FAQ » History » Version 4

Patrick, 04/17/2018 04:26 PM
updates to reflect SnSn v2.0

h1. Frequently Asked Questions

{{toc}}

h1. SnoopSnitch 2.0 Overview

h2. General - SnSn app v2.0

h3. What does SnoopSnitch do?

SnoopSnitch offers users several tests they can use to assess the overall security of their mobile devices. These tests are focused on two areas:

First, SnoopSnitch offers analysis on whether the testing device’s build of the Android mobile operating system is missing security patches. The primary goal of this test is to identify if any patches are missing relative to the device’s current security patch level date. Our secondary goal is to provide a fact-based incentive to device vendors to further improve their patching processes.

Second, SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the primary goal is to help mobile users detect network-originated attacks, such as via SS7, SMS, or IMSI catchers. Our secondary goal is to provide a fact-based incentive to Mobile Network Operators to improve the security of their networks.

h3. Where can I download SnoopSnitch?

It is available from "Google Play":https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch, from "F-Droid":https://f-droid.org/repository/browse/?fdid=de.srlabs.snoopsnitch or directly from the "project website":https://opensource.srlabs.de/projects/snoopsnitch.

h3. Do you accept donations?

No.

h2. Update to v 2.0

h3. What was updated in the 2.0 release?

The 2.0 update added the Android patch level analysis test feature set to the app. It also included many UI improvements.

h2. Compatibility - SnSn app v2.0

h3. Does SnoopSnitch require root privileges?

PARTIALLY. Some SnoopSnitch security tests require root and superuser access to function. However, the app can still be installed and some security tests will function without that level of access.

Android patch level analysis *does not require root access* to function.

Mobile network security tests *require root access* to function.

Please refer to the different sections of the FAQ for greater detail about topics related to the two different security testing feature sets.

h3. Can you implement a mode that does not require root privileges?

As noted above, tests for Android patch level analysis do not require root access. SnSn can be downloaded, installed, and used for Android patch level analysis without granting it root access.

The FAQ section "Topics regarding the mobile network security tests" explains in greater detail why these tests require root access.

h3. Does SnoopSnitch run on my phone?

SnoopSnitch will work on Android OS > 4.1.2 phones only. SnoopSnitch *does not work* on any non-Android device, e.g. Apple devices.

The *patch analysis feature* will work on all Android devices.

To use the *mobile network testing and attack detection features*, your phone must be rooted *and* it must have a Qualcomm chipset.

For a list of devices reported to support all features of SnoopSnitch, see: https://opensource.srlabs.de/projects/snoopsnitch/wiki/DeviceList

See http://www.xda-developers.com/root/ for a description of what "rooting" means and for instructions on how to root your device. The website http://www.gsmarena.com/ offers extensive information for many phone models, including the chipsets used.

h3. Which custom kernel can I use to make SnoopSnitch work with my stock ROM?

Have a look at the comment column in the non-exhaustive 'known supported device list' here: https://opensource.srlabs.de/projects/snoopsnitch/wiki/DeviceList

h3. Does SnoopSnitch run on custom ROMs like CyanogenMod or LineageOS?

That depends on the particular build of your custom ROM. SnoopSnitch and the mobile network security tests should work if the maintainer of your device's ROM enabled the Qualcomm DIAG driver in the Android kernel. If you find SnoopSnitch complaining about a missing /dev/diag device, ask your maintainer to include that driver in future versions of your ROM.

Many versions of LineageOS are known to work properly with SnoopSnitch.

h3. How do I grant root permissions on CyanogenMod/LineageOS?

You need to enable root access for apps in the developer menu or grant the permission in the popup dialogs when running SnoopSnitch.

h3. On CyanogenMod when starting SnoopSnitch it immediately tells me it can't su

You need to enable root access for apps in the developer menu.

h3. My device works, but is not in the compatibility list

Send mail to snoopsnitch@srlabs.de containing the device brand and model, including the model number from the "About phone" menu. Please also state the Android version, whether you are using a custom ROM or special kernel, and any other specifics you find worth mentioning. We are happy to add your device to the list.

h3. Can I use an old Android phone running SnoopSnitch in addition to my normal phone?

Sure, as long as it is compatible. This works for hunting IMSI catchers in identification mode, but naturally you will not be warned about attacks or tapping against your main phone.

h3. Are 64bit Qualcomm chipsets supported?

We don't expect many changes in the debug interface we are using. However, we don't know whether anybody has successfully tried SnoopSnitch on any 64bit Qualcomm SoC.

h3. Can you make SnoopSnitch run on my non-Qualcomm device, e.g. the Fairphone?

This is very unlikely, as it is a huge amount of work to get any different chipset supported. Most importantly, information on how to get raw radio data or debug traces out of those chipsets must be available, the respective interfaces need to be accessible to the application processor, and someone has to develop the tools and services to support it.

h2. Privacy

For additional information on this topic please refer to our [[Privacy_Policy]] page.

h3. What information is uploaded by SnoopSnitch?

For *Android patch level analysis*, after manually triggering a test, the anonymous analysis results and firmware build details are collected and uploaded to our server.

For *mobile network security tests*, the user may choose to upload detailed event logs, which are encrypted by default. These logs may contain some personally identifiable information, such as phone numbers, GPS locations, IMEI, IMSI or other mobile network data, even though we have implemented methods to remove such information.

h3. Which information does SnoopSnitch store during mobile network security test operation?

In the default configuration, radio traces are stored on the device encrypted with our public key. Additionally, parsed radio data is stored in a database locally on the device. This database contains metadata of the transactions your phone performed, including timestamps, cell IDs, your IMSI, your IMEI, phone numbers of communication partners and SMS user data in its original binary form. A debug log is constantly written to a file on the device. If configured in the settings, your location is periodically stored in the same database.

As soon as one event is marked for upload, the whole database content is anonymized to prevent disclosure of private identities and communications. This involves shortening IMSI, IMEI and phone numbers to at most 6 digits, and deleting all SMS payloads that are not considered suspicious.

By default, metadata is purged after one month and raw traces, location data and debug logs are cleaned after one day.
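
As an added illustration (not the app's own code), the anonymization rule described above applied to a constructed, pipe-separated metadata dump, followed by a check that nothing identifying survived. The column layout, the digits-only normalization of phone numbers and the per-row "suspicious" flag are assumptions made for this example, not the SnoopSnitch database schema.

```shell
#!/bin/sh
# Added example, not from the SnoopSnitch code base. Applies the FAQ's
# anonymization rule (IMSI, IMEI and phone numbers cut to at most 6 digits,
# SMS payloads dropped unless flagged suspicious) to a constructed dump.
#
# Assumed record layout, one transaction per line:
#   ts|cell_id|imsi|imei|msisdn|sms_payload_hex|suspicious(0/1)

# Anonymize records read from stdin and write them to stdout.
# Identifier columns 3-5 are reduced to digits and then to their first 6
# digits (operator prefix survives, subscriber-specific tail is gone).
anonymize_metadata() {
    awk -F'|' -v OFS='|' '
        {
            for (i = 3; i <= 5; i++) {
                gsub(/[^0-9]/, "", $i)      # assumption: keep digits only
                $i = substr($i, 1, 6)
            }
        }
        $7 != "1" { $6 = "" }               # drop payload unless suspicious
        { print }'
}

# Verify an (allegedly) anonymized dump on stdin. Exit status 1 if any
# identifier column still holds more than 6 characters or a non-suspicious
# row still carries an SMS payload, 0 otherwise.
verify_anonymized() {
    awk -F'|' '
        length($3) > 6 || length($4) > 6 || length($5) > 6 { bad = 1 }
        $7 != "1" && $6 != ""                              { bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample: two transactions, only the first flagged suspicious.
SAMPLE_DB='1523968800|26201-4711|262011234567890|353456789012345|+4915112345678|0605040B8423F0|1
1523968860|26201-4711|262011234567890|353456789012345|+4917698765432|C8329BFD0651|0'

anonymized=$(printf '%s\n' "$SAMPLE_DB" | anonymize_metadata)
printf '%s\n' "$anonymized"
printf '%s\n' "$anonymized" | verify_anonymized && echo "OK: dump is anonymized"
```

The raw sample fails `verify_anonymized`, the processed one passes; run the same check over a real dump before uploading it anywhere.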

h3. Does SnoopSnitch encrypt its files/database/network traffic?

Files like debug logs, radio traces or database dumps are stored on the device encrypted with our public key. For upload of those files to our servers, HTTPS is used with certificate pinning. For downloading GSMmap data from gsmmap.org, HTTPS is used.

h3. Does SnoopSnitch use the Tor network for anonymity?

SnoopSnitch is not modified to use Tor. However, as your device must be rooted to work with SnoopSnitch, you can simply install Orbot and configure it to transparently anonymize all connections made by SnoopSnitch.

h3. What information is uploaded by SnoopSnitch for the mobile network security tests?

When you press the "Upload" button for an event, the raw radio data for that event is uploaded. Raw radio data is split into chunks of 10 minutes. For each event at most 2 of those files, i.e. at most 20 minutes of radio data, are uploaded. In recent versions of the app, metadata corresponding to the time window of the event is also uploaded.

h3. What happens when "Upload suspicious activity" is pressed after a mobile network security test?

Raw radio traces and a database dump for the last hour are uploaded.

h3. What happens when "Upload pending files" is pressed?

*Mobile network security test related files* you submitted for upload earlier are uploaded. This is useful if you had no connectivity when pressing "Upload" or "Upload suspicious activity" and you want to upload the data later. This currently does not trigger uploading the patch analysis information, though.

h2. Development

h3. What needs to be enabled in the Android kernel to make SnoopSnitch work?

The kernel needs to have the DIAG_CHAR device driver enabled and the /dev/diag character device must be present. The driver can be found under drivers/char/diag/ in the MSM kernel source.

h3. How can I check whether the DIAG driver is enabled?

Check whether a kernel driver named 'dia' is found in /proc/devices:

<pre>
$ grep dia$ /proc/devices
247 dia
</pre>

Then check whether a character device /dev/diag with a corresponding major number (it may differ from the value 247 in this example) exists:

<pre>
$ ls -l /dev/diag
crw-rw---- system   qcom_diag 247,   0 1970-02-02 03:25 diag
</pre>
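
To automate the two checks above, here is an added shell script (not part of the SnoopSnitch project) that parses /proc/devices and an "ls -l /dev/diag" line, compares the major numbers and reports which part is missing. It accepts the driver name "dia" as shown above and also "diag" (an assumption), and runs offline on constructed samples modelled on the two listings.

```shell
#!/bin/sh
# Added example, not from the SnoopSnitch project: automates the manual
# DIAG checks (driver registered in /proc/devices, matching /dev/diag node).
# The parsers take a file and an "ls -l" line as input so they can be run
# against the constructed samples below as well as the live files.

# Print the major number registered for the DIAG char driver in the given
# /proc/devices file, or nothing if none is registered. The name is "dia"
# in the listing above; "diag" is accepted as well (assumption).
diag_major_from_devices() {
    awk '$2 == "dia" || $2 == "diag" { print $1; exit }' "$1"
}

# Extract the major number from a single "ls -l" line describing a
# character device (the field ending in a comma, e.g. "247,"). Prints
# nothing for an empty line or a line that is not a character device.
device_major_from_ls() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^c/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+,$/) { sub(",", "", $i); print $i; exit }
        }'
}

# Combine both checks. Exit status: 0 = driver and node present and
# consistent, 1 = driver not registered (kernel built without DIAG_CHAR),
# 2 = /dev/diag node missing, 3 = node exists but belongs to another driver.
diag_status() {
    drv=$(diag_major_from_devices "$1")
    if [ -z "$drv" ]; then
        echo "DIAG driver not registered in $1"; return 1
    fi
    node=$(device_major_from_ls "$2")
    if [ -z "$node" ]; then
        echo "/dev/diag device node not found (driver major $drv)"; return 2
    fi
    if [ "$drv" != "$node" ]; then
        echo "major mismatch: driver $drv, /dev/diag $node"; return 3
    fi
    echo "DIAG driver and /dev/diag present (major $drv)"; return 0
}

# Constructed samples, modelled on the two listings above.
SAMPLE_DEVICES=$(mktemp)
trap 'rm -f "$SAMPLE_DEVICES"' EXIT
cat > "$SAMPLE_DEVICES" <<'EOF'
Character devices:
  1 mem
  5 tty
247 dia

Block devices:
  8 sd
EOF
SAMPLE_LS='crw-rw---- system   qcom_diag 247,   0 1970-02-02 03:25 diag'

# On the phone, use the live files instead of the samples:
#   diag_status /proc/devices "$(ls -l /dev/diag 2>/dev/null)"
diag_status "$SAMPLE_DEVICES" "$SAMPLE_LS"
```
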

h3. Where does the initialization sequence for the DIAG device come from?

It is snooped from the communication between the QXDM tool and the mobile device.

h3. How can I build and start developing SnoopSnitch?

Check out the source repository by:

<pre>
$ git clone --recursive https://opensource.srlabs.de/git/snoopsnitch.git
</pre>

and in the _./SnoopSnitch_ directory do:

<pre>
$ ./gradlew build
</pre>

h3. How can I build the binaries used by SnoopSnitch?

You do not have to, as we always ship prebuilt binaries.
If you want to do it anyway, please check out the *README* file in the _./contrib_ folder.
It contains information on how to use the shipped _compile.sh_ script (from the same folder) to build and integrate all the necessary binaries automatically.

h3. Which IDE are you using to develop SnoopSnitch?

We use _Gradle_ and _Android Studio_ to develop SnoopSnitch.

h3. How are radio messages processed?

1. *SnoopSnitch/jni/diag-helper.c*

That's a small native binary proxying data between the app and the Qualcomm DIAG interface. It is invoked in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdService.java, where two threads (FromDiagThread and ToDiagThread) pass data back and forth.

2. *GSM parser*

Another native binary started by MsdService. The source is in contrib/gsm-parser/diag_import.c. That binary takes the diag data, parses it and sends back SQL statements to the app, resulting in metadata being inserted into the local SQLite database.

3. The *actual analysis* (including SS7 and IMSI catchers) is done in SnoopSnitch/src/de/srlabs/snoopsnitch/qdmon/MsdServiceAnalysis.java using the SQL scripts in SnoopSnitch/assets.

h3. Is there a public bug tracker for SnoopSnitch?

No, to report bugs please mail to snoopsnitch@srlabs.de

h2. Translation

h3. Can you translate SnoopSnitch in my language?

SnoopSnitch is maintained in English and German. We do not have the capacity to create and maintain any other translations. If you want to contribute *and* maintain a translation to another language, please contact snoopsnitch@srlabs.de. Note that maintaining a translation involves regular work to adapt to upstream changes.

h1. Topics regarding the *Android patch level analysis*

This section covers topics specific to the Android patch level analysis testing feature set.

h2. Testing

h3. How often should I run the Android patch level analysis tests?

You only need to run the patch level analysis tests once initially, and then each time your device receives a firmware security patch level update. Running multiple tests while your device is on the same security patch level date will not offer different results.

SnoopSnitch has a helpful reminder feature: the app will detect when a new security patch level update is installed on a device and, on the next reboot, prompt the user to run a new round of patch level analysis tests.

h3. What do the patch level analysis results mean?

|_. Result |_. Definition |
| *Patched* | The firmware includes a patch to fix the listed CVE. |
| *Patch missing* | A patch for a CVE that should be included based on the firmware’s patch level date is missing. |
| *after claimed patch level* | Your device is missing a patch. However, the patch is included in an update that is after the latest security patch level date for your device. For example, if your device patch level date is October 2017, then unpatched CVEs found from November 2017 onwards will be marked as “after claimed patch level”. |
| *test inconclusive* | Our tests did not produce a conclusive result; it might e.g. be a false positive, that is to say we cannot be sure about the result. |
| *not affected* | Your current firmware is not affected by this CVE. |

h3. How do I install patches the tests indicate as missing?

Unfortunately there is not much an individual user can do on their own regarding missed patches that SnoopSnitch detects. Android security updates are a process impacted by chipset, device, and mobile network vendors. One of our goals with SnoopSnitch Android patch level analysis is to provide a fact-based incentive to device vendors to further improve their patching processes. Therefore, any specific questions or concerns about missing patches should be directed to your device vendor.

h3. Do missing patches mean my phone is going to be hacked right away?

Probably not. A missing patch would have to be part of a complex exploit chain in order for a device to be properly hacked. In our view a mobile device is much more likely to be compromised by a user installing a malicious app.

You can also review our Hack in the Box conference talk "Mind the Gap - Uncovering the Android Patch Gap Through Binary-Only Patch Level Analysis":https://conference.hitb.org/hitbsecconf2018ams/sessions/mind-the-gap-uncovering-the-android-patch-gap-through-binary-only-patch-level-analysis/ where we introduce and discuss our Android patch level analysis.

h3. How often do you add new tests for new patch levels or Android OS versions?

Writing tests for new patch levels and new Android OS versions takes time. We strive to release new tests as often as we are able.

h1. Topics regarding the *mobile network security tests*

This section covers topics specific to the mobile network security testing feature set.

h2. Context - mobile network security tests

h3. Why do SnoopSnitch mobile network security tests require root privileges?

Mobile network security tests *require root access* to function.

Because these tests collect data directly from the radio diagnostics interface, they require your phone to be rooted and ask for root permission using Superuser (SU) access. This is required for the mobile network security tests to function, as the Android API does not provide enough network details for the analysis to be performed. This permission is not a standard Android system permission and is ignored by normal Android devices. It is an informal standard developed by the Android developer community. It allows a program to indicate that it would like to acquire super-user permission. SnoopSnitch does nothing else with this permission. It simply asks for the permission in order to allow command-line tools to run as root. The "su" command is an example of a command that will use this permission.

SnoopSnitch will run, as root, the tools that are necessary to open the diagnostic device /dev/diag. This device is an Android kernel interface to debug messages from the Qualcomm baseband chip. It can be used to retrieve debug information, including raw radio messages.

Access to the DIAG interface is crucial for the analysis SnoopSnitch needs to perform. The Android OS and all apps are executed on the so-called application processor, whereas all interactions with the mobile network are performed independently on the baseband processor. The baseband takes care of details like measuring the signal strength of neighboring cells, performing transitions to other cells or passing binary SMS to the SIM card. Only certain details are exposed to the application processor through official interfaces.

To detect traces of IMSI catchers, to recognize silent SMS and binary SMS and to calculate the network security score, access to information is necessary that is normally handled by the baseband internally. The only way we know to accomplish that is through the DIAG interface, which requires root access.

h3. Can you implement a mobile network security test mode that does not require root privileges?

No, not without dropping SnoopSnitch’s core functionality of detecting mobile network abuse.

During development of SnoopSnitch we tried to gather information for IMSI catcher and special SMS detection on the application processor. We invested a lot of time and effort to instrument and analyze Android's radio interface layer (RIL), only to recognize that binary and silent SMS are handled completely inside the baseband processor, even though there is an Android API that suggested the opposite.

Furthermore, when comparing serving cell information and neighboring cell information presented by official Android APIs to the GSM traces we recorded through the Qualcomm diagnostic interface, we had to realize that those tend to be inaccurate, if present at all.

We do not see a way to build any decent threat detection using non-root interfaces on Android.

h3. Is it legal to use SnoopSnitch for mobile network security tests?

SnoopSnitch mobile network security tests record and analyze only your own transactions that are processed by your baseband chip. They do not intercept traffic of other mobile subscribers. While this should normally be legal, we cannot give you advice on whether this is lawful in your jurisdiction.

h3. Does SnoopSnitch prevent or mitigate mobile network attacks?

No. SnoopSnitch is a tool for detecting mobile network-based attacks using diagnostic information from the baseband chip. As it has no control over the baseband chip, it cannot block or prevent attacks.

h3. SnoopSnitch says my phone is incompatible with mobile network security tests, but it's rooted and has a Qualcomm chipset

Your phone may be missing the DIAG device driver in the kernel or the /dev/diag device node.

h3. SnoopSnitch says /dev/diag not found - what does that mean?

Either your ROM does not have the DIAG driver compiled into the kernel, or the respective device node does not exist.

h3. How can I verify that SnoopSnitch's mobile network security tests work correctly?

If you do not get the error "No baseband message received" after an active test, your setup works fine. A comparable error message is also displayed in the dashboard if SnoopSnitch recognizes that something is wrong.

h3. What are the timelines on the main screen good for?

The upper half of the dashboard shows potential attacks such as silent SMS and IMSI catchers for the last hour, the last day, the last week (w) and the last month (m). A detailed view is available by tapping the timeline.

h3. What do the graphs show?

The two bar charts in the center of the dashboard screen indicate the general protection capabilities of the current network (colored dot surrounded by a circle) compared to the other networks in a country (colored, filled circles). The network scores do not indicate concrete threats like IMSI catchers.

While colored circles in the bar chart indicate values obtained from https://gsmmap.org, white circles designate results of local measurements on your device.
Tapping on this section will display the gsmmap for the country you are in.

The chart in the lower part of the dashboard screen displays recently found network attacks, split into SMS/SS7 and IMSI catcher events. You can tap these to get more details on the recognized events and upload related logs.

h3. Does SnoopSnitch mobile network security testing support CDMA?

No. (We may add support for CDMA data collection in one of the next versions.)

h3. Does SnoopSnitch mobile network security testing support LTE?

You can collect and upload LTE radio traces in the active network test if you have LTE enabled, to support our security research. There is no LTE security score or any mobile threat detection for that technology yet.

h3. What do I need to consider when hunting IMSI catchers using SnoopSnitch mobile network security testing?

Not much. You may want to activate GPS location tracking within SnoopSnitch. Furthermore, you can change all cleanup intervals to "never" to avoid losing any data. If the app detects something, press the upload button for all events and send a brief email to snoopsnitch@srlabs.de describing the circumstances of your discovery (place, network technology, signal strength, etc.) and your App ID.

If you know you had contact with an IMSI catcher, but nothing was detected, press "Upload suspicious activity" in the menu and also send an email to snoopsnitch@srlabs.de describing what you observed and what your App ID was at that time.

h3. Does it make sense to use SIMs of multiple operators when hunting for IMSI catchers?

Sometimes. IMSI catchers in identification mode would typically collect IMSIs of all operators in the target area. Having an alarm for different networks in the same place at the same time is an even stronger indication of an IMSI catcher.

h3. How reliable is SnoopSnitch's mobile network security test detection?

While we are pretty confident about SnoopSnitch's capabilities, keep in mind that it uses heuristics which may fail. The reason is that networks may behave strangely or show characteristics we had not foreseen when designing the analysis model.

h2. Operation - mobile network security tests

h3. What does "No baseband messages" mean?

It means that SnoopSnitch successfully initialized the diagnostics interface of your Qualcomm-based phone, but never received any radio messages afterwards.

This can happen if your operator uses the CDMA standard, which is unsupported by SnoopSnitch, or if you are out of coverage of your network.

If you encounter this message and you are using a GSM, UMTS, or LTE network, please send mail to snoopsnitch@srlabs.de providing your App ID, the SnoopSnitch version and the following details from the "About phone" dialog:

* Model name
* Android version
* (alternative ROM version)
* Baseband version
* Kernel version

Also press "Upload debug logs". If you could also provide the output of "logcat -v time" from the moment you started SnoopSnitch to the occurrence of the error message, that would be very helpful, too.

h3. SnoopSnitch mobile network security testing seemed to work, but now it does not update anymore

It seems like the diagnostic interface sometimes hangs and does not deliver (certain) radio messages anymore. We'll look into resetting it in a future version. For the time being, a phone restart is the only workaround we know of.

h3. What do "w" and "m" mean in the timeline on the dashboard?

Last *w*<notextile></notextile>eek and the last *m*<notextile></notextile>onth.

h3. Are dual-SIM phones supported by SnoopSnitch?

It will work if you manually select one SIM, but there is no way of selecting the SIM to be used for SnoopSnitch. Some people also report increased battery consumption on dual-SIM devices. Battery consumption is higher when you switch on SnoopSnitch’s GPS tracking.

h3. Where can I find the version string?

In the first line of the About screen.

h2. IMSI Catcher/Stingray Detection

h3. I got an IMSI catcher alarm - where can I get more information?

Please upload detection events using the "Upload" button in the event list.

Please also send an e-mail to snoopsnitch@srlabs.de describing what happened - we will look into your data and give you feedback on whether this was a real event. Don't forget your App ID!

h3. Are false positives possible?

As SnoopSnitch uses heuristics to detect IMSI catchers and we cannot test the app on every mobile network in the world, false positives are entirely possible. This is true especially in situations with poor coverage or when traveling at high speeds.

Events with scores >= 5.0 are most probably real catchers.

h3. Are active tests needed for IMSI catcher detection?

No, IMSI catcher detection is independent of active tests. SnoopSnitch can be used passively without ever running an active test.

h3. Are SRLabs servers required for catcher detection?

No. We do not upload your data to our servers unless you press the upload button for an event. The continuous analysis does not require any server or even Internet connectivity.

h3. Are security events or IMSI catchers collected on a website somewhere?

No.

h3. Does a catcher alarm imply that my calls are wiretapped?

Not necessarily. Some IMSI catchers only collect IDs of devices passing by to locate or track them. Those devices don't intercept calls or SMS.

h3. Is a SIM card required to detect IMSI catchers?

Yes, a valid SIM card is required.

h3. Has SnoopSnitch been tested with real IMSI catchers/Stingrays?

Yes.

h3. How is the score calculated?

See [[IMSI Catcher Score]] for details.

h3. What is the range of the IMSI catcher score?

Only scores above 2.0 are displayed. The score can be greater than 10.0; the IMSI catchers in identification mode that we tested had a score of around 9.0.

h3. What does the location in catcher events mean?

It shows the location of your *phone* when the event occurred. It does not give you the location of the IMSI catcher.

h3. Why is no location information shown in my events?

Location information only works if the location service is activated in your OS settings *and* in the SnoopSnitch settings.

h3. How accurate is the location information?

We sample the location of the phone once per minute and correlate that with the time of a security event. Hence, this is only an approximation which may be inaccurate, especially when traveling at high speeds.

Turning on GPS location leads to a much higher accuracy than network-based location.

h2. Security Events - mobile network security tests
418 1 Alex
419 4 Patrick
h3. What threats do SnoopSnitch mobile network security tests warn about?
420 1 Alex
421
The app detects threats in mobile networks, such as fake base stations (aka. IMSI catchers or Stingrays), silent SMS, and binary SMS. It also detects some artifacts of user tracking using the SS7 network.
422
423
h3. What is a silent SMS and what is it used for?
424 3 Karsten
425 1 Alex
Silent messages are used to refresh location information in databases police departments sometimes have access to. A silent SMS is a text message that is neither stored on the phone nor displayed to the user when received. Standard-compliant phones will send a delivery notification upon arrival. They can be used to validate that a phone is switched on and to generate metadata that allows to determine the rough position of a subscriber.
426
427
h3. What is a binary SMS and what is it used for?
428
429
Binary SMS carry data dedicated to the SIM card, the baseband processor or the application processor. They are typically used to perform updates to the SIM card over the air (OTA), but also for voice mail notification, device configuration, MMS or custom applications. As silent SMS, the user normally is not notified about the reception of a binary SMS.
430
431
Binary SMS can be misused to update your phone with malware or to exploit weaknesses in your phones software stack.
432
433
h3. Which legitimate applications of binary SMS can cause false positives?
434
435
You often receive one or two binary SMS when roaming: Your home network updates the list of preferred networks when first connecting to a foreign network. Depending on the size of this list you will receive multiple binary SMS when you are traveling and crossing the boarder. See "this list post":https://lists.srlabs.de/pipermail/gsmmap/2015-March/001247.html for details.
436
437
Users also reported mobile authentication systems for online banking to use binary SMS.
438
439
h3. What is an empty paging?
440
441
It is an artifact we observed during our SS7 attack research. It is a regular paging that gets aborted, i.e. there is no useful transaction like a call or SMS happening afterwards. It could be a sign of SS7-based tracking if it happens regularly.
442
443
h3. In which situations can empty pagings be false positives?
444
445
Users reported empty paging alarms when using so-called Multi-SIMs. In this setup two SIMs are reachable under the same number. The user can configure which phone takes precedence when both phones are turned on and a call or SMS arrives. The phone with lower priority may observe null paging alarms.
446
447
Received calls that are hung up by the caller such that your phone got paged, but the call was not set up yet may also result in a false positive. This pattern may also happen in situations with poor reception where only parts of a transaction are received.
448
449 4 Patrick
h3. What should I do when a mobile network security event is detected?
450 1 Alex
451
Keep calm. Skim through the above FAQ entries and check whether any of the causes for false positives apply to you. Think about other actions you performed with your phone that may be related to the alarm.
If you see no good reason for an alarm, you can send an email to snoopsnitch@srlabs.de asking for an analysis of your data. You need to upload all relevant incidents using the 'upload' button in the detail view and provide us with your App ID. Please also include a description of what you did when the alarm was triggered.
h3. How are mobile network security events detected?
SnoopSnitch uses the diagnostic interfaces of Qualcomm chipsets to gather raw radio data. This data is parsed, GSM and UMTS messages are extracted and stored as transaction metadata in a local database on the device. The SnoopSnitch background service regularly runs an event detection filter on that database and notifies the user if an event was detected since the last analysis.
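
As an added example (not SnoopSnitch's own code), the following shows the kind of event detection filter described above, run over transaction metadata in an SQLite database: it implements the empty paging check from the FAQ entry above, a paging that no call or SMS follows, and only looks at records newer than the previous analysis run. The table layout, field names, sample rows and the 10-second timeout are assumptions for illustration and do not reflect the real msd.db schema.

```python
import sqlite3

# Constructed sample metadata (not real device data): one row per decoded
# radio transaction. 'paging' is a paging request addressed to this phone;
# the other kinds are the transactions that followed (or did not).
SAMPLE_ROWS = [
    # (id, timestamp_s, kind, cell_id)
    (1, 1000, "paging", 5678),
    (2, 1003, "call", 5678),        # paging completed by a call: normal
    (3, 1200, "paging", 5678),      # aborted, nothing follows: empty paging
    (4, 1500, "paging", 5678),
    (5, 1504, "sms", 5678),         # paging completed by an SMS: normal
    (6, 1800, "paging", 5678),      # aborted again: second empty paging
    (7, 2100, "binary_sms", 5678),  # a binary SMS without a preceding paging
]
PAGING_TIMEOUT_S = 10  # assumed: how long a paging may wait for its transaction

def load_metadata(rows):
    """Build the assumed metadata table in memory (not the msd.db schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transactions "
               "(id INTEGER PRIMARY KEY, ts INTEGER, kind TEXT, cell_id INTEGER)")
    db.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", rows)
    return db

def find_empty_pagings(db, now_ts, since_ts=0, timeout=PAGING_TIMEOUT_S):
    """Ids of pagings newer than since_ts (the previous analysis run) that no
    call or SMS followed within `timeout` seconds. A paging whose timeout has
    not yet elapsed at now_ts is skipped: its transaction may simply not be
    recorded yet, and flagging it would manufacture a false positive."""
    query = """
        SELECT p.id FROM transactions p
        WHERE p.kind = 'paging'
          AND p.ts > ?
          AND p.ts + ? <= ?
          AND NOT EXISTS (
              SELECT 1 FROM transactions t
              WHERE t.kind != 'paging'
                AND t.ts BETWEEN p.ts AND p.ts + ?)
        ORDER BY p.ts"""
    rows = db.execute(query, (since_ts, timeout, now_ts, timeout))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = load_metadata(SAMPLE_ROWS)
    # a full run, then an incremental run that only looks past the last analysis
    print("empty pagings:", find_empty_pagings(db, now_ts=2200))  # [3, 6]
    print("since last run:", find_empty_pagings(db, now_ts=2200, since_ts=1300))  # [6]
```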
h3. Does SnoopSnitch detect silent SMS sent by HushSMS?
It does. However, some network operators apply filters to block silent SMS or transform them into regular SMS.
h3. Does SnoopSnitch block binary or silent SMS?
No. SnoopSnitch has no control over the baseband processor, which handles these messages independently.
h3. Does SnoopSnitch take countermeasures to security events?
No. Given the number of legitimate reasons for receiving those messages, we did not implement that. There may be a configuration option in future versions to enable such a feature (e.g. switching to airplane mode).
h3. What is the difference to AIMSICD, mICC or Darshak?
mICC as well as AIMSICD are apps for IMSI catcher detection using non-rooted Android devices. In addition, AIMSICD strives for detecting silent SMS and other threats without requiring root privileges.
The idea of not requiring root privileges is very attractive as it allows for a less complicated and much more widespread use of an app. However, as regular Android APIs provide only limited information about the radio network, those apps potentially have a less accurate detection and a higher false-positive rate. Silent SMS, binary SMS and most network security characteristics cannot be detected without access to low-level data, which on Android implies root privileges.
Darshak is an app for the Samsung Galaxy S3 phone with stock Android 4.1.2 firmware, requiring root privileges. According to the project docs it performs a security estimation comparable to SnoopSnitch's network score and detects silent SMS. Furthermore, a non-published IMSI catcher detection scheme seems to exist.
h2. Mobile network security metrics
h3. When I press "Test" the phone places a lot of calls and gets called by a US number. What's going on?
This is normal and expected. In the default configuration the active test generates 3 rounds of incoming/outgoing calls and incoming/outgoing SMS. This produces a defined set of transactions necessary for calculating the network scores.
Make sure not to pick up or reject any of the calls, otherwise you will get blocked.
h3. How often should I run the active tests?
Once or twice per month per location and network technology (GSM, UMTS, LTE) is sufficient, plus every time you are abroad.
h3. Are active tests needed for the network security metrics?
No, the score will also be calculated based on the radio data you produce when using the phone normally. However, running the active tests improves the quality of the score by creating all transactions necessary for that calculation.
h3. Will I get charged for active tests?
You shouldn't. However, some users reported they got billed for the outgoing SMS we send to an invalid number (*4* by default) during the active test. You should keep an eye on your phone bill / balance when running active tests regularly. If you notice you are billed for those outgoing SMS, you can either disable outgoing SMS completely or configure a different number in the settings.
h3. How can I disable outgoing SMS to save money?
Check the "Disable outgoing SMS" box in the settings.
h3. How can I change the number test SMS are sent to?
Enter a free-of-charge number in the "Outgoing SMS number" dialog in the settings.
h3. How long does the incoming test call ring?
The server rings for 15 seconds. You should disable or reconfigure your mailbox if it picks up the call earlier than that.
h3. I got banned, what now?
See [[Banned]].
h3. Why do I never receive incoming SMS during active test?
We suppress incoming SMS for networks for which users have already contributed enough data; Germany, for example.
h3. What does the message "Test 2G and 3G networks" mean?
It just means that you should test all the network technologies available, i.e. GSM, UMTS and maybe LTE.
h3. How can I switch between network modes (GSM/UMTS/LTE) easily?
Due to limitations in Android this cannot be done from within the App or by SnoopSnitch automatically. You need to change this in your Android settings, typically under "Mobile network settings" > "Preferred network type".
h3. Where can I find active test results?
They are represented as white circles in the bar charts on the lower half of the dashboard.
h3. What do the Intercept and Impersonation charts mean?
These are scores estimating the risk of having a connection intercepted or impersonated in a certain network. See the report for your country for details. If there is no report available for your country, have a look at the "report for Germany":http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-Germany-2015-02.pdf for an explanation.
h3. Why is the Tracking score missing in SnoopSnitch?
Tracking is a global value for your operator which has nothing to do with your particular device. As it would essentially be a static value, we decided to leave it out to save screen space.
h3. Why does my local measurement differ from https://gsmmap.org results?
The values on GSMmap are averaged over many samples for a network, contributed by different users in different locations. The location, the type of SIM used and the current load of the network are factors that influence the score. For these reasons your local measurement may differ significantly from the GSMmap score.
h3. How long does it take to update https://gsmmap.org?
We update it once per month, as all scores are calculated on a per-month basis.
h3. Why don't I see my measurements reflected in https://gsmmap.org?
The map is not updated in real time. It may take as long as a month to have your values incorporated into GSMmap.
h2. Collected Data - mobile network security tests
h3. How can I access or export the data used for (IMSI Catcher) analysis?
The analysis results and metadata are stored in an SQLite database. You can use a third-party tool like SQLiteManager to view and export the database. The database file on the device is
<pre>
/data/data/de.srlabs.snoopsnitch/databases/msd.db
</pre>
h3. Which logs exist on the phone and what do they contain?
Encrypted Qualcomm DIAG traces:
<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz.smime
</pre>
Unencrypted Qualcomm DIAG traces (to be enabled in the development settings):
<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>
Encrypted SnoopSnitch debug log:
<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz.smime
</pre>
Unencrypted SnoopSnitch debug log (to be enabled in the development settings):
<pre>
/data/data/de.srlabs.snoopsnitch/files/debug_*.gz
</pre>
h3. How can I access raw radio information?
Enable unencrypted radio data in the development settings. You can pull the unencrypted radio traces from
<pre>
/data/data/de.srlabs.snoopsnitch/files/qdmon_*.gz
</pre>
h3. How can I analyze radio data?
You can use the same GSM parser used in the app on your Linux or OS X machine. In the SnoopSnitch code base it can be found under ./contrib/gsm-parser (or in its separate repository: http://opensource.srlabs.de/git/gsm-parser.git). The compile.sh script in the SnoopSnitch repo can build it for Linux or OS X:
<pre>
$ cd contrib
$ ./compile.sh -t host
</pre>
The resulting parser binary is contrib/gsm-parser/diag_import. To analyze the log files, run diag_import on the raw traces you pulled from the device and import the results into an SQLite database. The sqlite3 binary is required on the host to do this:
<pre>
(
    # schema definitions, with C-style comments stripped for sqlite3
    cat contrib/gsm-parser/cell_info.sql \
        contrib/gsm-parser/si.sql \
        contrib/gsm-parser/sms.sql \
        | sed -e 's/\/\*.*//g'

    # parse the traces and keep only the SQL statements the parser emits
    contrib/gsm-parser/diag_import <your input files> | sed -ne 's/SQL://p'
) | sqlite3 result_db.sqlite
</pre>
h3. How can I extract radio traces in PCAP/GSMTAP format?
Add the parameter
<pre>
-g output.pcap
</pre>
to the diag_import call above.
h3. How can I check what was uploaded or still needs to be uploaded?
Unfortunately you can't at the moment.
h3. The name of my network operator is wrong
Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.
h3. My country is unknown
Send an email to snoopsnitch@srlabs.de telling us the name of your country and network operator.
h3. Why do security events disappear after a while?
By default, all log files and metadata are cleaned up after a month (metadata) or a day (logs). When this happens, your events or the location recorded for them may disappear. You can change the retention period in the settings.
h3. I cannot upload radio data, as the Upload button is replaced by "No data"
This means that you still have the metadata of some event in your database, but the respective radio data has been deleted in the meantime. Normally this should not happen, as files that potentially contain events are not removed on cleanup. However, if you upgrade to a later version of SnoopSnitch, a situation may arise where we improved the detection and now recognize events that were not detected in the past. In this case the raw data may already be deleted.
h3. Why is the cell ID "0" in the Network Info screen?
This is a technical limitation currently present in SnoopSnitch's GSM parser. The sessions are still valid, we just don't know the cell ID.
h3. How many people are using SnoopSnitch in <my_favorite_location>?
We can't tell. SnoopSnitch does not phone home to tell us who is using it. We only know where SnoopSnitch is used when people tell us by email or upload their results.
h3. What does the Cell ID mean?
It is the unique identifier of a cell tower, composed of MCC/MNC/LAC/CID.