Project

General

Profile

FAQ » History » Version 2

Karsten, 10/08/2016 03:33 PM

1 2 Karsten
2
3 1 Alex
h1. Frequently Asked Questions
4
5 2 Karsten
{{toc}}
6 1 Alex
7
h2. General
8
9
h3. Where can I download SnoopSnitch?
10
11
It is available from "Google Play":https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch, from "F-Droid":https://f-droid.org/repository/browse/?fdid=de.srlabs.snoopsnitch or directly from the "project website":https://opensource.srlabs.de/projects/snoopsnitch.
12
13
h3. Is it legal to use SnoopSnitch?
14
15
SnoopSnitch records and analyzes only your own transactions that are processed by your baseband chip. It does not intercept traffic of other mobile subscribers. While this should normally be legal, we cannot give you advice on whether this is lawful in your jurisdiction.
16
17
h3. Does SnoopSnitch prevent or mitigate attacks?
18
19
No. SnoopSnitch is a tool for detecting attacks using diagnostic information from the baseband chip. As it has no control over the baseband chip, it cannot block or prevent attacks.
20
21
h3. What are the timelines on the main screen good for?
22
23
The upper half of the dashboard shows potential attacks such as silent SMS and IMSI catchers for the last hour, the last day, the last week (w) and the last month (m). A detailed view is available by tapping the timeline.
24
25
h3. What do the graphs show?
26
27
The two bar charts on the lower half of the screen indicate the general protection capabilities of the current network (colored dot surrounded by a circle) compared to the other networks in a country (colored, filled circles). The network scores do not indicate concrete threats like IMSI catchers.
28
29
While colored circles in the bar chart indicate values obtained from https://gsmmap.org, white circles designate results of local measurements on your device.
30
31
h3. Why does SnoopSnitch require root privileges?
32
33
Root privileges are necessary to open the diagnostic device /dev/diag. This device is an Android kernel interface to debug messages from the Qualcomm baseband chip. It can be used to retrieve debug information, including raw radio messages.
34
35
Access to the DIAG interface is crucial for the analysis SnoopSnitch needs to perform. The Android OS and all apps are execute on the so-called application processor whereas all interactions with the mobile network are performed on the baseband processor independently. The baseband takes care of details like measuring the signal strengths of neighboring cells, performing transitions to other cells or passing binary SMS to the SIM card. Only certain details are exposed to the application processor through official interfaces.
36
37
To detect traces of IMSI catchers, to recognize silent SMS and binary SMS and to calculate the network security score, access to information is necessary that is normally handled by the baseband internally. The only way we know to accomplish that is through the DIAG interface which requires root access.
38
39
h3. Can you implement a mode that does not require root privileges?
40
41
No, not without dropping SnoopSnitch’s core functionality of detection mobile abuse.
42
43
During development of SnoopSnitch we tried to gather information for IMSI catcher and special SMS detection on the application processor. We invested a lot of time and effort to instrument and analyze Androids radio interface layer (RIL) just to recognize that binary and silent SMS are handled inside the baseband processor completely, even though there is an Android API that suggested the opposite.
44
45
Furthermore, when comparing serving cell information and neighboring cell information presented by official Android APIs to the GSM traces we recorded through the Qualcomm diagnostic interface, we had to realize that those tend to be inaccurate, if present at all.
46
47
We do not see a way to build any decent threat detection using non-root interfaces on Android.
48
49
h3. Does SnoopSnitch support CDMA?
50
51
No. (We may add support for CDMA data collection in one of the next versions.)
52
53
h3. Does SnoopSnitch support LTE?
54
55
You can collect and upload LTE radio traces in the active network test if you have LTE enabled to support our security research. There is no LTE security score or any mobile threat detection for that technology, yet.
56
57
h3. Can I buy devices with SnoopSnitch pre-installed?
58
59
Not that we know of.
60
61
h3. Do you accept donations?
62
63
No.
64
65
h3. What do I need to consider when hunting IMSI catchers using SnoopSnitch?
66
67
Not much. You may want to activate GPS location tracking within SnoopSnitch. Furthermore, you can change all cleanup intervals to "never" to avoid losing any data. If the app detects something, press the upload button for all events and send a brief email to snoopsnitch@srlabs.de describing the circumstances of your discovery (place, network technology, signal strength, etc.) and your App ID.
68
69
If you know you had contact with an IMSI catcher, but nothing was detected, you press "Upload suspicious activity" in the menu and also send an email to snoopsnitch@srlabs.de describing what you observed and what your App ID was at that time.
70
71
h3. Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?
72
73
Sometimes. IMSI catchers in identification mode would typically collect IMSIs of all operators in the target area. Having an alarm for different networks in the same place at the same time is an even stronger indication for an IMSI catcher.
74
75
h3. How reliable is SnoopSnitch's detection?
76
77
While we are pretty confident about SnoopSnitch's capabilities, keep in mind that it uses a heuristic which may fail. The reason is that networks may behave strangely or characteristics we have not foreseen when designing the analysis model.
78
79
h2. Operation
80
81
h3. What does "No baseband messages" mean?
82
83
It means that SnoopSnitch successfully initialized the diagnostics interface of your Qualcomm-based phone, but never received any radio messages afterwards.
84
85
This can happen if your operator uses the CDMA standard which is unsupported by SnoopSnitch; or if you are out of coverage of your network.
86
87
If you encounter this message and you are using GSM, UMTS, or LTE network, please send mail to snoopsnitch@srlabs.de providing your App ID, the SnoopSnitch version and the following details from the "About phone" dialog:
88
89
	* Model name
90
	* Android version
91
	* (alternative ROM version) 
92
	* Baseband version
93
	* Kernel version
94
95
Also press "Upload debug logs". If you could also provide the output of "logcat -v time" from the moment you started SnoopSnitch to the occurrence of the error message, that could be very helpful, too.
96
97
h3. SnoopSnitch seemed to work, but now it does not update anymore
98
99
It seems like the diagnostic interface sometimes hangs and does not deliver (certain) radio messages anymore. We'll look into resetting it in a future version. For the time being, a phone restart is the only workaround we know of.
100
101
h3. What does "w" and "m" mean in the timeline on the dashboard?
102
103
Last *w*<notextile></notextile>eek and the last *m*<notextile></notextile>onth.
104
105
h3. How much is battery consumption increased by SnoopSnitch?
106
107
On our test phones we observe a moderate battery consumption of 1%-4%. However, some users report a dramatic increase of battery consumption especially in conjunction with dual-SIM devices.
108
109
h3. Are dual-SIM phones supported by SnoopSnitch?
110
111
It will work if you manually select on SIM, but there is no way of selecting the SIM to be used for SnoopSnitch. Some people also report increased battery consumption on dual-SIM devices. Battery consumption is higher when you switch on SnoopSnitch’s GPS tracking.
112
113
h3. Where can I find the version string?
114
115
In the first line of the About screen.
116
117
h2. IMSI Catcher/Stingray Detection
118
119
h3. I got an IMSI catcher alarm - where can I get more information?
120
121
Please upload detection events using the "Upload" button in the event list.
122
123
Please also send an e-mail to snoopsnitch@srlabs.de describing what happened - we will look into your data and give you feedback on whether this was a real event. Don't forget your App ID!
124
125
h3. Are false positives possible?
126
127
As SnoopSnitch uses heuristics to detect IMSI catchers and we cannot test the app on every mobile network in the world, false positives are well possible. This is true especially in situations with poor coverage or when traveling at high speeds.
128
129
Events with scores >= 5.0 are most probably real catchers.
130
131
h3. Are active tests needed for IMSI catcher detection?
132
133
No, IMSI catcher detection is independent of active tests. SnoopSnitch can be used passively without ever running an active test.
134
135
h3. Are SRLabs servers required for catcher detection?
136
137
No. We do not upload your data to our servers unless you press the upload button for an event. The continuous analysis does not required any server or even Internet connectivity.
138
139
h3. Are security events or IMSI catchers collected on a website somewhere?
140
141
No.
142
143
h3. Does a catcher alarm imply that my calls are wiretapped?
144
145
Not necessarily. Some IMSI catchers only collect IDs of devices passing by to locate or track them. Those devices don't intercept calls or SMS.
146
147
h3. Is a SIM card required to detect IMSI catchers?
148
149
Yes, a valid SIM card is required.
150
151
h3. Has SnoopSnitch been tested with real IMSI catchers/Stingrays?
152
153
Yes.
154
155
h3. How is the score calculated?
156
157
See [[IMSI Catcher Score]] for details.
158
159
h3. What is the range of the IMSI catcher score?
160
161
Only scores above 2.0 are displayed. The score can be greater than 10.0 with IMSI catcher in identification mode (that we tested) having a score of around 9.0.
162
163
h3. What does the location in catcher events mean?
164
165
It shows the location of your *phone* when the event occurred. It does not give you the location of the IMSI catcher.
166
167
h3. Why is no location information shown in my events?
168
169
That location information only works if the location service is activated in your OS settings *and* in the SnoopSnitch settings.
170
171
h3. How accurate is the location information?
172
173
We sample the location of the phone once per minute and correlate that the time of a security event. Hence, this is only an approximation which may be inaccurate especially when traveling at high speeds.
174
175
Turning on GPS location leads to a much higher accuracy than network-based location.
176
177
h2. Security Events
178
179
h3. What threats does SnoopSnitch warn about?
180
181
The app detects threats in mobile networks, such as fake base stations (aka. IMSI catchers or Stingrays), silent SMS, and binary SMS. It also detects some artifacts of user tracking using the SS7 network.
182
183
h3. What is a silent SMS and what is it used for?
184
185
Silent messages are used to refresh location information in databases police departments sometimes have access to. A silent SMS is a text message that is neither stored on the phone nor displayed to the user when received. Standard-compliant phones will send a delivery notification upon arrival. They can be used to validate that a phone is switched on and to generate metadata that allows to determine the rough position of a subscriber.
186
187
h3. What is a binary SMS and what is it used for?
188
189
Binary SMS carry data dedicated to the SIM card, the baseband processor or the application processor. They are typically used to perform updates to the SIM card over the air (OTA), but also for voice mail notification, device configuration, MMS or custom applications. As silent SMS, the user normally is not notified about the reception of a binary SMS.
190
191
Binary SMS can be misused to update your phone with malware or to exploit weaknesses in your phones software stack.
192
193
h3. Which legitimate applications of binary SMS can cause false positives?
194
195
You often receive one or two binary SMS when roaming: Your home network updates the list of preferred networks when first connecting to a foreign network. Depending on the size of this list you will receive multiple binary SMS when you are traveling and crossing the boarder. See "this list post":https://lists.srlabs.de/pipermail/gsmmap/2015-March/001247.html for details.
196
197
Users also reported mobile authentication systems for online banking to use binary SMS.
198
199
h3. What is an empty paging?
200
201
It is an artifact we observed during our SS7 attack research. It is a regular paging that gets aborted, i.e. there is no useful transaction like a call or SMS happening afterwards. It could be a sign of SS7-based tracking if it happens regularly.
202
203
h3. In which situations can empty pagings be false positives?
204
205
Users reported empty paging alarms when using so-called Multi-SIMs. In this setup two SIMs are reachable under the same number. The user can configure which phone takes precedence when both phones are turned on and a call or SMS arrives. The phone with lower priority may observe null paging alarms.
206
207
Received calls that are hung up by the caller such that your phone got paged, but the call was not set up yet may also result in a false positive. This pattern may also happen in situations with poor reception where only parts of a transaction are received.
208
209
h3. What should I do when a security event is detected?
210
211
Keep calm. Skim through the above FAQ entries and check whether any of the causes for false positives apply to you. Think about other actions you performed with your phone that may be related to the alarm.
212
213
If you see no good reason for an alarm, you can send email to snoopsnitch@srlabs.de asking for an analysis of your data. You need to upload every relevant incidents using the 'upload' button in the detail view and provide us with your App ID. Please also include a description of what you did when the alarm was triggered.
214
215
h3. How are security events detected?
216
217
SnoopSnitch uses the diagnostic interfaces of Qualcomm chipsets to gather raw radio data. This data is parsed, GSM and UMTS messages are extracted and stored as transaction metadata in a local database on the device. The SnoopSnitch background service regularly runs an event detection filter on that database and notifies the user if an event was detected since the last analysis.
218
219
h3. Does SnoopSnitch detect silent SMS sent by HushSMS?
220
221
It does. However, some network operators apply filters to block silent SMS or transform them into regular SMS.
222
223
h3. Does SnoopSnitch block binary or silent SMS?
224
225
No. SnoopSnitch has no control over the baseband processor which is handling these messages independently.
226
227
h3. Does SnoopSnitch take countermeasures to security events?
228
229
No. Given the amount of legitimate reasons for receiving those messages we did not implement that. There may be a configuration option in future versions to enable such a feature (e.g. switch to airplane mode).
230
231
h3. What is the difference to AIMSICD, mICC or Darshak?
232
233
mICC as well as AIMSICD are apps for IMSI catcher detection using non-rooted Android devices. In addition, AIMSICD strives for detecting silent SMS and other threats without requiring root privileges.
234
235
The idea of not requiring root privileges is very attractive as it allows for a less complicated and much more widespread use of an app. However, as regular Android APIs provide only limited information about the radio network, those app potentially have a less accurate detection and a higher false-positive rate. Silent SMS, binary SMS and most network security characteristics cannot be detected without access to low-level data, which on Android implies root privileges.
236
237
Darshak is an app for Samsung Galaxy S3 phone with stock Android 4.1.2 firmware requiring root privileges. According to the project docs it performs a security estimation comparable to SnoopSnitch's network score and detects silent SMS. Furthermore, a non-published IMSI catcher detection scheme seems to exist.
238
239
h2. Network security metrics
240
241
h3. When I press "Test" the phone places a lot of calls and get called by a US number. What's going on?
242
243
This is normal and expected. The active test will generate 3 rounds of incoming/outgoing calls and incoming/outgoing SMS in the default configuration. This is to generate a defined set of transaction necessary for calculating the network scores.
244
245
Make sure not to pick up or reject any of the calls, otherwise you'll get blocked. 
246
247
h3. How often should I run the active tests?
248
249
One or two times per month are sufficient per location and network technology (GSM, UMTS, LTE) and every time you are abroad.
250
251
h3. Are active tests needed for the network security metrics?
252
253
No, the score will also be calculated based on the radio data you produce when using the phone normally. However, running the active tests improves the quality of the score by creating all transactions necessary for that calculation.
254
255
h3. Will I get charged for active tests?
256
257
You shouldn't. However, some users reported they got billed for the outgoing SMS we send to an invalid number (*4* by default) during active test. You should have have an eye on your phone bill / balance when running active tests regularly. If you notice your are billed for those outgoing SMS, you can either disable outgoing SMS completely or configure a different number in the settings.
258
259
h3. How can I disable outgoing SMS to save money?
260
261
Check the "Disable outgoing SMS" box in the settings.
262
263
h3. How can I change the number test SMS are sent to?
264
265
Enter a free-of-charge number in the "Outgoing SMS number" dialog in the settings.
266
267
h3. How long does the incoming test call ring?
268
269
The server rings for 15 seconds. You should disable or reconfigure your mailbox if it picks up the call earlier than that.
270
271
h3. I got banned, what now?
272
273
See [[Banned]].
274
275
h3. Why do I never receive incoming SMS during active test?
276
277
We suppress incoming SMS for networks users have already contributed enough data; for example Germany.
278
279
h3. What does the message "Test 2G and 3G networks" mean?
280
281
It just means that you should test all the network technologies available, i.e. GSM, UMTS and maybe LTE.
282
283
h3. How can I switch between network modes (GSM/UMTS/LTE) easily?
284
285
Due to limitations in Android this cannot be done from within the App or by SnoopSnitch automatically. You need to change this in your Android settings, typically under "Mobile network settings" > "Preferred network type".
286
287
h3. Where can I find active test results?
288
289
They are represented as white circles in the bar charts on the lower half of the dashboard.
290
291
h3. What do the Intercept and Impersonation charts mean?
292
293
These are scores estimating the risk of having a connection intercepted or impersonated in a certain network. See the report for your country for details. If there is no report available for your country, have a look at the "report for Germany":http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-Germany-2015-02.pdf for an explanation.
294
295
h3. Why is the Tracking score missing in SnoopSnitch?
296
297
Tracking is a global value for your operator which has nothing to do with your particular devices. As it would essentially be a static value we decided to leave it out to safe screen space.
298
299
h3. Why does my local measurement differ from https://gsmmap.org results?
300
301
The values on GSMmap are averaged over many samples for a network contributed by different users in different locations. The location, the type of SIM used or the current load of the network are factors that influence the score. For the reason your local measurement may differ significantly from the GSMmap score.
302
303
h3. How long does it take to update https://gsmmap.org?
304
305
We update it once per month, as all scores are calculated on a per-month basis.
306
307
h3. I don't see my measurements reflected in https://gsmmap.org?
308
309
The map is not updated in real time. It may take as long as a month to have your values incorporated into GSMmap.
310
311
h2. Compatibility
312
313
h3. Does SnoopSnitch run on my phone?
314
315
Your phone must be rooted *and* it must have a Qualcomm chipset. See http://www.xda-developers.com/root/ for a description of what "rooting" means and for instructions on how to root your device. The website http://www.gsmarena.com/ offers extensive information for many phone models,
316
including the chipsets used.
317
318
For devices reported to work with SnoopSnitch have a look at our [[DeviceList|device compatibility list].
319
320
h3. Does SnoopSnitch run on my Nexus 3/4/5?
321
322
As Google seems to have excluded the Qualcomm DIAG driver from all their production devices, SnoopSnitch does *not* work on Nexus devices with stock ROM. However, many users reported that they got SnoopSnitch working on a Nexus device with CyanogenMod or a custom kernel. See the TODO:REF device list for details on supported custom kernels.
323
324
h3. Which custom kernel can I use to make SnoopSnitch work with my stock ROM?
325
326
Have a look at the comment column in the [[DeviceList|device compatibility list].
327
328
h3. Which Android versions does SnoopSnitch run on?
329
330
The app requires at least Android 4.1.2 (API level 16).
331
332
h3. Why are Android versions below 4.1.2 (API level 16) unsupported?
333
334
To support Android 5 (Lollipop) an app with native executable like SnoopSnitch necessarily breaks support for Android versions below 4.1. The reason is that on Lollipop position independent executables (PIEs) are mandatory while they are unsupported (and crash) on Android version older than 4.1.
335
336
h3. Does SnoopSnitch run on Android 5 (Lollipop)?
337
338
Yes. However, many vendors like Samsung or HTC seem to have changed their policy regarding the Qualcomm DIAG driver. Devices like the Samsung S5 do not include this driver anymore when being updated to Lollipop and are thus incompatible.
339
340
We have indications that some vendors delete the respective device node in their device specific init script (e.g. init.mako.rc for the Nexus 4). The device node could be recreated on such systems if the driver is built into the kernel. See TODO:Ref on how to check the existence of the driver.
341
342
If you updated your compatible device to Android 5 and SnoopSnitch starts complaining that it is not compatible anymore, you have the following options:
343
344
* Perform a downgrade to Android 4.x
345
* Use a custom kernel
346
* Install a custom ROM
347
348
h3. Does SnoopSnitch run on custom ROMs like CyanogenMod?
349
350
That depends on the particular build of your custom ROM. SnoopSnitch should work if the maintainer of your devices ROM enabled the Qualcomm DIAG driver in the Android kernel (cf. TODO - what needs to be enabled). If you find SnoopSnitch complaining about a missing /dev/diag device, ask your maintainer to include that driver in future version of your ROM.
351
352
h3. How can I verify that SnoopSnitch works correctly?
353
354
If you do not get the error "No baseband message received" after an active test your setup works fine. A comparable error message is also displayed in the dashboard after while if something is wrong.
355
356
h3. How do I grant root permissions on CyanogenMod?
357
358
You need to enable root access for apps in the developers menu.
359
360
h3. On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su
361
362
You need to enable root access for apps in the developers menu.
363
364
h3. My device works, but is not in the compatibility list
365
366
Send mail to snoopsnitch@srlabs.de containing the device brand and model, including the model number from the "About phone" menu. Please also tell the Android version, whether you are using a custom ROM or special kernel and any other specifics you find worth mentioning. We are happy to add you device to the list.
367
368
h3. Which phone do you recommend?
369
370
We tested a lot with the "Motorola Moto E":https://people.torproject.org/~ioerror/skunkworks/moto_e/. It is relatively cheap, seems to work well and is a pretty good phone for that price. Note, that we did not test try the current (2015) version of the Moto E.
371
372
h3. Can I use an old Android phone running SnoopSnitch in addition to my normal phone?
373
374
Sure, as long as it is compatible. This works for hunting IMSI catchers in identification mode, but naturally you'll not be warned about attacks or tapping against your main phone.
375
376
h3. Are 64bit Qualcomm chipsets supported?
377
378
We don't expect many changes in the debug interface we are using. However, we don't know whether anybody has successfully tried SnoopSnitch on any 64bit Qualcomm SoC.
379
380
h3. Will there be a SnoopSnitch version for iPhone/Blackberry/Windows Phone...?
381
382
For the time being, SnoopSnitch will run on rooted Android phones with Qualcomm chipset exclusively. Even if the device does have a Qualcomm chipset like some Blackberry 10 models, we do not have permissions to access radio data there and rooting those devices pose a much greater challenge than on Android.
383
384
h3. Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?
385
386
This is very unlikely, as it is a huge amount of work to get any different chipset supported. Most importantly, information on how to get raw radio data or debug traces out of those chipsets must be available, the respective interfaces need to be available to the application processor and someone has to develop the tools and services to support it.
387
388
h3. Does SnoopSnitch run on Jolla/Sailfish OS?
389
390
No. Given that Sailfish OS has an Android emulation and the Jolla device has a Qualcomm chipset, it is at least imaginable to implement support for it.
391
392
h3. SnoopSnitch says may phone is incompatible, but it's rooted and has a Qualcomm chipset
393
394
Your phone may be missing the DIAG device driver in the kernel or the /dev/diag device node.
395
396
h3. SnoopSnitch says /dev/diag not found - what does that mean?
397
398
Either your ROM does not have the DIAG driver compiled into the kernel or at least the respective device does not exist.
399
400
h2. Privacy and Security
401
402
h3. Which information does SnoopSnitch store during operation?
403
404
In the default configuration radio traces are stored on the device encrypted with our public key. Additionally, parsed radio data are stored in a database locally on the device. This database contains metadata of the transactions your phone performed, including timestamps, cell IDs, your IMSI, your IMEI, phone numbers of communication partners and SMS user data in its original binary form. A debug log is constantly written to a file on the device. If configured in the settings your location is periodically stored in the same database.
405
406
As soon as one event is marked for upload, the whole database content is anonymized to prevent private identities and communications disclosure.
407
This involves shortening IMSI, IMEI and phone numbers to at most 6 digits, and deleting all the SMS payloads that are not considered suspicious.
408
409
By default, metadata is purged after one month and raw traces, location data and debug logs are cleaned after one day.
410
411
h3. Does SnoopSnitch encrypt its files/database/network traffic?
412
413
Files like debug logs, radio traces or database dumps are stored on the device encrypted with our public key. For upload of those files to our servers HTTPS is used with certificate pinning. For downloading GSMmap data from gsmmap.org HTTPS is used.
414
415
h3. Does SnoopSnitch use the Tor network for anonymity?
416
417
SnoopSnitch is not modified to use Tor. However, as your device must be rooted to work with SnoopSnitch you can simple install Orbot and configure it to transparently anonymize all connections made by SnoopSnitch.
418
419
h3. What information is uploaded by SnoopSnitch?
420
421
When you press the "Upload" button for an event, the raw radio data for that event are uploaded. Raw radio data is split into chunks of 10 minutes. For each event at most 2 of those files, i.e. at most 20 minutes of radio data, are uploaded. In the recent versions of the app, metadata information corresponding to the time window of the event is also uploaded.
422
423
h3. What happens when "Upload suspicious activity" is pressed?
424
425
Raw radio traces and a database dump for the last hour is uploaded.
426
427
h3. What happens when "Upload pending files" is pressed?
428
429
All files you submitted for upload earlier are uploaded. This is useful if you had no connectivity when pressing "Upload" or "Upload suspicious activity" and you want to upload the data later.
430
431
h2. Translation
432
433
h3. Can you translate SnoopSnitch in my language
434
435
SnoopSnitch has been translated to English, German and Dutch. We do not have the capacity to create and maintain any other translations. If you want to contribute *and* maintain a translation to another language, please contact snoopsnitch@srlabs.de. Note, that maintaining a translation involves regular work to adapt to upstream changes.
436
437
h2. Collected Data
438
439
h3. How can I access or export the data used for (IMSI Catcher) analysis?
440
441
The analysis results and meta data is stored in a SQLite database. You can use a third-party tool like SQLiteManager to view and export the database. The database file on the device is
442
443
<pre>
444
/data/data/de.srlabs.snoopsnitch/databases/msd.db
445
</pre>
446
447
h3. Which logs exist on the phone an what do they contain?
448
449
Encrypted Qualcomm DIAG traces:
450
451
<pre>
452
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz.smime
453
</pre>
454
455
Unencrypted Qualcomm DIAG traces (to be enabled in the development settings):
456
457
<pre>
458
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
459
</pre>
460
461
Encrypted SnoopSnitch debug log:
462
463
<pre>
464
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz.smime
465
</pre>
466
467
Unencrypted SnoopSnitch debug log (to be enabled in the development settings):
468
469
<pre>
470
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz
471
</pre>
472
473
h3. How can I access raw radio information?
474
475
Enable unencrypted radio data in the development settings. You can pull the unencrypted radio traces from
476
477
<pre>
478
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
479
</pre>
480
481
h3. How can I analyze radio data?
482
483
You can use the same GSM parser used in the app on your Linux or OS X machine. In the SnoopSnitch code base it can be found under ./contrib/gsm-parser (or in its separate repository: http://opensource.srlabs.de/git/gsm-parser.git). The compile.sh script in the SnoopSnitch repo can build that for Linux or OS X:
484
485
<pre>
486
$ cd contrib
487
$ ./compile.sh -t host
488
</pre>
489
490
The resulting parser binary is in contrib/gsm-parser/diag_import. To analyze the log files diag_import on the raw traces you pulled from the device and parse the results into an SQLite database. On the host the sqlite3 binary is required to do this:
491
492
<pre>
493
(cat \
494
        contrib/gsm-parser/cell_info.sql \
495
        contrib/gsm-parser/si.sql \
496
        contrib/gsm-parser/sms.sql \
497
        | sed -e 's/\/\*.*//g'
498
499
    contrib/gsm-parser/diag_import <your input files> | sed -ne 's/SQL://p'
500
501
) | sqlite3 result_db.sqlite
502
</pre>
503
504
h3. How can I extract radio traces in PCAP/GSMTAP format?
505
506
Add the parameter
507
508
	-g output.pcap
509
510
to the diag_import call above.
511
512
h3. How can I check what was uploaded or still needs to be uploaded?
513
514
Unfortunately you can't at the moment.
515
516
h3. The name of my network operator is wrong
517
518
Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.
519
520
h3. My country is unknown
521
522
Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.
523
524
h3. Why do security events disappear after a while?
525
526
By default, all log files and metadata is cleaned up after a month (metadata) or a day (logs). When this happens, your events or the location recorded for them may disappear. You can change the period in the settings.
527
528
h3. I cannot upload radio data, as the Upload button is replaced by "No data"
529
530
This means that you still have the metadata of some event in your database, but the respective radio data has been deleted in the meantime. Normally this should not happen, as files that potentially contain events are not removed on cleanup. However, if you upgrade to a later version of SnoopSnitch, a situation may arise where we improved the detection and now recognize events that were not detected in the past. In this case the raw data may already be deleted.
531
532
h3. Why is the cell ID "0" in the Network Info screen?
533
534
This is a technical limitation currently present in SnoopSnitch's GSM parser. The sessions are still valid, we just don't know the cell ID.
535
536
h3. How many people are using SnoopSnitch in <my_favorite_location>?
537
538
We can't tell. SnoopSnitch does not phone home to tell us who is using it. We only know where SnoopSnitch is used when people tell us by email or upload their results.
539
540
h3. What does the Cell ID mean?
541
542
It is the unique identifier of cell tower comprising of MCC/MNC/LAC/CID.
543
544
h2. Development
545
546
h3. What needs to be enabled in the Android kernel to make SnoopSnitch work?
547
548
The kernel needs to have the DIAG_CHAR device driver enabled and the /dev/diag character device must be present. The driver can be found under drivers/char/diag/ in the MSM kernel source.
549
550
h3. How can I check whether the DIAG driver is enabled
551
552
Check whether a kernel driver named 'dia' is found in /proc/devices:
553
554
<pre>
555
$ grep dia$ /proc/devices
556
247 dia
557
</pre>
558
559
Then check whether a character device /dev/diag with a corresponding major number (it may differ from the value 247 in this example) exists:
560
561
<pre>
562
$ ls -l /dev/diag
563
crw-rw---- system   qcom_diag 247,   0 1970-02-02 03:25 diag
564
</pre>
565
566
h3. Where does the initialization sequence for the DIAG device come from?
567
568
It is snooped from the communication between the QXDM tool and the mobile device.
569
570
h3. I cannot check out the Git repository under Windows
571
572
When cloning the repository under Windows the following error occurs:
573
574
<pre>
575
Cloning into 'snoopsnitch'...
576
577
fatal: unable to access 'https://opensource.srlabs.de/git/snoopsnitch.git/': error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
578
</pre>
579
580
Some people reported that issue, but we don't know exactly what the problem is. Checkout and build of SnoopSnitch works under Linux as well as OS X. If you have a solution to this problem (other than using Linux or OS X ;-) please mail to snoopsnitch@srlabs.de.
581
582
h3. How can I build SnoopSnitch?
583
584
Check out the source repository and in the ./SnoopSnitch directory do
585
586
<pre>
587
$ ant debug
588
</pre>
589
590
h3. Which IDE are you using to develop SnoopSnitch?
591
592
We are using Eclipse together with the ADT plugin. Note, that a single 'ant debug' build on the command line is necessary as described. The reason is that the asset directory of the app is populated using a custom ant script. This will not work from within Eclipse.
593
594
h3. Can I build SnoopSnitch in Android Studio?
595
596
No.
597
598
h3. How are radio messages processed?
599
600
1. SnoopSnitch/jni/diag-helper.c
601
602
Thats a small binary binary proxying data between the App and the Qualcomm DIAG interface. It is invoked in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdService.java and there are two threads (FromDiagThread and ToDiagThread) that pass data back and forth.
603
604
2. GSM parser
605
606
Another native binary started by MsdService. The source is in contrib/gsm-parser/diag_import.c. That binary takes the diag data, parses it and sends back SQL statements to the App, resulting in metadata to be inserted into the local Sqlite database.
607
608
3. The actual analysis (including SS7 and IMSI catchers) is done in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdServiceAnalysis.java using the SQL scripts in SnoopSnitch/assets.
609
610
h3. Is there a public bug tracker for SnoopSnitch?
611
612
No, to report bugs please mail to snoopsnitch@srlabs.de