Alex, 05/13/2015 05:44 PM

h1. Frequently Asked Questions

{{>toc}}

h2. General

h3. Where can I download SnoopSnitch?

It is available from "Google Play":https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch, from "F-Droid":https://f-droid.org/repository/browse/?fdid=de.srlabs.snoopsnitch or directly from the "project website":https://opensource.srlabs.de/projects/snoopsnitch.

h3. Is it legal to use SnoopSnitch?

SnoopSnitch records and analyzes only your own transactions that are processed by your baseband chip. It does not intercept traffic of other mobile subscribers. While this should normally be legal, we cannot give you advice on whether it is lawful in your jurisdiction.

h3. Does SnoopSnitch prevent or mitigate attacks?

No. SnoopSnitch is a tool for detecting attacks using diagnostic information from the baseband chip. As it has no control over the baseband chip, it cannot block or prevent attacks.

h3. What are the timelines on the main screen good for?

The upper half of the dashboard shows potential attacks such as silent SMS and IMSI catchers for the last hour, the last day, the last week (w) and the last month (m). A detailed view is available by tapping the timeline.

h3. What do the graphs show?

The two bar charts on the lower half of the screen indicate the general protection capabilities of the current network (colored dot surrounded by a circle) compared to the other networks in a country (colored, filled circles). The network scores do not indicate concrete threats like IMSI catchers.

While colored circles in the bar chart indicate values obtained from https://gsmmap.org, white circles designate results of local measurements on your device.

h3. Why does SnoopSnitch require root privileges?

Root privileges are necessary to open the diagnostic device /dev/diag. This device is an Android kernel interface to debug messages from the Qualcomm baseband chip. It can be used to retrieve debug information, including raw radio messages.

Access to the DIAG interface is crucial for the analysis SnoopSnitch needs to perform. The Android OS and all apps execute on the so-called application processor, whereas all interactions with the mobile network are performed independently on the baseband processor. The baseband takes care of details like measuring the signal strength of neighboring cells, performing transitions to other cells or passing binary SMS to the SIM card. Only certain details are exposed to the application processor through official interfaces.

To detect traces of IMSI catchers, to recognize silent SMS and binary SMS and to calculate the network security score, access to information that is normally handled internally by the baseband is necessary. The only way we know to accomplish that is through the DIAG interface, which requires root access.

h3. Can you implement a mode that does not require root privileges?

No, not without dropping SnoopSnitch’s core functionality of detecting mobile abuse.

During development of SnoopSnitch we tried to gather information for IMSI catcher and special SMS detection on the application processor. We invested a lot of time and effort to instrument and analyze Android's radio interface layer (RIL), only to recognize that binary and silent SMS are handled completely inside the baseband processor, even though there is an Android API that suggests the opposite.

Furthermore, when comparing serving cell and neighboring cell information presented by official Android APIs to the GSM traces we recorded through the Qualcomm diagnostic interface, we had to realize that the former tend to be inaccurate, if present at all.

We do not see a way to build any decent threat detection using non-root interfaces on Android.

h3. Does SnoopSnitch support CDMA?

No. (We may add support for CDMA data collection in one of the next versions.)

h3. Does SnoopSnitch support LTE?

You can collect and upload LTE radio traces in the active network test if you have LTE enabled, to support our security research. There is no LTE security score or any mobile threat detection for that technology yet.

h3. Can I buy devices with SnoopSnitch pre-installed?

Not that we know of.

h3. Do you accept donations?

No.

h3. What do I need to consider when hunting IMSI catchers using SnoopSnitch?

Not much. You may want to activate GPS location tracking within SnoopSnitch. Furthermore, you can change all cleanup intervals to "never" to avoid losing any data. If the app detects something, press the upload button for all events and send a brief email to snoopsnitch@srlabs.de describing the circumstances of your discovery (place, network technology, signal strength, etc.) and your App ID.

If you know you had contact with an IMSI catcher but nothing was detected, please press "Upload suspicious activity" in the menu and also send an email to snoopsnitch@srlabs.de describing what you observed and what your App ID was at that time.

h3. Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?

Sometimes. IMSI catchers in identification mode would typically collect IMSIs of all operators in the target area. Having an alarm for different networks in the same place at the same time is an even stronger indication of an IMSI catcher.

h3. How reliable is SnoopSnitch's detection?

While we are pretty confident about SnoopSnitch's capabilities, keep in mind that it uses a heuristic which may fail. The reason is that networks may behave strangely or show characteristics we had not foreseen when designing the analysis model.

h2. Operation

h3. What does "No baseband messages" mean?

It means that SnoopSnitch successfully initialized the diagnostics interface of your Qualcomm-based phone, but never received any radio messages afterwards.

This can happen if your operator uses the CDMA standard, which is unsupported by SnoopSnitch, or if you are out of coverage of your network.

If you encounter this message and you are using a GSM, UMTS or LTE network, please send mail to snoopsnitch@srlabs.de providing your App ID, the SnoopSnitch version and the following details from the "About phone" dialog:

* Model name
* Android version
* (alternative ROM version)
* Baseband version
* Kernel version

Also press "Upload debug logs". If you could also provide the output of "logcat -v time" from the moment you started SnoopSnitch to the occurrence of the error message, that would be very helpful, too.

h3. SnoopSnitch seemed to work, but now it does not update anymore

It seems that the diagnostic interface sometimes hangs and does not deliver (certain) radio messages anymore. We'll look into resetting it in a future version. For the time being, a phone restart is the only workaround we know of.

h3. What does "w" and "m" mean in the timeline on the dashboard?

Last *w*<notextile></notextile>eek and the last *m*<notextile></notextile>onth.

h3. How much is battery consumption increased by SnoopSnitch?

On our test phones we observe a moderate battery consumption of 1%-4%. However, some users report a dramatic increase in battery consumption, especially in conjunction with dual-SIM devices.

h3. Are dual-SIM phones supported by SnoopSnitch?

It will work if you manually select one SIM, but there is no way of selecting the SIM to be used for SnoopSnitch. Some people also report increased battery consumption on dual-SIM devices. Battery consumption is higher when you switch on SnoopSnitch’s GPS tracking.

h3. Where can I find the version string?

In the first line of the About screen.

h2. IMSI Catcher/Stingray Detection

h3. I got an IMSI catcher alarm - where can I get more information?

Please upload detection events using the "Upload" button in the event list.

Please also send an e-mail to snoopsnitch@srlabs.de describing what happened - we will look into your data and give you feedback on whether this was a real event. Don't forget your App ID!

h3. Are false positives possible?

As SnoopSnitch uses heuristics to detect IMSI catchers and we cannot test the app on every mobile network in the world, false positives are well possible. This is true especially in situations with poor coverage or when traveling at high speeds.

Events with scores >= 5.0 are most probably real catchers.

h3. Are active tests needed for IMSI catcher detection?

No, IMSI catcher detection is independent of active tests. SnoopSnitch can be used passively without ever running an active test.

h3. Are SRLabs servers required for catcher detection?

No. We do not upload your data to our servers unless you press the upload button for an event. The continuous analysis does not require any server or even Internet connectivity.

h3. Are security events or IMSI catchers collected on a website somewhere?

No.

h3. Does a catcher alarm imply that my calls are wiretapped?

Not necessarily. Some IMSI catchers only collect IDs of devices passing by in order to locate or track them. Those devices don't intercept calls or SMS.

h3. Is a SIM card required to detect IMSI catchers?

Yes, a valid SIM card is required.

h3. Has SnoopSnitch been tested with real IMSI catchers/Stingrays?

Yes.

h3. How is the score calculated?

See [[IMSI Catcher Score]] for details.

h3. What is the range of the IMSI catcher score?

Only scores above 2.0 are displayed. The score can be greater than 10.0; the IMSI catchers in identification mode that we tested had a score of around 9.0.

h3. What does the location in catcher events mean?

It shows the location of your *phone* when the event occurred. It does not give you the location of the IMSI catcher.

h3. Why is no location information shown in my events?

Location information only works if the location service is activated in your OS settings *and* in the SnoopSnitch settings.

h3. How accurate is the location information?

We sample the location of the phone once per minute and correlate it with the time of a security event. Hence, this is only an approximation which may be inaccurate, especially when traveling at high speeds.

Turning on GPS location leads to a much higher accuracy than network-based location.

h2. Security Events

h3. What threats does SnoopSnitch warn about?

The app detects threats in mobile networks, such as fake base stations (aka IMSI catchers or Stingrays), silent SMS and binary SMS. It also detects some artifacts of user tracking via the SS7 network.

h3. What is a silent SMS and what is it used for?

A silent SMS is a text message that is neither stored on the phone nor displayed to the user when received. Standard-compliant phones will nevertheless send a delivery notification upon arrival. Silent messages are used to refresh location information in databases that police departments sometimes have access to: they can be used to validate that a phone is switched on and to generate metadata that allows the rough position of a subscriber to be determined.

h3. What is a binary SMS and what is it used for?

Binary SMS carry data addressed to the SIM card, the baseband processor or the application processor. They are typically used to perform updates to the SIM card over the air (OTA), but also for voice mail notification, device configuration, MMS or custom applications. As with silent SMS, the user is normally not notified about the reception of a binary SMS.

Binary SMS can be misused to update your phone with malware or to exploit weaknesses in your phone's software stack.

h3. Which legitimate applications of binary SMS can cause false positives?

You often receive one or two binary SMS when roaming: your home network updates the list of preferred networks when you first connect to a foreign network. Depending on the size of this list you may receive multiple binary SMS when you are traveling and crossing a border. See "this mailing list post":https://lists.srlabs.de/pipermail/gsmmap/2015-March/001247.html for details.

Users have also reported mobile authentication systems for online banking that use binary SMS.

h3. What is an empty paging?

It is an artifact we observed during our SS7 attack research. It is a regular paging that gets aborted, i.e. no useful transaction like a call or SMS happens afterwards. It could be a sign of SS7-based tracking if it happens regularly.

h3. In which situations can empty pagings be false positives?

Users have reported empty paging alarms when using so-called Multi-SIMs. In this setup two SIMs are reachable under the same number. The user can configure which phone takes precedence when both phones are turned on and a call or SMS arrives. The phone with the lower priority may then observe empty paging alarms.

Incoming calls that the caller hangs up after your phone has been paged but before the call was set up may also result in a false positive. The same pattern may occur in situations with poor reception where only parts of a transaction are received.

h3. What should I do when a security event is detected?

Keep calm. Skim through the FAQ entries above and check whether any of the causes for false positives apply to you. Think about other actions you performed with your phone that may be related to the alarm.

If you see no good reason for the alarm, you can send an email to snoopsnitch@srlabs.de asking for an analysis of your data. You need to upload every relevant incident using the "Upload" button in the detail view and provide us with your App ID. Please also include a description of what you were doing when the alarm was triggered.

h3. How are security events detected?

SnoopSnitch uses the diagnostic interface of Qualcomm chipsets to gather raw radio data. This data is parsed, GSM and UMTS messages are extracted and stored as transaction metadata in a local database on the device. The SnoopSnitch background service regularly runs an event detection filter on that database and notifies the user if an event has been detected since the last analysis.
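
As an added illustration of the filter pass described above and of the "empty paging" entry (this is example code, not SnoopSnitch's own detection logic), the following Python sketch keeps constructed transaction metadata in an in-memory SQLite database, flags pagings that no call or SMS followed within an assumed 30-second window, and reports only events not recorded by an earlier pass. The table layout, the window length and the sample rows are assumptions made for this example.

```python
"""Sketch of a periodic event-detection pass: transaction metadata sits in a
local SQLite database, a filter runs over it and only events not reported
before are returned.  Constructed schema and data; not SnoopSnitch's code."""
import sqlite3

# Constructed transaction metadata (simplified; not the real msd.db schema):
# (id, timestamp in seconds, kind, cell_id)
SAMPLE_TRANSACTIONS = [
    (1, 1000, "paging", 4711),
    (2, 1002, "call_setup", 4711),   # call follows the paging: normal
    (3, 1300, "paging", 4711),       # nothing follows: empty paging
    (4, 1600, "paging", 4712),
    (5, 1601, "sms_deliver", 4712),  # SMS follows the paging: normal
    (6, 1900, "paging", 4712),       # nothing follows: empty paging
    (7, 2200, "paging", 4712),       # too recent to judge at the first pass
]

# A paging counts as "empty" when no call or SMS transaction follows it within
# this window.  The window length is an assumption made for this example.
# Note the false positive the FAQ mentions: a caller hanging up after the
# paging but before call setup produces exactly the same pattern.
FOLLOW_UP_WINDOW = 30
FOLLOW_UP_KINDS = ("call_setup", "sms_deliver")


def load_db(rows):
    """Create an in-memory database with a transaction table and an event table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, ts INTEGER,"
                " kind TEXT, cell_id INTEGER)")
    con.execute("CREATE TABLE event (txn_id INTEGER PRIMARY KEY, ts INTEGER,"
                " kind TEXT, cell_id INTEGER)")
    con.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)", rows)
    con.commit()
    return con


def find_empty_pagings(con, now):
    """Pagings whose follow-up window has elapsed without a call or SMS."""
    placeholders = ", ".join("?" for _ in FOLLOW_UP_KINDS)
    sql = (
        "SELECT p.id, p.ts, p.cell_id FROM txn p"
        " WHERE p.kind = 'paging'"
        "   AND p.ts + ? <= ?"          # window has elapsed at analysis time
        "   AND NOT EXISTS (SELECT 1 FROM txn f"
        f"      WHERE f.kind IN ({placeholders})"
        "         AND f.ts >= p.ts AND f.ts <= p.ts + ?)"
        " ORDER BY p.ts"
    )
    params = (FOLLOW_UP_WINDOW, now, *FOLLOW_UP_KINDS, FOLLOW_UP_WINDOW)
    return con.execute(sql, params).fetchall()


def run_detection(con, now):
    """One analysis pass: record and return empty pagings not reported before.

    The event table remembers what was already reported, so a later pass over
    the same rows yields nothing new; a non-empty result is what would trigger
    the user notification.
    """
    new_events = []
    for txn_id, ts, cell_id in find_empty_pagings(con, now):
        seen = con.execute("SELECT 1 FROM event WHERE txn_id = ?",
                           (txn_id,)).fetchone()
        if seen:
            continue
        con.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                    (txn_id, ts, "empty_paging", cell_id))
        new_events.append((txn_id, ts, cell_id))
    con.commit()
    return new_events


def demo():
    """Three passes over the sample data, as the background service would run them."""
    con = load_db(SAMPLE_TRANSACTIONS)
    first = run_detection(con, now=2200)   # pagings 3 and 6; 7 is still within its window
    second = run_detection(con, now=2300)  # paging 7 has timed out by now
    third = run_detection(con, now=2400)   # nothing new
    return first, second, third


if __name__ == "__main__":
    for number, batch in enumerate(demo(), 1):
        print(f"pass {number}: {batch}")
```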

h3. Does SnoopSnitch detect silent SMS sent by HushSMS?

It does. However, some network operators apply filters to block silent SMS or transform them into regular SMS.

h3. Does SnoopSnitch block binary or silent SMS?

No. SnoopSnitch has no control over the baseband processor, which handles these messages independently.

h3. Does SnoopSnitch take countermeasures to security events?

No. Given the number of legitimate reasons for receiving those messages, we did not implement that. There may be a configuration option in future versions to enable such a feature (e.g. switching to airplane mode).

h3. What is the difference to AIMSICD, mICC or Darshak?

mICC as well as AIMSICD are apps for IMSI catcher detection on non-rooted Android devices. In addition, AIMSICD strives to detect silent SMS and other threats without requiring root privileges.

The idea of not requiring root privileges is very attractive, as it allows for a less complicated and much more widespread use of an app. However, as regular Android APIs provide only limited information about the radio network, those apps potentially have a less accurate detection and a higher false-positive rate. Silent SMS, binary SMS and most network security characteristics cannot be detected without access to low-level data, which on Android implies root privileges.

Darshak is an app for the Samsung Galaxy S3 with stock Android 4.1.2 firmware, requiring root privileges. According to the project docs it performs a security estimation comparable to SnoopSnitch's network score and detects silent SMS. Furthermore, a non-published IMSI catcher detection scheme seems to exist.

h2. Network security metrics

h3. When I press "Test" the phone places a lot of calls and gets called by a US number. What's going on?

This is normal and expected. In the default configuration the active test generates 3 rounds of incoming/outgoing calls and incoming/outgoing SMS. This is to generate a defined set of transactions necessary for calculating the network scores.

Make sure not to pick up or reject any of the calls, otherwise you'll get blocked.

h3. How often should I run the active tests?

One or two times per month per location and network technology (GSM, UMTS, LTE) are sufficient, plus every time you are abroad.

h3. Are active tests needed for the network security metrics?

No, the score will also be calculated based on the radio data you produce when using the phone normally. However, running the active tests improves the quality of the score by creating all transactions necessary for that calculation.

h3. Will I get charged for active tests?

You shouldn't. However, some users reported that they got billed for the outgoing SMS we send to an invalid number (*4* by default) during the active test. You should keep an eye on your phone bill / balance when running active tests regularly. If you notice that you are billed for those outgoing SMS, you can either disable outgoing SMS completely or configure a different number in the settings.

h3. How can I disable outgoing SMS to save money?

Check the "Disable outgoing SMS" box in the settings.

h3. How can I change the number test SMS are sent to?

Enter a free-of-charge number in the "Outgoing SMS number" dialog in the settings.

h3. How long does the incoming test call ring?

The server rings for 15 seconds. You should disable or reconfigure your mailbox if it picks up the call earlier than that.

h3. I got banned, what now?

See [[Banned]].

h3. Why do I never receive incoming SMS during active tests?

We suppress incoming SMS for networks for which users have already contributed enough data, for example in Germany.

h3. What does the message "Test 2G and 3G networks" mean?

It just means that you should test all the network technologies available, i.e. GSM, UMTS and maybe LTE.

h3. How can I switch between network modes (GSM/UMTS/LTE) easily?

Due to limitations in Android this cannot be done from within the app or by SnoopSnitch automatically. You need to change this in your Android settings, typically under "Mobile network settings" > "Preferred network type".

h3. Where can I find active test results?

They are represented as white circles in the bar charts on the lower half of the dashboard.

h3. What do the Intercept and Impersonation charts mean?

These are scores estimating the risk of having a connection intercepted or impersonated in a certain network. See the report for your country for details. If there is no report available for your country, have a look at the "report for Germany":http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-Germany-2015-02.pdf for an explanation.

h3. Why is the Tracking score missing in SnoopSnitch?

Tracking is a global value for your operator which has nothing to do with your particular device. As it would essentially be a static value, we decided to leave it out to save screen space.

h3. Why does my local measurement differ from https://gsmmap.org results?

The values on GSMmap are averaged over many samples for a network, contributed by different users in different locations. The location, the type of SIM used and the current load of the network are factors that influence the score. For these reasons your local measurement may differ significantly from the GSMmap score.

h3. How long does it take to update https://gsmmap.org?

We update it once per month, as all scores are calculated on a per-month basis.

h3. I don't see my measurements reflected in https://gsmmap.org

The map is not updated in real time. It may take as long as a month for your values to be incorporated into GSMmap.

h2. Compatibility

h3. Does SnoopSnitch run on my phone?

Your phone must be rooted *and* it must have a Qualcomm chipset. See http://www.xda-developers.com/root/ for a description of what "rooting" means and for instructions on how to root your device. The website http://www.gsmarena.com/ offers extensive information for many phone models, including the chipsets used.

For devices reported to work with SnoopSnitch have a look at our [[DeviceList|device compatibility list]].

h3. Does SnoopSnitch run on my Nexus 3/4/5?

As Google seems to have excluded the Qualcomm DIAG driver from all their production devices, SnoopSnitch does *not* work on Nexus devices with stock ROM. However, many users reported that they got SnoopSnitch working on a Nexus device with CyanogenMod or a custom kernel. See the TODO:REF device list for details on supported custom kernels.

h3. Which custom kernel can I use to make SnoopSnitch work with my stock ROM?

Have a look at the comment column in the [[DeviceList|device compatibility list]].

h3. Which Android versions does SnoopSnitch run on?

The app requires at least Android 4.1.2 (API level 16).

h3. Why are Android versions below 4.1.2 (API level 16) unsupported?

To support Android 5 (Lollipop), an app with native executables like SnoopSnitch necessarily breaks support for Android versions below 4.1. The reason is that on Lollipop position independent executables (PIEs) are mandatory, while they are unsupported (and crash) on Android versions older than 4.1.

h3. Does SnoopSnitch run on Android 5 (Lollipop)?

Yes. However, many vendors like Samsung or HTC seem to have changed their policy regarding the Qualcomm DIAG driver. Devices like the Samsung S5 do not include this driver anymore when updated to Lollipop and are thus incompatible.

We have indications that some vendors delete the respective device node in their device-specific init script (e.g. init.mako.rc for the Nexus 4). The device node could be recreated on such systems if the driver is built into the kernel. See TODO:Ref on how to check the existence of the driver.

If you updated your compatible device to Android 5 and SnoopSnitch starts complaining that it is not compatible anymore, you have the following options:

* Perform a downgrade to Android 4.x
* Use a custom kernel
* Install a custom ROM

h3. Does SnoopSnitch run on custom ROMs like CyanogenMod?

That depends on the particular build of your custom ROM. SnoopSnitch should work if the maintainer of your device's ROM enabled the Qualcomm DIAG driver in the Android kernel (cf. TODO - what needs to be enabled). If you find SnoopSnitch complaining about a missing /dev/diag device, ask your maintainer to include that driver in future versions of your ROM.

h3. How can I verify that SnoopSnitch works correctly?

If you do not get the error "No baseband message received" after an active test, your setup works fine. A comparable error message is also displayed in the dashboard after a while if something is wrong.

h3. How do I grant root permissions on CyanogenMod?

You need to enable root access for apps in the developer menu.

h3. On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su

You need to enable root access for apps in the developer menu.

h3. My device works, but is not in the compatibility list

Send mail to snoopsnitch@srlabs.de containing the device brand and model, including the model number from the "About phone" menu. Please also tell us the Android version, whether you are using a custom ROM or special kernel and any other specifics you find worth mentioning. We are happy to add your device to the list.

h3. Which phone do you recommend?

We tested a lot with the "Motorola Moto E":https://people.torproject.org/~ioerror/skunkworks/moto_e/. It is relatively cheap, seems to work well and is a pretty good phone for that price. Note that we did not try the current (2015) version of the Moto E.

h3. Can I use an old Android phone running SnoopSnitch in addition to my normal phone?

Sure, as long as it is compatible. This works for hunting IMSI catchers in identification mode, but naturally you'll not be warned about attacks or tapping against your main phone.

h3. Are 64bit Qualcomm chipsets supported?

We don't expect many changes in the debug interface we are using. However, we don't know whether anybody has successfully tried SnoopSnitch on any 64bit Qualcomm SoC.

h3. Will there be a SnoopSnitch version for iPhone/Blackberry/Windows Phone...?

For the time being, SnoopSnitch will run exclusively on rooted Android phones with a Qualcomm chipset. Even if a device does have a Qualcomm chipset, like some Blackberry 10 models, we do not have permission to access radio data there, and rooting those devices poses a much greater challenge than on Android.

h3. Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?

This is very unlikely, as it is a huge amount of work to get any different chipset supported. Most importantly, information on how to get raw radio data or debug traces out of those chipsets must be available, the respective interfaces need to be accessible from the application processor and someone has to develop the tools and services to support it.

h3. Does SnoopSnitch run on Jolla/Sailfish OS?

No. Given that Sailfish OS has an Android emulation and the Jolla device has a Qualcomm chipset, it is at least imaginable to implement support for it.

h3. SnoopSnitch says my phone is incompatible, but it's rooted and has a Qualcomm chipset

Your phone may be missing the DIAG device driver in the kernel or the /dev/diag device node.

h3. SnoopSnitch says /dev/diag not found - what does that mean?

Either your ROM does not have the DIAG driver compiled into the kernel, or at least the respective device node does not exist.

h2. Privacy and Security

h3. Which information does SnoopSnitch store during operation?

In the default configuration radio traces are stored on the device encrypted with our public key. Additionally, parsed radio data is stored in a database locally on the device. This database contains metadata of the transactions your phone performed, including timestamps, cell IDs, your IMSI, your IMEI, phone numbers of communication partners and SMS user data in its original binary form. A debug log is constantly written to a file on the device. If configured in the settings, your location is periodically stored in the same database.

As soon as one event is marked for upload, the whole database content is anonymized to prevent the disclosure of private identities and communications. This involves shortening IMSI, IMEI and phone numbers to at most 6 digits, and deleting all SMS payloads that are not considered suspicious.

By default, metadata is purged after one month and raw traces, location data and debug logs are cleaned after one day.
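
The anonymization rule just described, as an added Python example (not the app's own code): identifiers are cut to at most 6 digits and SMS payloads of non-suspicious transactions are dropped, followed by a check that nothing the rule should have removed survived. The record layout and sample values are constructed for this example, and keeping the leading digits (rather than any other 6) is an assumption.

```python
"""Added example of the pre-upload anonymization step the FAQ describes:
IMSI, IMEI and phone numbers shortened to at most 6 digits, SMS payloads
dropped unless flagged as suspicious.  Constructed record layout and values;
this is not SnoopSnitch's own code."""
from dataclasses import dataclass, replace
from typing import List, Optional

MAX_ID_DIGITS = 6   # from the FAQ: identifiers are cut to at most 6 digits


@dataclass(frozen=True)
class TransactionRecord:
    """One row of transaction metadata (constructed schema for this example)."""
    ts: int
    cell_id: str
    imsi: Optional[str]
    imei: Optional[str]
    peer_number: Optional[str]      # phone number of the communication partner
    sms_payload: Optional[bytes]    # SMS user data in its original binary form
    suspicious: bool                # set by the detection filter


def truncate_identifier(value: Optional[str]) -> Optional[str]:
    """Keep only the leading digits, at most MAX_ID_DIGITS of them.

    Keeping the leading digits is an assumption of this example: they carry
    MCC+MNC of an IMSI or the TAC prefix of an IMEI, i.e. operator and device
    type, but no longer identify the subscriber or the handset.
    """
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits[:MAX_ID_DIGITS]


def anonymize(record: TransactionRecord) -> TransactionRecord:
    """Apply the two rules to one record; payloads survive only if suspicious."""
    return replace(
        record,
        imsi=truncate_identifier(record.imsi),
        imei=truncate_identifier(record.imei),
        peer_number=truncate_identifier(record.peer_number),
        sms_payload=record.sms_payload if record.suspicious else None,
    )


def anonymize_database(records: List[TransactionRecord]) -> List[TransactionRecord]:
    """The FAQ says the whole database is anonymized once one event is marked."""
    return [anonymize(r) for r in records]


def leaks_identity(record: TransactionRecord) -> bool:
    """Pre-upload check: True if something the anonymization should remove survived."""
    for ident in (record.imsi, record.imei, record.peer_number):
        if ident is not None and sum(ch.isdigit() for ch in ident) > MAX_ID_DIGITS:
            return True
    return record.sms_payload is not None and not record.suspicious


# Constructed sample rows; IMSI uses the test MCC 001, numbers are made up.
SAMPLE_RECORDS = [
    TransactionRecord(1000, "001/01/1234/5678", "001010123456789",
                      "351234567890123", "+15550100123", None, False),
    TransactionRecord(1300, "001/01/1234/5678", "001010123456789",
                      "351234567890123", "+15550100987", b"\x7f\x00\x01", True),
    TransactionRecord(1600, "001/01/1234/5678", "001010123456789",
                      "351234567890123", None, b"\x00\x00\x00", False),
]


def demo():
    """Anonymize the sample database and report whether anything still leaks."""
    cleaned = anonymize_database(SAMPLE_RECORDS)
    return cleaned, any(leaks_identity(r) for r in cleaned)


if __name__ == "__main__":
    cleaned, leak = demo()
    for r in cleaned:
        print(r)
    print("leaks after anonymization:", leak)
```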

h3. Does SnoopSnitch encrypt its files/database/network traffic?

Files like debug logs, radio traces or database dumps are stored on the device encrypted with our public key. For the upload of those files to our servers HTTPS is used with certificate pinning. For downloading GSMmap data from gsmmap.org HTTPS is used.

h3. Does SnoopSnitch use the Tor network for anonymity?

SnoopSnitch is not modified to use Tor. However, as your device must be rooted to work with SnoopSnitch, you can simply install Orbot and configure it to transparently anonymize all connections made by SnoopSnitch.

h3. What information is uploaded by SnoopSnitch?

When you press the "Upload" button for an event, the raw radio data for that event is uploaded. Raw radio data is split into chunks of 10 minutes. For each event at most 2 of those files, i.e. at most 20 minutes of radio data, are uploaded. In recent versions of the app, the metadata corresponding to the time window of the event is also uploaded.

h3. What happens when "Upload suspicious activity" is pressed?

Raw radio traces and a database dump for the last hour are uploaded.

h3. What happens when "Upload pending files" is pressed?

All files you submitted for upload earlier are uploaded. This is useful if you had no connectivity when pressing "Upload" or "Upload suspicious activity" and you want to upload the data later.

h2. Translation

h3. Can you translate SnoopSnitch into my language?

SnoopSnitch has been translated to English, German and Dutch. We do not have the capacity to create and maintain any other translations. If you want to contribute *and* maintain a translation to another language, please contact snoopsnitch@srlabs.de. Note that maintaining a translation involves regular work to adapt to upstream changes.

h2. Collected Data

h3. How can I access or export the data used for (IMSI Catcher) analysis?

The analysis results and metadata are stored in a SQLite database. You can use a third-party tool like SQLiteManager to view and export the database. The database file on the device is

<pre>
/data/data/de.srlabs.snoopsnitch/databases/msd.db
</pre>

h3. Which logs exist on the phone and what do they contain?

Encrypted Qualcomm DIAG traces:

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz.smime
</pre>

Unencrypted Qualcomm DIAG traces (to be enabled in the development settings):

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>

Encrypted SnoopSnitch debug log:

<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz.smime
</pre>

Unencrypted SnoopSnitch debug log (to be enabled in the development settings):

<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz
</pre>

h3. How can I access raw radio information?

Enable unencrypted radio data in the development settings. You can then pull the unencrypted radio traces from

<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>

h3. How can I analyze radio data?

You can use the same GSM parser used in the app on your Linux or OS X machine. In the SnoopSnitch code base it can be found under ./contrib/gsm-parser (or in its separate repository: http://opensource.srlabs.de/git/gsm-parser.git). The compile.sh script in the SnoopSnitch repo can build it for Linux or OS X:

<pre>
$ cd contrib
$ ./compile.sh -t host
</pre>

The resulting parser binary is contrib/gsm-parser/diag_import. To analyze the log files, run diag_import on the raw traces you pulled from the device and load the results into an SQLite database. On the host the sqlite3 binary is required for this:

<pre>
(
    # schema files of the parser, with /* ... */ comments stripped
    cat contrib/gsm-parser/cell_info.sql \
        contrib/gsm-parser/si.sql \
        contrib/gsm-parser/sms.sql \
        | sed -e 's/\/\*.*//g'

    # parser output: only the lines prefixed with "SQL:" are SQL statements
    contrib/gsm-parser/diag_import <your input files> | sed -ne 's/SQL://p'
) | sqlite3 result_db.sqlite
</pre>
501
502
h3. How can I extract radio traces in PCAP/GSMTAP format?

Add the parameter

<pre>
-g output.pcap
</pre>

to the diag_import call above.

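The import pipeline from the previous section and the -g option from this one, wrapped in a few shell functions as an added example (this is not code from the SnoopSnitch repository). It checks that the schema files exist, writes the combined SQL stream to a file so it can be inspected before import, and then loads it with sqlite3; the schema directory and the diag_import path are passed in as arguments, and any extra parameters such as -g output.pcap are handed straight to diag_import.

```shell
#!/bin/sh
# Added example, not part of the SnoopSnitch project. Reproduces the FAQ's
# schema + diag_import -> sqlite3 pipeline as reusable functions.

# schema_sql SCHEMA_DIR: print the three schema scripts from contrib/gsm-parser
# with C-style comments stripped, as the FAQ's sed does ("/*" to end of line).
schema_sql() {
    for f in cell_info.sql si.sql sms.sql; do
        [ -r "$1/$f" ] || { echo "missing schema file: $1/$f" >&2; return 1; }
    done
    cat "$1/cell_info.sql" "$1/si.sql" "$1/sms.sql" | sed -e 's/\/\*.*//g'
}

# parser_sql PARSER [ARGS...] INPUT...: run diag_import (or any command that
# behaves like it) and keep only the lines it prefixes with "SQL:", prefix removed.
# Extra options such as "-g output.pcap" are passed through unchanged.
parser_sql() {
    parser=$1; shift
    "$parser" "$@" | sed -ne 's/SQL://p'
}

# generate_sql OUT SCHEMA_DIR PARSER [ARGS...] INPUT...: write the combined
# SQL stream (schema first, then parser statements) to OUT for inspection.
generate_sql() {
    out=$1; schema=$2; shift 2
    schema_sql "$schema" > "$out" || return 1
    parser_sql "$@" >> "$out"
}

# import_traces DB SCHEMA_DIR PARSER [ARGS...] INPUT...: generate the SQL
# stream and load it into the SQLite database DB (requires sqlite3 on the host).
import_traces() {
    db=$1; shift
    tmp=$(mktemp) || return 1
    generate_sql "$tmp" "$@" && sqlite3 "$db" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical call from the SnoopSnitch checkout, with a GSMTAP capture as well:
#   import_traces result_db.sqlite contrib/gsm-parser contrib/gsm-parser/diag_import \
#       -g output.pcap <your input files>
```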
h3. How can I check what was uploaded or still needs to be uploaded?

Unfortunately you can't at the moment.

h3. The name of my network operator is wrong

Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.

h3. My country is unknown

Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.

h3. Why do security events disappear after a while?

By default, all log files and metadata are cleaned up after a month (metadata) or a day (logs). When this happens, your events or the location recorded for them may disappear. You can change the period in the settings.

h3. I cannot upload radio data, as the Upload button is replaced by "No data"

This means that you still have the metadata of some event in your database, but the respective radio data has been deleted in the meantime. Normally this should not happen, as files that potentially contain events are not removed on cleanup. However, if you upgrade to a later version of SnoopSnitch, a situation may arise where we improved the detection and now recognize events that were not detected in the past. In this case the raw data may already have been deleted.

h3. Why is the cell ID "0" in the Network Info screen?

This is a technical limitation currently present in SnoopSnitch's GSM parser. The sessions are still valid, we just don't know the cell ID.

h3. How many people are using SnoopSnitch in <my_favorite_location>?

We can't tell. SnoopSnitch does not phone home to tell us who is using it. We only know where SnoopSnitch is used when people tell us by email or upload their results.

h3. What does the Cell ID mean?

It is the unique identifier of a cell tower, composed of MCC/MNC/LAC/CID.

h2. Development

h3. What needs to be enabled in the Android kernel to make SnoopSnitch work?

The kernel needs to have the DIAG_CHAR device driver enabled and the /dev/diag character device must be present. The driver can be found under drivers/char/diag/ in the MSM kernel source.

h3. How can I check whether the DIAG driver is enabled?

Check whether a kernel driver named 'dia' is listed in /proc/devices:

<pre>
$ grep dia$ /proc/devices
247 dia
</pre>

Then check whether a character device /dev/diag with the corresponding major number exists (it may differ from the value 247 in this example):

<pre>
$ ls -l /dev/diag
crw-rw---- system   qcom_diag 247,   0 1970-02-02 03:25 diag
</pre>

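The two checks above combined into a script that compares the major numbers automatically, as an added example that is not part of the SnoopSnitch project. It takes the text of /proc/devices and the ls -l line as arguments so it can be tried off-device; the sample values are the FAQ's own example output.

```shell
#!/bin/sh
# Added example, not part of SnoopSnitch: verifies the two DIAG prerequisites
# from the FAQ and checks that the major numbers actually agree.

# diag_major_from_devices DEVICES_TEXT: print the major number registered for
# the DIAG char driver (listed as "dia" in the FAQ's example), or nothing.
diag_major_from_devices() {
    printf '%s\n' "$1" | awk '$2 ~ /^diag?$/ { print $1; exit }'
}

# diag_major_from_ls LS_LINE: print the major number from an "ls -l /dev/diag"
# line. Works for both the Android toolbox format (no link count) and GNU ls;
# prints nothing if the entry is not a character device.
diag_major_from_ls() {
    printf '%s\n' "$1" | awk '$1 ~ /^c/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+,$/) { sub(/,$/, "", $i); print $i; exit }
    }'
}

# check_diag_device DEVICES_TEXT LS_LINE: 0 if the driver is registered and
# /dev/diag is a character device with the same major number, else 1..3.
check_diag_device() {
    drv=$(diag_major_from_devices "$1")
    dev=$(diag_major_from_ls "$2")
    if [ -z "$drv" ]; then
        echo "DIAG driver not registered in /proc/devices (kernel lacks DIAG_CHAR?)" >&2
        return 1
    elif [ -z "$dev" ]; then
        echo "/dev/diag missing or not a character device" >&2
        return 2
    elif [ "$drv" != "$dev" ]; then
        echo "major number mismatch: driver $drv, /dev/diag $dev" >&2
        return 3
    fi
    echo "ok: DIAG driver and /dev/diag share major number $drv"
}

# Constructed sample input, copied from the FAQ's example output above.
SAMPLE_DEVICES='Character devices:
  1 mem
247 dia'
SAMPLE_LS='crw-rw---- system   qcom_diag 247,   0 1970-02-02 03:25 diag'

# On the phone itself (root shell) the live check is:
#   check_diag_device "$(cat /proc/devices)" "$(ls -l /dev/diag 2>/dev/null)"
```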
h3. Where does the initialization sequence for the DIAG device come from?

It is snooped from the communication between the QXDM tool and the mobile device.

h3. I cannot check out the Git repository under Windows

When cloning the repository under Windows the following error occurs:

<pre>
Cloning into 'snoopsnitch'...

fatal: unable to access 'https://opensource.srlabs.de/git/snoopsnitch.git/': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
</pre>

Some people have reported that issue, but we don't know exactly what the problem is. Checkout and build of SnoopSnitch work under Linux as well as OS X. If you have a solution to this problem (other than using Linux or OS X ;-) please mail to snoopsnitch@srlabs.de.

h3. How can I build SnoopSnitch?

Check out the source repository and in the ./SnoopSnitch directory run

<pre>
$ ant debug
</pre>

h3. Which IDE are you using to develop SnoopSnitch?

We are using Eclipse together with the ADT plugin. Note that a single 'ant debug' build on the command line is necessary, as described above, because the asset directory of the app is populated by a custom ant script, which does not work from within Eclipse.

h3. Can I build SnoopSnitch in Android Studio?

No.

h3. How are radio messages processed?

1. SnoopSnitch/jni/diag-helper.c

That's a small binary proxying data between the app and the Qualcomm DIAG interface. It is invoked in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdService.java, where two threads (FromDiagThread and ToDiagThread) pass data back and forth.

2. GSM parser

Another native binary started by MsdService. The source is in contrib/gsm-parser/diag_import.c. That binary takes the DIAG data, parses it and sends SQL statements back to the app, which inserts the resulting metadata into the local SQLite database.

3. The actual analysis (including SS7 and IMSI catchers) is done in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdServiceAnalysis.java using the SQL scripts in SnoopSnitch/assets.

h3. Is there a public bug tracker for SnoopSnitch?

No, to report bugs please mail to snoopsnitch@srlabs.de.