Version 1, Alex, 05/13/2015 05:44 PM

h1. Frequently Asked Questions

{{>toc}}

h2. General

h3. Where can I download SnoopSnitch?

It is available from "Google Play":https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch, from "F-Droid":https://f-droid.org/repository/browse/?fdid=de.srlabs.snoopsnitch or directly from the "project website":https://opensource.srlabs.de/projects/snoopsnitch.

h3. Is it legal to use SnoopSnitch?

SnoopSnitch records and analyzes only your own transactions as they are processed by your phone's baseband chip. It does not intercept the traffic of other mobile subscribers. While this should normally be legal, we cannot advise you on whether it is lawful in your jurisdiction.

h3. Does SnoopSnitch prevent or mitigate attacks?

No. SnoopSnitch detects attacks using diagnostic information from the baseband chip. As it has no control over the baseband chip, it cannot block or prevent attacks.

h3. What are the timelines on the main screen good for?

The upper half of the dashboard shows potential attacks such as silent SMS and IMSI catchers for the last hour, the last day, the last week (w) and the last month (m). A detailed view is available by tapping the timeline.

h3. What do the graphs show?

The two bar charts on the lower half of the screen indicate the general protection capabilities of the current network (colored dot surrounded by a circle) compared to the other networks in the country (colored, filled circles). The network scores do not indicate concrete threats like IMSI catchers.

While colored circles in the bar chart indicate values obtained from https://gsmmap.org, white circles designate results of local measurements on your device.

h3. Why does SnoopSnitch require root privileges?

Root privileges are necessary to open the diagnostic device /dev/diag. This device is an Android kernel interface to the debug messages of the Qualcomm baseband chip. It can be used to retrieve debug information, including raw radio messages.

Access to the DIAG interface is crucial for the analysis SnoopSnitch needs to perform. The Android OS and all apps are executed on the so-called application processor, whereas all interactions with the mobile network are performed independently on the baseband processor. The baseband takes care of details like measuring the signal strength of neighboring cells, performing transitions to other cells or passing binary SMS to the SIM card. Only certain details are exposed to the application processor through official interfaces.

To detect traces of IMSI catchers, to recognize silent SMS and binary SMS and to calculate the network security score, SnoopSnitch needs access to information that is normally handled inside the baseband. The only way we know to accomplish that is through the DIAG interface, which requires root access.

h3. Can you implement a mode that does not require root privileges?

No, not without dropping SnoopSnitch's core functionality of detecting mobile abuse.

During the development of SnoopSnitch we tried to gather the information needed for IMSI catcher and special SMS detection on the application processor. We invested a lot of time and effort in instrumenting and analyzing Android's radio interface layer (RIL), only to find that binary and silent SMS are handled completely inside the baseband processor, even though there is an Android API that suggests the opposite.

Furthermore, when comparing the serving cell and neighboring cell information presented by official Android APIs to the GSM traces we recorded through the Qualcomm diagnostic interface, we found that the API data tends to be inaccurate, if present at all.

We do not see a way to build any decent threat detection using non-root interfaces on Android.

h3. Does SnoopSnitch support CDMA?

No. (We may add support for CDMA data collection in one of the next versions.)

h3. Does SnoopSnitch support LTE?

If you have LTE enabled you can collect and upload LTE radio traces in the active network test to support our security research. There is no LTE security score or any mobile threat detection for that technology yet.

h3. Can I buy devices with SnoopSnitch pre-installed?

Not that we know of.

h3. Do you accept donations?

No.

h3. What do I need to consider when hunting IMSI catchers using SnoopSnitch?

Not much. You may want to activate GPS location tracking within SnoopSnitch. Furthermore, you can change all cleanup intervals to "never" to avoid losing any data. If the app detects something, press the upload button for all events and send a brief email to snoopsnitch@srlabs.de describing the circumstances of your discovery (place, network technology, signal strength, etc.) and your App ID.

If you know you had contact with an IMSI catcher but nothing was detected, press "Upload suspicious activity" in the menu and also send an email to snoopsnitch@srlabs.de describing what you observed and what your App ID was at that time.

h3. Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?

Sometimes. IMSI catchers in identification mode would typically collect the IMSIs of all operators in the target area. Alarms for different networks in the same place at the same time are an even stronger indication of an IMSI catcher.

h3. How reliable is SnoopSnitch's detection?

While we are pretty confident about SnoopSnitch's capabilities, keep in mind that it uses heuristics which may fail: networks may behave strangely or show characteristics we did not foresee when designing the analysis model.

h2. Operation

h3. What does "No baseband messages" mean?

It means that SnoopSnitch successfully initialized the diagnostic interface of your Qualcomm-based phone, but never received any radio messages afterwards.

This can happen if your operator uses the CDMA standard, which is unsupported by SnoopSnitch, or if you are out of coverage of your network.

If you encounter this message and you are using a GSM, UMTS or LTE network, please send mail to snoopsnitch@srlabs.de providing your App ID, the SnoopSnitch version and the following details from the "About phone" dialog:

* Model name
* Android version
* (alternative ROM version)
* Baseband version
* Kernel version

Also press "Upload debug logs". If you could also provide the output of "logcat -v time" from the moment you started SnoopSnitch to the occurrence of the error message, that would be very helpful, too.

h3. SnoopSnitch seemed to work, but now it does not update anymore

It seems that the diagnostic interface sometimes hangs and does not deliver (certain) radio messages anymore. We'll look into resetting it in a future version. For the time being, a phone restart is the only workaround we know of.

h3. What do "w" and "m" mean in the timeline on the dashboard?

Last *w*<notextile></notextile>eek and the last *m*<notextile></notextile>onth.

h3. How much is battery consumption increased by SnoopSnitch?

On our test phones we observe a moderate additional battery consumption of 1%-4%. However, some users report a dramatic increase in battery consumption, especially in conjunction with dual-SIM devices.

h3. Are dual-SIM phones supported by SnoopSnitch?

It will work if you manually select one SIM, but there is no way of selecting the SIM to be used by SnoopSnitch. Some people also report increased battery consumption on dual-SIM devices. Battery consumption is higher when you switch on SnoopSnitch's GPS tracking.

h3. Where can I find the version string?

In the first line of the About screen.

h2. IMSI Catcher/Stingray Detection

h3. I got an IMSI catcher alarm - where can I get more information?

Please upload detection events using the "Upload" button in the event list.

Please also send an e-mail to snoopsnitch@srlabs.de describing what happened; we will look into your data and give you feedback on whether this was a real event. Don't forget your App ID!

h3. Are false positives possible?

As SnoopSnitch uses heuristics to detect IMSI catchers and we cannot test the app on every mobile network in the world, false positives are quite possible. This is true especially in situations with poor coverage or when traveling at high speed.

Events with scores >= 5.0 are most probably real catchers.

h3. Are active tests needed for IMSI catcher detection?

No, IMSI catcher detection is independent of active tests. SnoopSnitch can be used passively without ever running an active test.

h3. Are SRLabs servers required for catcher detection?

No. We do not upload your data to our servers unless you press the upload button for an event. The continuous analysis does not require any server or even Internet connectivity.

h3. Are security events or IMSI catchers collected on a website somewhere?

No.

h3. Does a catcher alarm imply that my calls are wiretapped?

Not necessarily. Some IMSI catchers only collect the IDs of devices passing by in order to locate or track them. Those devices do not intercept calls or SMS.

h3. Is a SIM card required to detect IMSI catchers?

Yes, a valid SIM card is required.

h3. Has SnoopSnitch been tested with real IMSI catchers/Stingrays?

Yes.

h3. How is the score calculated?

See [[IMSI Catcher Score]] for details.

h3. What is the range of the IMSI catcher score?

Only scores above 2.0 are displayed. The score can be greater than 10.0; the IMSI catchers in identification mode that we tested scored around 9.0.

h3. What does the location in catcher events mean?

It shows the location of your *phone* when the event occurred. It does not give you the location of the IMSI catcher.

h3. Why is no location information shown in my events?

Location information only works if the location service is activated in your OS settings *and* in the SnoopSnitch settings.

h3. How accurate is the location information?

We sample the location of the phone once per minute and correlate that with the time of a security event. Hence, this is only an approximation, which may be inaccurate especially when traveling at high speed.

Turning on GPS location leads to a much higher accuracy than network-based location.

h2. Security Events

h3. What threats does SnoopSnitch warn about?

The app detects threats in mobile networks, such as fake base stations (aka IMSI catchers or Stingrays), silent SMS and binary SMS. It also detects some artifacts of user tracking via the SS7 network.

h3. What is a silent SMS and what is it used for?

A silent SMS is a text message that is neither stored on the phone nor displayed to the user when received. Standard-compliant phones nevertheless send a delivery notification upon arrival. Silent SMS can therefore be used to validate that a phone is switched on and to generate metadata that allows the rough position of a subscriber to be determined; they are used to refresh location information in databases that police departments sometimes have access to.

h3. What is a binary SMS and what is it used for?

Binary SMS carry data dedicated to the SIM card, the baseband processor or the application processor. They are typically used to perform updates to the SIM card over the air (OTA), but also for voice mail notification, device configuration, MMS or custom applications. As with silent SMS, the user is normally not notified about the reception of a binary SMS.

Binary SMS can be misused to install malware on your phone or to exploit weaknesses in your phone's software stack.
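
To make the two descriptions above concrete, here is an added example (not SnoopSnitch's own code) that parses the header of an SMS-DELIVER TPDU as defined in 3GPP TS 23.040 and classifies it the way the FAQ distinguishes messages: a type 0 message (TP-PID 0x40) is the silent SMS, a SIM data download or class 2 message with 8-bit data (TP-PID 0x7F or a class 2 DCS) is a binary SMS handed to the SIM, such as the OTA updates mentioned above, and 8-bit data with an application-port header is a binary SMS for the phone (WAP push, MMS notification, device configuration). The four sample TPDUs are constructed for the example, not captured traffic; the field layout follows the specification, while the classification rules are the example's own and not the rules SnoopSnitch applies.

```python
"""Classify GSM SMS-DELIVER TPDUs (3GPP TS 23.040) as silent, binary or text.

Added example, not SnoopSnitch code. The sample TPDUs at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TP_PID_TYPE0 = 0x40              # "short message type 0": acknowledged, then discarded
TP_PID_SIM_DATA_DOWNLOAD = 0x7F  # (U)SIM data download, e.g. OTA SIM updates


@dataclass
class SmsDeliver:
    udhi: bool          # TP-UDHI: user data starts with a header
    originator: str     # TP-OA as digits ("+" prefix for international numbers)
    pid: int            # TP-PID
    dcs: int            # TP-DCS
    udh: bytes          # user-data header (empty if none)
    user_data: bytes    # complete TP-UD, header included


@dataclass
class Verdict:
    kind: str           # "silent", "binary-sim", "binary-port", "binary", "text"
    reason: str
    dest_port: Optional[int] = None


def _digits(raw: bytes, ndigits: int) -> str:
    """Unpack reversed-nibble BCD digits; the 0xF filler nibble is dropped."""
    out = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib <= 9:
                out.append(str(nib))
    return "".join(out[:ndigits])


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    """Parse the fixed header of an SMS-DELIVER TPDU (no SMSC address prefix)."""
    first = tpdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    udhi = bool(first & 0x40)
    oa_digits, oa_toa = tpdu[1], tpdu[2]     # TP-OA: digit count, type of address
    oa_len = (oa_digits + 1) // 2
    oa_raw = tpdu[3:3 + oa_len]
    pos = 3 + oa_len
    if (oa_toa & 0x70) == 0x50:              # alphanumeric sender: keep packed 7-bit bytes
        originator = "alnum:" + oa_raw.hex()
    else:
        originator = _digits(oa_raw, oa_digits)
        if (oa_toa & 0x70) == 0x10:          # type of number: international
            originator = "+" + originator
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7 + 1                         # skip TP-PID, TP-DCS, TP-SCTS (7 octets), TP-UDL
    ud = tpdu[pos:]
    udh = ud[1:1 + ud[0]] if (udhi and ud) else b""   # UDHL is in octets for any coding
    return SmsDeliver(udhi, originator, pid, dcs, udh, ud)


def is_8bit_data(dcs: int) -> bool:
    """True for DCS values that declare 8-bit (binary) user data."""
    group = dcs >> 4
    if group <= 0x03 or group == 0x0F:       # general data coding / "data coding and class"
        return bool(dcs & 0x04)
    return False


def message_class(dcs: int) -> Optional[int]:
    """Message class 0..3 if the DCS carries one (class 2 means 'for the SIM')."""
    group = dcs >> 4
    if (group <= 0x03 and dcs & 0x10) or group == 0x0F:
        return dcs & 0x03
    return None


def udh_ports(udh: bytes) -> Optional[Tuple[int, int]]:
    """(destination port, source port) from an application-port IE, if present."""
    i = 0
    while i + 1 < len(udh):
        iei, iel = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iel]
        if iei == 0x05 and iel == 4:         # 16-bit application port addressing
            return int.from_bytes(data[:2], "big"), int.from_bytes(data[2:], "big")
        if iei == 0x04 and iel == 2:         # 8-bit application port addressing
            return data[0], data[1]
        i += 2 + iel
    return None


def classify(sms: SmsDeliver) -> Verdict:
    if sms.pid == TP_PID_TYPE0:
        return Verdict("silent", "TP-PID 0x40 (type 0): phone acknowledges delivery, shows nothing")
    if sms.pid == TP_PID_SIM_DATA_DOWNLOAD or (is_8bit_data(sms.dcs) and message_class(sms.dcs) == 2):
        return Verdict("binary-sim", "class 2 / SIM data download: passed to the SIM, e.g. OTA update")
    if is_8bit_data(sms.dcs):
        ports = udh_ports(sms.udh)
        if ports:
            return Verdict("binary-port", "8-bit data for an application port", ports[0])
        return Verdict("binary", "8-bit data without port addressing")
    return Verdict("text", "7-bit or UCS-2 text shown to the user")


def classify_hex(hex_tpdu: str) -> Verdict:
    return classify(parse_sms_deliver(bytes.fromhex(hex_tpdu)))


# Constructed sample TPDUs (not captured traffic): originator +491701234567,
# timestamp 13.05.2015 17:44:00 +02:00.
SAMPLES = {
    "type0_silent":     "040C9194711032547640005150317144008000",
    "ota_sim_update":   "440C919471103254767FF651503171440080080270000011223344",
    "wap_push_port":    "440C919471103254760004515031714400800B0605040B8423F001060403",
    "plain_text_hello": "040C9194711032547600005150317144008005C8329BFD06",
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        v = classify_hex(pdu)
        print(f"{name:18} {v.kind:12} {v.reason}")
```

The decision rests entirely on TP-PID and TP-DCS of the TPDU the baseband receives, which is exactly the information Android's SMS APIs do not hand to apps; the type 0 message in particular leaves no trace on the handset while the sender still gets a delivery notification.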

h3. Which legitimate applications of binary SMS can cause false positives?

You often receive one or two binary SMS when roaming: your home network updates the list of preferred networks when you first connect to a foreign network. Depending on the size of this list you will receive multiple binary SMS when you are traveling and crossing a border. See "this list post":https://lists.srlabs.de/pipermail/gsmmap/2015-March/001247.html for details.

Users also reported that mobile authentication systems for online banking use binary SMS.

h3. What is an empty paging?

It is an artifact we observed during our SS7 attack research. It is a regular paging that gets aborted, i.e. no useful transaction like a call or SMS follows. It could be a sign of SS7-based tracking if it happens regularly.

h3. In which situations can empty pagings be false positives?

Users reported empty paging alarms when using so-called Multi-SIMs. In this setup two SIMs are reachable under the same number. The user can configure which phone takes precedence when both phones are turned on and a call or SMS arrives. The phone with lower priority may then observe empty paging alarms.

Incoming calls that the caller hangs up after your phone has been paged but before the call was set up may also result in a false positive. The same pattern may occur in situations with poor reception where only parts of a transaction are received.

h3. What should I do when a security event is detected?

Keep calm. Skim through the above FAQ entries and check whether any of the causes for false positives apply to you. Think about other actions you performed with your phone that may be related to the alarm.

If you see no good reason for an alarm, you can send email to snoopsnitch@srlabs.de asking for an analysis of your data. You need to upload every relevant incident using the 'upload' button in the detail view and provide us with your App ID. Please also include a description of what you did when the alarm was triggered.

h3. How are security events detected?

SnoopSnitch uses the diagnostic interface of Qualcomm chipsets to gather raw radio data. This data is parsed, GSM and UMTS messages are extracted and stored as transaction metadata in a local database on the device. The SnoopSnitch background service regularly runs an event detection filter on that database and notifies the user if an event was detected since the last analysis.

h3. Does SnoopSnitch detect silent SMS sent by HushSMS?

It does. However, some network operators apply filters that block silent SMS or transform them into regular SMS.

h3. Does SnoopSnitch block binary or silent SMS?

No. SnoopSnitch has no control over the baseband processor, which handles these messages independently.

h3. Does SnoopSnitch take countermeasures to security events?

No. Given the number of legitimate reasons for receiving those messages we did not implement that. There may be a configuration option in future versions to enable such a feature (e.g. switching to airplane mode).

h3. What is the difference to AIMSICD, mICC or Darshak?

mICC as well as AIMSICD are apps for IMSI catcher detection on non-rooted Android devices. In addition, AIMSICD strives to detect silent SMS and other threats without requiring root privileges.

The idea of not requiring root privileges is very attractive as it allows for a less complicated and much more widespread use of an app. However, as regular Android APIs provide only limited information about the radio network, those apps potentially have a less accurate detection and a higher false-positive rate. Silent SMS, binary SMS and most network security characteristics cannot be detected without access to low-level data, which on Android implies root privileges.

Darshak is an app for Samsung Galaxy S3 phones with stock Android 4.1.2 firmware and requires root privileges. According to the project docs it performs a security estimation comparable to SnoopSnitch's network score and detects silent SMS. Furthermore, an unpublished IMSI catcher detection scheme seems to exist.

h2. Network security metrics

h3. When I press "Test" the phone places a lot of calls and gets called by a US number. What's going on?

This is normal and expected. In the default configuration the active test generates 3 rounds of incoming/outgoing calls and incoming/outgoing SMS. This produces a defined set of transactions necessary for calculating the network scores.

Make sure not to pick up or reject any of the calls, otherwise you'll get blocked.

h3. How often should I run the active tests?

One or two times per month are sufficient per location and network technology (GSM, UMTS, LTE), plus every time you are abroad.

h3. Are active tests needed for the network security metrics?

No, the score will also be calculated based on the radio data you produce when using the phone normally. However, running the active tests improves the quality of the score by creating all transactions necessary for that calculation.

h3. Will I get charged for active tests?

You shouldn't be. However, some users reported that they got billed for the outgoing SMS we send to an invalid number (*4* by default) during the active test. You should keep an eye on your phone bill / balance when running active tests regularly. If you notice you are billed for those outgoing SMS, you can either disable outgoing SMS completely or configure a different number in the settings.

h3. How can I disable outgoing SMS to save money?

Check the "Disable outgoing SMS" box in the settings.

h3. How can I change the number test SMS are sent to?

Enter a free-of-charge number in the "Outgoing SMS number" dialog in the settings.

h3. How long does the incoming test call ring?

The server rings for 15 seconds. You should disable or reconfigure your mailbox if it picks up the call earlier than that.

h3. I got banned, what now?

See [[Banned]].

h3. Why do I never receive incoming SMS during active test?

We suppress incoming SMS for networks for which users have already contributed enough data, for example Germany.

h3. What does the message "Test 2G and 3G networks" mean?

It just means that you should test all the network technologies available, i.e. GSM, UMTS and maybe LTE.

h3. How can I switch between network modes (GSM/UMTS/LTE) easily?

Due to limitations in Android this cannot be done from within the app or by SnoopSnitch automatically. You need to change this in your Android settings, typically under "Mobile network settings" > "Preferred network type".

h3. Where can I find active test results?

They are represented as white circles in the bar charts on the lower half of the dashboard.

h3. What do the Intercept and Impersonation charts mean?

These are scores estimating the risk of having a connection intercepted or impersonated in a certain network. See the report for your country for details. If there is no report available for your country, have a look at the "report for Germany":http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-Germany-2015-02.pdf for an explanation.

h3. Why is the Tracking score missing in SnoopSnitch?

Tracking is a global value for your operator which has nothing to do with your particular device. As it would essentially be a static value we decided to leave it out to save screen space.

h3. Why does my local measurement differ from https://gsmmap.org results?

The values on GSMmap are averaged over many samples for a network, contributed by different users in different locations. The location, the type of SIM used or the current load of the network are factors that influence the score. For these reasons your local measurement may differ significantly from the GSMmap score.

h3. How long does it take to update https://gsmmap.org?

We update it once per month, as all scores are calculated on a per-month basis.

h3. I don't see my measurements reflected in https://gsmmap.org?

The map is not updated in real time. It may take as long as a month to have your values incorporated into GSMmap.

h2. Compatibility

h3. Does SnoopSnitch run on my phone?

Your phone must be rooted *and* it must have a Qualcomm chipset. See http://www.xda-developers.com/root/ for a description of what "rooting" means and for instructions on how to root your device. The website http://www.gsmarena.com/ offers extensive information for many phone models, including the chipsets used.

For devices reported to work with SnoopSnitch have a look at our [[DeviceList|device compatibility list]].

h3. Does SnoopSnitch run on my Nexus 3/4/5?

As Google seems to have excluded the Qualcomm DIAG driver from all their production devices, SnoopSnitch does *not* work on Nexus devices with the stock ROM. However, many users reported that they got SnoopSnitch working on a Nexus device with CyanogenMod or a custom kernel. See the [[DeviceList|device compatibility list]] for details on supported custom kernels.

h3. Which custom kernel can I use to make SnoopSnitch work with my stock ROM?

Have a look at the comment column in the [[DeviceList|device compatibility list]].

h3. Which Android versions does SnoopSnitch run on?

The app requires at least Android 4.1.2 (API level 16).

h3. Why are Android versions below 4.1.2 (API level 16) unsupported?

To support Android 5 (Lollipop), an app with native executables like SnoopSnitch necessarily breaks support for Android versions below 4.1. The reason is that on Lollipop position-independent executables (PIEs) are mandatory, while they are unsupported (and crash) on Android versions older than 4.1.

h3. Does SnoopSnitch run on Android 5 (Lollipop)?

Yes. However, many vendors like Samsung or HTC seem to have changed their policy regarding the Qualcomm DIAG driver. Devices like the Samsung Galaxy S5 do not include this driver anymore when updated to Lollipop and are thus incompatible.

We have indications that some vendors delete the respective device node in their device-specific init script (e.g. init.mako.rc for the Nexus 4). The device node can be recreated on such systems if the driver is built into the kernel. See TODO:Ref on how to check the existence of the driver.
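
The check referred to above, as an added example that is not SnoopSnitch's own code: a small host-side Python helper that reads /proc/devices, the sysfs class entry and the device node over adb and tells the three cases apart (driver registered and node present; driver built in but node deleted, which mknod can fix until the next reboot; no driver at all, which needs a custom kernel or ROM). The parsing functions take the file contents as text, so they can be exercised without a phone. Assumptions to verify on your kernel: the driver registers its character device under the name diag in /proc/devices (adjust DIAG_NAME if yours lists it differently), and /sys/class/diag/diag/dev, when present, holds MAJOR:MINOR; when that sysfs file is absent the minor number is assumed to be 0.

```python
"""Tell apart 'no DIAG driver', 'driver present but /dev/diag deleted' and
'all good' on a rooted Qualcomm phone, over adb from a PC.

Added example, not SnoopSnitch code. Assumed (check on your kernel): the
driver registers its char device as "diag" in /proc/devices, and
/sys/class/diag/diag/dev, if present, reads "MAJOR:MINOR".
"""
import re
import subprocess
from typing import Optional, Tuple

DIAG_NAME = "diag"                        # name as listed in /proc/devices (assumption)
SYSFS_DEV = "/sys/class/diag/diag/dev"    # sysfs 'dev' attribute of the class device (assumption)
DIAG_NODE = "/dev/diag"


def diag_major(proc_devices: str, name: str = DIAG_NAME) -> Optional[int]:
    """Major number registered under `name` in the 'Character devices:' section."""
    in_char = False
    for line in proc_devices.splitlines():
        if line.startswith("Character devices:"):
            in_char = True
            continue
        if line.startswith("Block devices:"):
            in_char = False
            continue
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if in_char and m and m.group(2) == name:
            return int(m.group(1))
    return None


def parse_sysfs_dev(text: Optional[str]) -> Optional[Tuple[int, int]]:
    """(major, minor) from the sysfs 'dev' attribute, or None if unreadable."""
    m = re.match(r"\s*(\d+):(\d+)\s*$", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def diag_devnum(proc_devices: str, sysfs_dev: Optional[str]) -> Optional[Tuple[int, int]]:
    """Device number for /dev/diag: sysfs when available, otherwise the major
    from /proc/devices with minor 0 assumed."""
    dev = parse_sysfs_dev(sysfs_dev)
    if dev is not None:
        return dev
    major = diag_major(proc_devices)
    return (major, 0) if major is not None else None


def diag_status(proc_devices: str, sysfs_dev: Optional[str], node_is_chardev: bool) -> str:
    """'ok', 'node-missing' (driver built in, node removed, e.g. by the init
    script) or 'no-driver' (kernel lacks the driver: custom kernel or ROM needed)."""
    if diag_devnum(proc_devices, sysfs_dev) is None:
        return "no-driver"
    return "ok" if node_is_chardev else "node-missing"


def mknod_command(devnum: Tuple[int, int]) -> str:
    """Command to run as root on the phone to recreate the node (gone after a reboot)."""
    major, minor = devnum
    return f"mknod {DIAG_NODE} c {major} {minor} && chmod 660 {DIAG_NODE}"


# ---- device side, via adb -----------------------------------------------------
def adb_shell(cmd: str) -> Optional[str]:
    """stdout of `adb shell cmd`, or None if adb reports failure."""
    r = subprocess.run(["adb", "shell", cmd], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


def check_device() -> str:
    """Run the checks over adb and print the mknod hint when it applies."""
    proc = adb_shell("cat /proc/devices") or ""
    sysfs = adb_shell(f"cat {SYSFS_DEV} 2>/dev/null")
    node = adb_shell(f"test -c {DIAG_NODE} && echo yes")
    status = diag_status(proc, sysfs, bool(node and node.strip() == "yes"))
    if status == "node-missing":
        print("DIAG driver registered but node missing; as root on the phone run:")
        print("  " + mknod_command(diag_devnum(proc, sysfs)))
    return status


if __name__ == "__main__":
    print(check_device())
```

Run `adb root` first where your ROM allows it, or prefix the three `cat`/`test` commands with `su -c`, since /proc/devices and sysfs are not always readable from the adb shell user. A node created with mknod does not survive a reboot, so repeat that step after each boot.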

If you updated your compatible device to Android 5 and SnoopSnitch starts complaining that it is not compatible anymore, you have the following options:

* Perform a downgrade to Android 4.x
* Use a custom kernel
* Install a custom ROM

h3. Does SnoopSnitch run on custom ROMs like CyanogenMod?

That depends on the particular build of your custom ROM. SnoopSnitch should work if the maintainer of your device's ROM enabled the Qualcomm DIAG driver in the Android kernel (cf. TODO - what needs to be enabled). If you find SnoopSnitch complaining about a missing /dev/diag device, ask your maintainer to include that driver in future versions of your ROM.

h3. How can I verify that SnoopSnitch works correctly?

If you do not get the error "No baseband message received" after an active test, your setup works fine. A comparable error message is also displayed in the dashboard after a while if something is wrong.

h3. How do I grant root permissions on CyanogenMod?

You need to enable root access for apps in the developer options.

h3. On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su

You need to enable root access for apps in the developer options.

h3. My device works, but is not in the compatibility list

Send mail to snoopsnitch@srlabs.de containing the device brand and model, including the model number from the "About phone" menu. Please also tell us the Android version, whether you are using a custom ROM or a special kernel and any other specifics you find worth mentioning. We are happy to add your device to the list.

h3. Which phone do you recommend?

We tested a lot with the "Motorola Moto E":https://people.torproject.org/~ioerror/skunkworks/moto_e/. It is relatively cheap, seems to work well and is a pretty good phone for that price. Note that we did not try the current (2015) version of the Moto E.

h3. Can I use an old Android phone running SnoopSnitch in addition to my normal phone?

Sure, as long as it is compatible. This works for hunting IMSI catchers in identification mode, but naturally you will not be warned about attacks or tapping against your main phone.

h3. Are 64bit Qualcomm chipsets supported?

We don't expect many changes in the debug interface we are using. However, we don't know whether anybody has successfully tried SnoopSnitch on a 64bit Qualcomm SoC.

h3. Will there be a SnoopSnitch version for iPhone/Blackberry/Windows Phone...?

For the time being, SnoopSnitch will run exclusively on rooted Android phones with a Qualcomm chipset. Even if a device does have a Qualcomm chipset, like some Blackberry 10 models, we do not have permission to access radio data there, and rooting those devices poses a much greater challenge than on Android.

h3. Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?

This is very unlikely, as it is a huge amount of work to get a different chipset supported. Most importantly, information on how to get raw radio data or debug traces out of those chipsets must be available, the respective interfaces need to be accessible from the application processor and someone has to develop the tools and services to support it.

h3. Does SnoopSnitch run on Jolla/Sailfish OS?

No. Given that Sailfish OS has an Android emulation layer and the Jolla device has a Qualcomm chipset, it is at least imaginable to implement support for it.

h3. SnoopSnitch says my phone is incompatible, but it's rooted and has a Qualcomm chipset

Your phone may be missing the DIAG device driver in the kernel or the /dev/diag device node.

h3. SnoopSnitch says /dev/diag not found - what does that mean?

Either your ROM does not have the DIAG driver compiled into the kernel, or the driver is there but the respective device node does not exist.

h2. Privacy and Security

h3. Which information does SnoopSnitch store during operation?

In the default configuration radio traces are stored on the device encrypted with our public key. Additionally, parsed radio data are stored in a database locally on the device. This database contains metadata of the transactions your phone performed, including timestamps, cell IDs, your IMSI, your IMEI, phone numbers of communication partners and SMS user data in its original binary form. A debug log is constantly written to a file on the device. If configured in the settings, your location is periodically stored in the same database.

As soon as one event is marked for upload, the whole database content is anonymized to prevent disclosure of private identities and communications. This involves shortening IMSI, IMEI and phone numbers to at most 6 digits and deleting all SMS payloads that are not considered suspicious.

By default, metadata is purged after one month; raw traces, location data and debug logs are cleaned after one day.

h3. Does SnoopSnitch encrypt its files/database/network traffic?

Files like debug logs, radio traces or database dumps are stored on the device encrypted with our public key. Those files are uploaded to our servers over HTTPS with certificate pinning. GSMmap data is downloaded from gsmmap.org over HTTPS.

h3. Does SnoopSnitch use the Tor network for anonymity?

SnoopSnitch is not modified to use Tor. However, as your device must be rooted to work with SnoopSnitch, you can simply install Orbot and configure it to transparently anonymize all connections made by SnoopSnitch.

h3. What information is uploaded by SnoopSnitch?

When you press the "Upload" button for an event, the raw radio data for that event are uploaded. Raw radio data is split into chunks of 10 minutes. For each event at most 2 of those files, i.e. at most 20 minutes of radio data, are uploaded. In recent versions of the app, the metadata corresponding to the time window of the event is also uploaded.

h3. What happens when "Upload suspicious activity" is pressed?

Raw radio traces and a database dump for the last hour are uploaded.

h3. What happens when "Upload pending files" is pressed?

All files you submitted for upload earlier are uploaded. This is useful if you had no connectivity when pressing "Upload" or "Upload suspicious activity" and you want to upload the data later.

h2. Translation

h3. Can you translate SnoopSnitch into my language?

SnoopSnitch has been translated into English, German and Dutch. We do not have the capacity to create and maintain any other translations. If you want to contribute *and* maintain a translation into another language, please contact snoopsnitch@srlabs.de. Note that maintaining a translation involves regular work to adapt to upstream changes.

h2. Collected Data

h3. How can I access or export the data used for (IMSI Catcher) analysis?

The analysis results and metadata are stored in an SQLite database. You can use a third-party tool like SQLiteManager to view and export the database. The database file on the device is

<pre>
/data/data/de.srlabs.snoopsnitch/databases/msd.db
</pre>

h3. Which logs exist on the phone and what do they contain?

Encrypted Qualcomm DIAG traces:

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz.smime
</pre>

Unencrypted Qualcomm DIAG traces (to be enabled in the development settings):

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>

Encrypted SnoopSnitch debug log:

<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz.smime
</pre>

Unencrypted SnoopSnitch debug log (to be enabled in the development settings):

<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz
</pre>

h3. How can I access raw radio information?

Enable unencrypted radio data in the development settings. You can then pull the unencrypted radio traces from

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>

h3. How can I analyze radio data?

You can use the same GSM parser used in the app on your Linux or OS X machine. In the SnoopSnitch code base it can be found under ./contrib/gsm-parser (or in its separate repository: http://opensource.srlabs.de/git/gsm-parser.git). The compile.sh script in the SnoopSnitch repo can build it for Linux or OS X:

<pre>
$ cd contrib
$ ./compile.sh -t host
</pre>

The resulting parser binary is contrib/gsm-parser/diag_import. To analyze the log files, run diag_import on the raw traces you pulled from the device and load the SQL statements it emits into an SQLite database. The first command below loads the table definitions (the sed call strips the /* ... */ comments from the .sql files), the second keeps only the lines that diag_import prefixes with SQL:, and the subshell feeds both to sqlite3, which is required on the host:

<pre>
(cat \
    contrib/gsm-parser/cell_info.sql \
    contrib/gsm-parser/si.sql \
    contrib/gsm-parser/sms.sql \
  | sed -e 's/\/\*.*//g'

contrib/gsm-parser/diag_import <your input files> | sed -ne 's/SQL://p'

) | sqlite3 result_db.sqlite
</pre>
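The same pipeline reproduced with Python's sqlite3 module, as an added example that is not part of the gsm-parser tooling, so the effect of the two sed filters can be checked without the sqlite3 CLI or a device; the schema text and the diag_import output below are constructed samples, and the "SQL:" line format is assumed from the sed expression above.

```python
import re
import sqlite3

# Constructed stand-ins for the real inputs: a schema in the /* ... */ comment
# style that the first sed strips, and diag_import output in which SQL lines
# carry the "SQL:" mark and are mixed with other log output (assumed format).
SCHEMA_SQL = """\
/* cell_info.sql (constructed): one row per observed cell */
CREATE TABLE IF NOT EXISTS cell_info(mcc INTEGER, mnc INTEGER, lac INTEGER, cid INTEGER);
/* sms.sql (constructed) */
CREATE TABLE IF NOT EXISTS sms_meta(id INTEGER PRIMARY KEY, msg_type TEXT);
"""
DIAG_IMPORT_OUTPUT = """\
INFO: opened qdmon_example.gz
SQL:INSERT INTO cell_info VALUES(262, 1, 4711, 12345);
SQL:INSERT INTO cell_info VALUES(262, 1, 4711, 12346);
WARN: skipping unknown log code
SQL:INSERT INTO sms_meta(msg_type) VALUES('silent');
"""

COMMENT_RE = re.compile(r"/\*.*")   # sed -e 's/\/\*.*//g': drop "/*" to end of line
SQL_MARK = "SQL:"                   # sed -ne 's/SQL://p': print only marked lines

def strip_comments(schema_text):
    return "\n".join(COMMENT_RE.sub("", line) for line in schema_text.splitlines())

def extract_sql(parser_output):
    """Mirror the second sed: keep only lines containing SQL_MARK and remove
    its first occurrence; everything else the parser prints is discarded."""
    return [line.replace(SQL_MARK, "", 1)
            for line in parser_output.splitlines() if SQL_MARK in line]

def build_result_db(schema_text, parser_output, path=":memory:"):
    """Load the table definitions, then the parser's statements, into SQLite.
    Returns the connection and the number of statements imported."""
    statements = extract_sql(parser_output)
    conn = sqlite3.connect(path)
    conn.executescript(strip_comments(schema_text))
    conn.executescript("\n".join(statements))
    conn.commit()
    return conn, len(statements)

def count_rows(conn, table):
    if not re.fullmatch(r"\w+", table):   # table names are not bind parameters
        raise ValueError("unexpected table name")
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]
```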

h3. How can I extract radio traces in PCAP/GSMTAP format?

Add the parameter

<pre>
-g output.pcap
</pre>

to the diag_import call above.

h3. How can I check what was uploaded or still needs to be uploaded?

Unfortunately you can't at the moment.

h3. The name of my network operator is wrong

Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.

h3. My country is unknown

Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.

h3. Why do security events disappear after a while?

By default, all log files and metadata are cleaned up after a month (metadata) or a day (logs). When this happens, your events or the location recorded for them may disappear. You can change the period in the settings.

h3. I cannot upload radio data, as the Upload button is replaced by "No data"

This means that you still have the metadata of some event in your database, but the respective radio data has been deleted in the meantime. Normally this should not happen, as files that potentially contain events are not removed on cleanup. However, if you upgrade to a later version of SnoopSnitch, a situation may arise where we improved the detection and now recognize events that were not detected in the past. In this case the raw data may already have been deleted.

h3. Why is the cell ID "0" in the Network Info screen?

This is a technical limitation currently present in SnoopSnitch's GSM parser. The sessions are still valid; we just don't know the cell ID.

h3. How many people are using SnoopSnitch in <my_favorite_location>?

We can't tell. SnoopSnitch does not phone home to tell us who is using it. We only know where SnoopSnitch is used when people tell us by email or upload their results.

h3. What does the Cell ID mean?

It is the unique identifier of a cell tower, composed of MCC/MNC/LAC/CID.

h2. Development

h3. What needs to be enabled in the Android kernel to make SnoopSnitch work?

The kernel needs to have the DIAG_CHAR device driver enabled and the /dev/diag character device must be present. The driver can be found under drivers/char/diag/ in the MSM kernel source.

h3. How can I check whether the DIAG driver is enabled?

Check whether a kernel driver named 'dia' is listed in /proc/devices:

<pre>
$ grep dia$ /proc/devices
247 dia
</pre>

Then check whether a character device /dev/diag with the corresponding major number (it may differ from the value 247 in this example) exists:

<pre>
$ ls -l /dev/diag
crw-rw---- system qcom_diag 247, 0 1970-02-02 03:25 diag
</pre>
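A checker for the two steps above, written for this FAQ as an added example that is not part of SnoopSnitch; it parses constructed copies of the /proc/devices and ls -l output, searches only the character-device section (so a block device registered with the same major is not mistaken for the driver), and accepts both the Android toolbox and the GNU ls -l field layout.

```python
import re

# Constructed sample output, not captured from a real device.
PROC_DEVICES = """\
Character devices:
  1 mem
  5 /dev/tty
247 dia
248 hidraw

Block devices:
  7 loop
247 zram
"""
LS_DEV_DIAG = "crw-rw---- system qcom_diag 247, 0 1970-02-02 03:25 diag"

def char_device_major(proc_devices, name):
    """Major number registered for `name` in the 'Character devices:' section
    of /proc/devices, or None if absent (a block device with the same name or
    major number does not count)."""
    in_char_section = False
    for line in proc_devices.splitlines():
        if line.startswith("Character devices:"):
            in_char_section = True
            continue
        if line.startswith("Block devices:"):
            break
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if in_char_section and m and m.group(2) == name:
            return int(m.group(1))
    return None

def device_node(ls_line):
    """(type, major, minor) from one `ls -l` line of a device node. Android's
    toolbox ls omits the link count that GNU ls prints, so 2 or 3 fields may
    sit between the mode string and the 'major, minor' pair."""
    m = re.match(r"([bc])[-rwxsStT]{9}\s+(?:\S+\s+){2,3}(\d+),\s*(\d+)", ls_line)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def diag_available(proc_devices, ls_line, driver="dia"):
    """True when the driver is registered and /dev/diag is a character node
    whose major number matches it, i.e. both checks from the FAQ pass."""
    major = char_device_major(proc_devices, driver)
    node = device_node(ls_line)
    return (major is not None and node is not None
            and node[0] == "c" and node[1] == major)
```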

h3. Where does the initialization sequence for the DIAG device come from?

It is snooped from the communication between the QXDM tool and the mobile device.

h3. I cannot check out the Git repository under Windows

When cloning the repository under Windows the following error occurs:

<pre>
Cloning into 'snoopsnitch'...

fatal: unable to access 'https://opensource.srlabs.de/git/snoopsnitch.git/': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
</pre>

Some people have reported that issue, but we don't know exactly what the problem is. Checkout and build of SnoopSnitch work under Linux as well as OS X. If you have a solution to this problem (other than using Linux or OS X ;-) please mail snoopsnitch@srlabs.de.

h3. How can I build SnoopSnitch?

Check out the source repository and in the ./SnoopSnitch directory run

<pre>
$ ant debug
</pre>

h3. Which IDE are you using to develop SnoopSnitch?

We are using Eclipse together with the ADT plugin. Note that a single 'ant debug' build on the command line is necessary, as described above. The reason is that the asset directory of the app is populated by a custom ant script, which will not work from within Eclipse.

h3. Can I build SnoopSnitch in Android Studio?

No.

h3. How are radio messages processed?

1. SnoopSnitch/jni/diag-helper.c

That's a small native binary proxying data between the app and the Qualcomm DIAG interface. It is invoked in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdService.java, where two threads (FromDiagThread and ToDiagThread) pass data back and forth.

2. GSM parser

Another native binary started by MsdService. The source is in contrib/gsm-parser/diag_import.c. That binary takes the DIAG data, parses it and sends SQL statements back to the app, which inserts the resulting metadata into the local SQLite database.

3. The actual analysis (including SS7 and IMSI catchers) is done in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdServiceAnalysis.java using the SQL scripts in SnoopSnitch/assets.

h3. Is there a public bug tracker for SnoopSnitch?

No, to report bugs please mail snoopsnitch@srlabs.de.