android patch level analysis, after manually triggering a test, the anonymous analysis results and firmware build details are collected and uploaded to our server.
For mobile network security tests, the user may choose to upload detailed event logs, which are encrypted by default. These logs may contain some personally identifiable information, such as phone numbers, GPS locations, IMEI, IMSI or other mobile network data, even though we have implemented methods to remove such information.
Which information does SnoopSnitch store during mobile network security tests operation?¶
In the default configuration radio traces are stored on the device encrypted with our public key. Additionally, parsed radio data are stored in a database locally on the device. This database contains metadata of the transactions your phone performed, including timestamps, cell IDs, your IMSI, your IMEI, phone numbers of communication partners and SMS user data in its original binary form. A debug log is constantly written to a file on the device. If configured in the settings your location is periodically stored in the same database.
As soon as one event is marked for upload, the whole database content is anonymized to prevent private identities and communications disclosure.
This involves shortening IMSI, IMEI and phone numbers to at most 6 digits, and deleting all the SMS payloads that are not considered suspicious.
By default, metadata is purged after one month and raw traces, location data and debug logs are cleaned after one day.
Does SnoopSnitch encrypt its files/database/network traffic?¶
Files like debug logs, radio traces or database dumps are stored on the device encrypted with our public key. For upload of those files to our servers HTTPS is used with certificate pinning. For downloading GSMmap data from gsmmap.org HTTPS is used.
Does SnoopSnitch use the Tor network for anonymity?¶
SnoopSnitch is not modified to use Tor. However, as your device must be rooted to work with SnoopSnitch you can simple install Orbot and configure it to transparently anonymize all connections made by SnoopSnitch.
What information is uploaded by SnoopSnitch for the mobile network security tests?¶
When you press the "Upload" button for an event, the raw radio data for that event are uploaded. Raw radio data is split into chunks of 10 minutes. For each event at most 2 of those files, i.e. at most 20 minutes of radio data, are uploaded. In the recent versions of the app, metadata information corresponding to the time window of the event is also uploaded.
What happens when "Upload suspicious activity" is pressed after a mobile network security test?¶
Raw radio traces and a database dump for the last hour is uploaded.
What happens when "Upload pending files" is pressed?¶
mobile network security test related files you submitted for upload earlier are uploaded. This is useful if you had no connectivity when pressing "Upload" or "Upload suspicious activity" and you want to upload the data later. This currently does not trigger uploading the patch analysis information though.
What is the "App ID"?¶
The App ID allows us to connect user-submitted screenshots and other feedback to test results that were uploaded to our servers via the app. Make sure to include it whenever you message us about specific events or issues with the app.
What needs to be enabled in the Android kernel to make SnoopSnitch work?¶
The kernel needs to have the DIAG_CHAR device driver enabled and the /dev/diag character device must be present. The driver can be found under drivers/char/diag/ in the MSM kernel source.
How can I check whether the DIAG driver is enabled¶
Check whether a kernel driver named 'dia' is found in /proc/devices:
$ grep dia$ /proc/devices 247 dia
Then check whether a character device /dev/diag with a corresponding major number (it may differ from the value 247 in this example) exists:
$ ls -l /dev/diag crw-rw---- system qcom_diag 247, 0 1970-02-02 03:25 diag
Where does the initialization sequence for the DIAG device come from?¶
It is snooped from the communication between the QXDM tool and the mobile device.
How can I build and start developing SnoopSnitch?¶
Check out the source repository by:
$ git clone --recursive https://opensource.srlabs.de/git/snoopsnitch.git
and in the ./SnoopSnitch directory do:
$ ./gradlew build
How can I build the binaries used by SnoopSnitch?¶
You do not have to as we always ship some prebuilt binaries.
If you want to do it anyway, please check out the README file in the ./contrib folder.
It contains information on how to use the shipped compile.sh script (from the same folder) to build and integrate all the necessary binaries automatically.
Which IDE are you using to develop SnoopSnitch?¶
We use Gradle and Android Studio to develop SnoopSnitch.
How are radio messages processed?¶
Thats a small binary binary proxying data between the App and the Qualcomm DIAG interface. It is invoked in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdService.java and there are two threads (FromDiagThread and ToDiagThread) that pass data back and forth.
2. GSM parser
Another native binary started by MsdService. The source is in contrib/gsm-parser/diag_import.c. That binary takes the diag data, parses it and sends back SQL statements to the App, resulting in metadata to be inserted into the local Sqlite database.
3. The actual analysis (including SS7 and IMSI catchers) is done in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdServiceAnalysis.java using the SQL scripts in SnoopSnitch/assets.
Is there a public bug tracker for SnoopSnitch?¶
No, to report bugs please mail to firstname.lastname@example.org
Can you translate SnoopSnitch in my language?¶
SnoopSnitch is being maintained in English and German. We do not have the capacity to create and maintain any other translations. If you want to contribute and maintain a translation to another language, please contact email@example.com. Note, that maintaining a translation involves regular work to adapt to upstream changes.
Topics regarding the Android patch level analysis¶
This section covers topics specific to the Android patch level analysis testing feature set.
How often should I run the Android level patch analysis tests?¶
You only need to run the patch level analysis tests once initially, and then each time your device receives a firmware security patch level update. Running multiple tests while your device is on the same security patch level date will not offer different results.
SnoopSnitch has a helpful reminder feature: the app will detect when a new security patch level update is installed on a device and, on the next reboot, offer a prompt for the user to run a new round of patch level analysis tests.
What do the patch level analysis results mean?¶
|Patched||firmware includes a patch to fix the listed CVE|
|Patch missing||Missing a patch for a CVE that should be included based the firmware’s patch level date.|
|after claimed patch level||Your device is missing a patch. However, the patch is included in a update that is after the latest security patch level date for your device. For example, if your device patch level date is October 2017, then unpatched CVEs found from November 2017 and onwards will be marked as “after claimed patch level”|
|test inconclusive||Our tests did not produce a conclusive test result and might e.g. be a false positive, that is to say we can not be sure about the result|
|not affected||Your current firmware is not affected by this CVE|
How do I install patches the tests indicate as missing?¶
Unfortunately there is not much an individual user can do on their own regarding missed patches that SnoopSnitch detects. Android security updates are a process impacted by chipset, device, and mobile network vendors. One of our goals with SnoopSnitch Android patch level analysis is to provide a fact-based incentive to device vendors to further improve their patching processes. Therefore, any specific questions or concerns about missing patches should be directed to your device vendor.
Do missing patches mean my phone is going to be hacked right away?¶
Probably not. A missing patch would have to be part of complex exploit chain in order for a device to be properly hacked. In our view a mobile device is much more likely to be compromised by a user installing a malicious app.
You can also review our Hack in the Box conference talk Mind the Gap - Uncovering the Android Patch Gap Through Binary-Only Patch Level Analysis where we introduce and discuss our Android patch level analysis.
Why are there no tests for Android version X?¶
Writing tests for new patch levels and new Android OS versions takes time. We strive to release new tests as often as we are able.
What does "(certified)" mean?¶
We use Google's "SafetyNet Attestation API" to check whether the running firmware build was certified by Google ("ctsProfileMatch" must be true). We display the "(certified)" note only if we receive a conclusive result from the API.
Why do I get different results when running the patch analysis at different times?¶
We are continuously re-evaluating which tests should be applied to which devices based on new information we receive.
Topics regarding the mobile network security tests¶
This section covers topics specific to the mobile network security testing feature set.
Context - mobile network security tests¶
Why do SnoopSnitch mobile network security tests require root privileges?¶
Mobile network security tests require root access to function.
These tests collect data directly from the radio diagnostics interface, they require your phone to be rooted and ask for root permission using Superuser (SU) access. This is required for the mobile security tests to function as the Android API does not provide enough network details for the analysis to be performed. This permission is not a standard Android system permission and is ignored by normal Android devices. It is an informal standard developed by the Android developer community. It allows a program to indicate that it would like to acquire super-user permission. SnoopSnitch does nothing else with this permission. It simply asks for the permission in order to allow command-line tools to run as root. The "su" command is an example of a command that will use this permission.
SnoopSnitch will run tools as root, which are necessary to open the diagnostic device /dev/diag. This device is an Android kernel interface to debug messages from the Qualcomm baseband chip. It can be used to retrieve debug information, including raw radio messages.
Access to the DIAG interface is crucial for the analysis SnoopSnitch needs to perform. The Android OS and all apps are execute on the so-called application processor whereas all interactions with the mobile network are performed on the baseband processor independently. The baseband takes care of details like measuring the signal strengths of neighboring cells, performing transitions to other cells or passing binary SMS to the SIM card. Only certain details are exposed to the application processor through official interfaces.
To detect traces of IMSI catchers, to recognize silent SMS and binary SMS and to calculate the network security score, access to information is necessary that is normally handled by the baseband internally. The only way we know to accomplish that is through the DIAG interface which requires root access.
Can you implement a mobile network security test mode that does not require root privileges?¶
No, not without dropping SnoopSnitch’s core functionality of detection mobile abuse.
During development of SnoopSnitch we tried to gather information for IMSI catcher and special SMS detection on the application processor. We invested a lot of time and effort to instrument and analyze Androids radio interface layer (RIL) just to recognize that binary and silent SMS are handled inside the baseband processor completely, even though there is an Android API that suggested the opposite.
Furthermore, when comparing serving cell information and neighboring cell information presented by official Android APIs to the GSM traces we recorded through the Qualcomm diagnostic interface, we had to realize that those tend to be inaccurate, if present at all.
We do not see a way to build any decent threat detection using non-root interfaces on Android.
Is it legal to use SnoopSnitch for mobile network security tests?¶
SnoopSnitch mobile network security tests record and analyze only your own transactions that are processed by your baseband chip. It does not intercept traffic of other mobile subscribers. While this should normally be legal, we cannot give you advice on whether this is lawful in your jurisdiction.
Does SnoopSnitch prevent or mitigate mobile network attacks?¶
No. SnoopSnitch is a tool for detecting mobile network-base attacks using diagnostic information from the baseband chip. As it has no control over the baseband chip, it cannot block or prevent attacks.
SnoopSnitch says may phone is incompatible for mobile network network security tests, but it's rooted and has a Qualcomm chipset¶
Your phone may be missing the DIAG device driver in the kernel or the /dev/diag device node.
SnoopSnitch says /dev/diag not found - what does that mean?¶
Either your ROM does not have the DIAG driver compiled into the kernel or at least the respective device does not exist.
How can I verify that SnoopSnitch's mobile network security tests work correctly?¶
If you do not get the error "No baseband message received" after an active test your setup works fine. A comparable error message is also displayed in the dashboard if SnoopSnitch recognizes that something is wrong.
What are the timelines on the main screen good for?¶
The upper half of the dashboard shows potential attacks such as silent SMS and IMSI catchers for the last hour, the last day, the last week (w) and the last month (m). A detailed view is available by tapping the timeline.
What do the graphs show?¶
The two bar charts in the center of the dashboard screen indicate the general protection capabilities of the current network (colored dot surrounded by a circle) compared to the other networks in a country (colored, filled circles). The network scores do not indicate concrete threats like IMSI catchers.
While colored circles in the bar chart indicate values obtained from https://gsmmap.org, white circles designate results of local measurements on your device.
Tapping on this section will display the gsmmap for the country you are in.
The chart in the lower part of the dashboard screen display recent found network attacks, split into SMS/SS7 and IMSI catcher events, you can tap these to gain more details on the recognized events and upload related logs.
Does SnoopSnitch mobile network security testing support CDMA?¶
No. (We may add support for CDMA data collection in one of the next versions.)
Does SnoopSnitch mobile network security testing support LTE?¶
You can collect and upload LTE radio traces in the active network test if you have LTE enabled to support our security research. There is no LTE security score or any mobile threat detection for that technology, yet.
What do I need to consider when hunting IMSI catchers using SnoopSnitch mobile network security testing?¶
Not much. You may want to activate GPS location tracking within SnoopSnitch. Furthermore, you can change all cleanup intervals to "never" to avoid losing any data. If the app detects something, press the upload button for all events and send a brief email to firstname.lastname@example.org describing the circumstances of your discovery (place, network technology, signal strength, etc.) and your App ID.
If you know you had contact with an IMSI catcher, but nothing was detected, you press "Upload suspicious activity" in the menu and also send an email to email@example.com describing what you observed and what your App ID was at that time.
Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?¶
Sometimes. IMSI catchers in identification mode would typically collect IMSIs of all operators in the target area. Having an alarm for different networks in the same place at the same time is an even stronger indication for an IMSI catcher.
How reliable is SnoopSnitch's mobile network security test detection?¶
While we are pretty confident about SnoopSnitch's capabilities, keep in mind that it uses a heuristic which may fail. The reason is that networks may behave strangely or characteristics we have not foreseen when designing the analysis model.
Operation - mobile network security tests¶
What does "No baseband messages" mean?¶
It means that SnoopSnitch successfully initialized the diagnostics interface of your Qualcomm-based phone, but never received any radio messages afterwards.
This can happen if your operator uses the CDMA standard which is unsupported by SnoopSnitch; or if you are out of coverage of your network.
If you encounter this message and you are using GSM, UMTS, or LTE network, please send mail to firstname.lastname@example.org providing your App ID, the SnoopSnitch version and the following details from the "About phone" dialog:
- Model name * Android version * (alternative ROM version) * Baseband version * Kernel version
Also press "Upload debug logs". If you could also provide the output of "logcat -v time" from the moment you started SnoopSnitch to the occurrence of the error message, that could be very helpful, too.
SnoopSnitch mobile network security testing seemed to work, but now it does not update anymore¶
It seems like the diagnostic interface sometimes hangs and does not deliver (certain) radio messages anymore. We'll look into resetting it in a future version. For the time being, a phone restart is the only workaround we know of.
What does "w" and "m" mean in the timeline on the dashboard?¶
Last week and the last month.
Are dual-SIM phones supported by SnoopSnitch?¶
It will work if you manually select on SIM, but there is no way of selecting the SIM to be used for SnoopSnitch. Some people also report increased battery consumption on dual-SIM devices. Battery consumption is higher when you switch on SnoopSnitch’s GPS tracking.
Where can I find the version string?¶
In the first line of the About screen.
IMSI Catcher/Stingray Detection¶
I got an IMSI catcher alarm - where can I get more information?¶
Please upload detection events using the "Upload" button in the event list.
Please also send an e-mail to email@example.com describing what happened - we will look into your data and give you feedback on whether this was a real event. Don't forget your App ID!
Are false positives possible?¶
As SnoopSnitch uses heuristics to detect IMSI catchers and we cannot test the app on every mobile network in the world, false positives are well possible. This is true especially in situations with poor coverage or when traveling at high speeds.
Events with scores >= 5.0 are most probably real catchers.
Are active tests needed for IMSI catcher detection?¶
No, IMSI catcher detection is independent of active tests. SnoopSnitch can be used passively without ever running an active test.
Are SRLabs servers required for catcher detection?¶
No. We do not upload your data to our servers unless you press the upload button for an event. The continuous analysis does not required any server or even Internet connectivity.
Are security events or IMSI catchers collected on a website somewhere?¶
Does a catcher alarm imply that my calls are wiretapped?¶
Not necessarily. Some IMSI catchers only collect IDs of devices passing by to locate or track them. Those devices don't intercept calls or SMS.
Is a SIM card required to detect IMSI catchers?¶
Yes, a valid SIM card is required.
Has SnoopSnitch been tested with real IMSI catchers/Stingrays?¶
How is the score calculated?¶
See IMSI Catcher Score for details.
What is the range of the IMSI catcher score?¶
Only scores above 2.0 are displayed. The score can be greater than 10.0 with IMSI catcher in identification mode (that we tested) having a score of around 9.0.
What does the location in catcher events mean?¶
It shows the location of your phone when the event occurred. It does not give you the location of the IMSI catcher.
Why is no location information shown in my events?¶
That location information only works if the location service is activated in your OS settings and in the SnoopSnitch settings.
How accurate is the location information?¶
We sample the location of the phone once per minute and correlate that the time of a security event. Hence, this is only an approximation which may be inaccurate especially when traveling at high speeds.
Turning on GPS location leads to a much higher accuracy than network-based location.
Security Events - mobile network security tests¶
What threats do SnoopSnitch mobile network security tests warn about?¶
The app detects threats in mobile networks, such as fake base stations (aka. IMSI catchers or Stingrays), silent SMS, and binary SMS. It also detects some artifacts of user tracking using the SS7 network.
What is a silent SMS and what is it used for?¶
Silent messages are used to refresh location information in databases police departments sometimes have access to. A silent SMS is a text message that is neither stored on the phone nor displayed to the user when received. Standard-compliant phones will send a delivery notification upon arrival. They can be used to validate that a phone is switched on and to generate metadata that allows to determine the rough position of a subscriber.
What is a binary SMS and what is it used for?¶
Binary SMS carry data dedicated to the SIM card, the baseband processor or the application processor. They are typically used to perform updates to the SIM card over the air (OTA), but also for voice mail notification, device configuration, MMS or custom applications. As silent SMS, the user normally is not notified about the reception of a binary SMS.
Binary SMS can be misused to update your phone with malware or to exploit weaknesses in your phones software stack.
Which legitimate applications of binary SMS can cause false positives?¶
You often receive one or two binary SMS when roaming: Your home network updates the list of preferred networks when first connecting to a foreign network. Depending on the size of this list you will receive multiple binary SMS when you are traveling and crossing the boarder. See this list post for details.
Users also reported mobile authentication systems for online banking to use binary SMS.
What is an empty paging?¶
It is an artifact we observed during our SS7 attack research. It is a regular paging that gets aborted, i.e. there is no useful transaction like a call or SMS happening afterwards. It could be a sign of SS7-based tracking if it happens regularly.
In which situations can empty pagings be false positives?¶
Users reported empty paging alarms when using so-called Multi-SIMs. In this setup two SIMs are reachable under the same number. The user can configure which phone takes precedence when both phones are turned on and a call or SMS arrives. The phone with lower priority may observe null paging alarms.
Received calls that are hung up by the caller such that your phone got paged, but the call was not set up yet may also result in a false positive. This pattern may also happen in situations with poor reception where only parts of a transaction are received.
What should I do when a mobile network security event is detected?¶
Keep calm. Skim through the above FAQ entries and check whether any of the causes for false positives apply to you. Think about other actions you performed with your phone that may be related to the alarm.
If you see no good reason for an alarm, you can send email to firstname.lastname@example.org asking for an analysis of your data. You need to upload every relevant incidents using the 'upload' button in the detail view and provide us with your App ID. Please also include a description of what you did when the alarm was triggered.
How are mobile network security events detected?¶
SnoopSnitch uses the diagnostic interfaces of Qualcomm chipsets to gather raw radio data. This data is parsed, GSM and UMTS messages are extracted and stored as transaction metadata in a local database on the device. The SnoopSnitch background service regularly runs an event detection filter on that database and notifies the user if an event was detected since the last analysis.
Does SnoopSnitch detect silent SMS sent by HushSMS?¶
It does. However, some network operators apply filters to block silent SMS or transform them into regular SMS.
Does SnoopSnitch block binary or silent SMS?¶
No. SnoopSnitch has no control over the baseband processor which is handling these messages independently.
Does SnoopSnitch take countermeasures to security events?¶
No. Given the amount of legitimate reasons for receiving those messages we did not implement that. There may be a configuration option in future versions to enable such a feature (e.g. switch to airplane mode).
What is the difference to AIMSICD, mICC or Darshak?¶
mICC as well as AIMSICD are apps for IMSI catcher detection using non-rooted Android devices. In addition, AIMSICD strives for detecting silent SMS and other threats without requiring root privileges.
The idea of not requiring root privileges is very attractive as it allows for a less complicated and much more widespread use of an app. However, as regular Android APIs provide only limited information about the radio network, those app potentially have a less accurate detection and a higher false-positive rate. Silent SMS, binary SMS and most network security characteristics cannot be detected without access to low-level data, which on Android implies root privileges.
Darshak is an app for Samsung Galaxy S3 phone with stock Android 4.1.2 firmware requiring root privileges. According to the project docs it performs a security estimation comparable to SnoopSnitch's network score and detects silent SMS. Furthermore, a non-published IMSI catcher detection scheme seems to exist.
Mobile network security metrics¶
When I press "Test" the phone places a lot of calls and get called by a US number. What's going on?¶
This is normal and expected. The active test will generate 3 rounds of incoming/outgoing calls and incoming/outgoing SMS in the default configuration. This is to generate a defined set of transaction necessary for calculating the network scores.
Make sure not to pick up or reject any of the calls, otherwise you'll get blocked.
How often should I run the active tests?¶
One or two times per month are sufficient per location and network technology (GSM, UMTS, LTE) and every time you are abroad.
Are active tests needed for the network security metrics?¶
No, the score will also be calculated based on the radio data you produce when using the phone normally. However, running the active tests improves the quality of the score by creating all transactions necessary for that calculation.
Will I get charged for active tests?¶
You shouldn't. However, some users reported they got billed for the outgoing SMS we send to an invalid number (4 by default) during active test. You should have have an eye on your phone bill / balance when running active tests regularly. If you notice your are billed for those outgoing SMS, you can either disable outgoing SMS completely or configure a different number in the settings.
How can I disable outgoing SMS to save money?¶
Check the "Disable outgoing SMS" box in the settings.
How can I change the number test SMS are sent to?¶
Enter a free-of-charge number in the "Outgoing SMS number" dialog in the settings.
How long does the incoming test call ring?¶
The server rings for 15 seconds. You should disable or reconfigure your mailbox if it picks up the call earlier than that.
I got banned, what now?¶
Why do I never receive incoming SMS during active test?¶
We suppress incoming SMS for networks users have already contributed enough data; for example Germany.
What does the message "Test 2G and 3G networks" mean?¶
It just means that you should test all the network technologies available, i.e. GSM, UMTS and maybe LTE.
How can I switch between network modes (GSM/UMTS/LTE) easily?¶
Due to limitations in Android this cannot be done from within the App or by SnoopSnitch automatically. You need to change this in your Android settings, typically under "Mobile network settings" > "Preferred network type".
Where can I find active test results?¶
They are represented as white circles in the bar charts on the lower half of the dashboard.
What do the Intercept and Impersonation charts mean?¶
These are scores estimating the risk of having a connection intercepted or impersonated in a certain network. See the report for your country for details. If there is no report available for your country, have a look at the report for Germany for an explanation.
Why is the Tracking score missing in SnoopSnitch?¶
Tracking is a global value for your operator which has nothing to do with your particular devices. As it would essentially be a static value we decided to leave it out to safe screen space.
Why does my local measurement differ from https://gsmmap.org results?¶
The values on GSMmap are averaged over many samples for a network contributed by different users in different locations. The location, the type of SIM used or the current load of the network are factors that influence the score. For the reason your local measurement may differ significantly from the GSMmap score.
How long does it take to update https://gsmmap.org?¶
We update it once per month, as all scores are calculated on a per-month basis.
I don't see my measurements reflected in https://gsmmap.org?¶
The map is not updated in real time. It may take as long as a month to have your values incorporated into GSMmap.
Collected Data - mobile network security tests¶
How can I access or export the data used for (IMSI Catcher) analysis?¶
The analysis results and meta data is stored in a SQLite database. You can use a third-party tool like SQLiteManager to view and export the database. The database file on the device is
Which logs exist on the phone an what do they contain?¶
Encrypted Qualcomm DIAG traces:
Unencrypted Qualcomm DIAG traces (to be enabled in the development settings):
Encrypted SnoopSnitch debug log:
Unencrypted SnoopSnitch debug log (to be enabled in the development settings):
How can I access raw radio information?¶
Enable unencrypted radio data in the development settings. You can pull the unencrypted radio traces from
How can I analyze radio data?¶
You can use the same GSM parser used in the app on your Linux or OS X machine. In the SnoopSnitch code base it can be found under ./contrib/gsm-parser (or in its separate repository: http://opensource.srlabs.de/git/gsm-parser.git). The compile.sh script in the SnoopSnitch repo can build that for Linux or OS X:
$ cd contrib $ ./compile.sh -t host
The resulting parser binary is in contrib/gsm-parser/diag_import. To analyze the log files diag_import on the raw traces you pulled from the device and parse the results into an SQLite database. On the host the sqlite3 binary is required to do this:
(cat \ contrib/gsm-parser/cell_info.sql \ contrib/gsm-parser/si.sql \ contrib/gsm-parser/sms.sql \ | sed -e 's/\/\*.*//g' contrib/gsm-parser/diag_import <your input files> | sed -ne 's/SQL://p' ) | sqlite3 result_db.sqlite
How can I extract radio traces in PCAP/GSMTAP format?¶
Add the parameter
to the diag_import call above.
How can I check what was uploaded or still needs to be uploaded?¶
Unfortunately you can't at the moment.
The name of my network operator is wrong¶
Send an email to email@example.com telling us the name of your country and network operator.
My country is unknown¶
Send an email to firstname.lastname@example.org telling us the name of your country and network operator.
Why do security events disappear after a while?¶
By default, all log files and metadata is cleaned up after a month (metadata) or a day (logs). When this happens, your events or the location recorded for them may disappear. You can change the period in the settings.
I cannot upload radio data, as the Upload button is replaced by "No data"¶
This means that you still have the metadata of some event in your database, but the respective radio data has been deleted in the meantime. Normally this should not happen, as files that potentially contain events are not removed on cleanup. However, if you upgrade to a later version of SnoopSnitch, a situation may arise where we improved the detection and now recognize events that were not detected in the past. In this case the raw data may already be deleted.
Why is the cell ID "0" in the Network Info screen?¶
This is a technical limitation currently present in SnoopSnitch's GSM parser. The sessions are still valid, we just don't know the cell ID.
How many people are using SnoopSnitch in <my_favorite_location>?¶
We can't tell. SnoopSnitch does not phone home to tell us who is using it. We only know where SnoopSnitch is used when people tell us by email or upload their results.
What does the Cell ID mean?¶
It is the unique identifier of cell tower comprising of MCC/MNC/LAC/CID.