Last Update: 2018-04-10
SnoopSnitch offers users several tests they can use to assess the overall security of their mobile devices. These tests are focused on two areas:
First, SnoopSnitch offers analysis on whether the testing device’s build of the Android mobile operating system is missing security patches. The primary goal of this test is to identify if any patches are missing relative to the device’s current security patch level date. Our secondary goal is to provide a fact-based incentive to device vendors to further improve their patching processes.
Second, SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the primary goal is to help mobile users detect network originated attacks, such as via SS7, SMS, or ISMI catchers. Our secondary goal is to provide a fact-based incentive to Mobile Network Operators to better improve the security of their networks. In doing this we also respect your privacy concerns from using the app itself.
Please note that the dual feature nature of SnoopSnitch results in different types of action, information collected, and permissions requested, depending on the security tests selected. The Android patch level analysis will work on devices running Android version 5.0 or higher. The mobile network tests will only work on a smaller set of devices (See DeviceList) and requires root permission using Superuser (SU) access.
Here, we specify what kind of information SnoopSnitch is collecting while in operation, and how this information is treated.
By default, we do not collect or transmit any personally identifiable information.
After manually triggering the Android security patch analysis, anonymous results and firmware build details are collected and uploaded to our server.
For mobile network security tests, the user may choose to upload detailed event logs, which are encrypted by default. These logs may contain some personally identifiable information, such as phone numbers, GPS locations, IMEI, IMSI or other mobile network data, even though we have implemented methods to remove such information.
We do not share any personally identifiable data with anyone and do not use any advertisements or any other 3rd-party plug-ins that could do so.
Google Privacy Ambiguity¶
Even though SnoopSnitch does not collect any personally identifiable data, we cannot guarantee that Google does not. As SnoopSnitch is provided by Google on the Google Play store, we do not know what kind of information is collected from this acquisition and subsequent app installation when using their services. We do know that they provide our Play Store developer account with detailed hardware information about the devices that SnoopSnitch has been installed on. This also includes some crash and error logs. For example, ANR ("Application Not Responding") and FC ("Forced Closed") logs are provided by the Android Operating System.
Alternatively, the pre-compiled APK can be downloaded from the SnoopSnitch open source page https://opensource.srlabs.de/projects/snoopsnitch, you may compile and install the app by yourself following the instructions available on the same web page.
Logging of ANR and FC Events¶
If you experience an ANR or FC event while using SnoopSnitch, you may be asked for permission to upload a crash report. If you agree, some information about the crash will be uploaded. This information is designed to not contain any personally identifiable information, but may include information such as the stack trace of what the program was trying to do when it crashed, as well as limited information about your phone's software (such as which version of SnoopSnitch you are using) and the hardware.
What information is collected¶For Android security patch analysis:
- SnoopSnitch application version
- Detailed information about the device’s firmware build
- Patch test results
- Information provided directly by the user. This may include:
- personal data such as: phone number and email.
- Information provided indirectly by the user. This may include:
- hardware details: phone model and processor information.
- software details: detailed AOS, Kernel and SnoopSnitch application versions.
- GPS locations, IMEI, IMSI and other mobile network data (LAC,CID, encryption status etc.)
- Complete radio network (signalling) traces related to detection events
- We may also collect other information intentionally provided to us by the user, for example through the Send Feedback feature. Transfer of these data is not mandatory.
Why is this data collected and how is it used?¶For Android security patch analysis:
- Efficiently pre-select relevant patch tests for a given device
- Improving the SnoopSnitch application and individual patch tests
- Provide a fact-based incentive to device vendors to further improve their patching processes
- Providing and improving the SnoopSnitch application
- Analyzing and securing mobile networks & services, worldwide
- Provide mobile network statistics (through GSMMap) that help us understand how secure various Mobile Network Operators (MNOs) are
- Provide statistics of how, where, and when mobile networks are being attacked
- Provide a warning to users when their phones and network is being attacked by IMSI catchers and user tracking by SS7 or Silent SMS
Anonymously collected analytics are kept safe on a database while personal data provided by e-mail are used only for users support purposes and nothing else. No data are sold or shared with third party entities or companies.
SnoopSnitch requests different levels of permissions depending on the types of security tests being conducted.For Android security patch analysis, the level of permissions requested are:
- ACCESS_NETWORK_STATE: To check for available network
- INTERNET: To download patch tests and upload test results
- RECEIVE_BOOT_COMPLETED: To check whether build version has changed since last test
- ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION: Allow you to record your location when IMSI catchers and security events are detected
- ACCESS_NETWORK_STATE: Is used to check for available network so that up or downloads can proceed
- ACCESS_SUPERUSER: To use the non API supported Qualcomm diagnosis interface to capture radio data, you need root access. See below.
- CALL_PHONE/ SEND_SMS / RECEIVE_SMS: Needed to make the test calls used to generate the network traffic to be analyzed
- GET_TASKS: Retrieve state of helper processes interacting with diagnostic interface
- INTERNET: Is used to download new data from gsmmap.org and to upload radio traces and debug logs upon user request
- READ/WRITE_EXTERNAL_STORAGE: To allow saving debug/trace logs to your SD card
- READ_PHONE_STATE: Used to detect what kind of network you are currently using (GSM,UMTS,LTE etc)
- RECEIVE_BOOT_COMPLETED: To start app automatically when phone is restarted
- GET_TASKS: Retrieve state of helper processes interacting with diagnostic interface
- WAKE_LOCK: Stop phone from falling asleep during long-running analysis steps
Root and Superuser access¶
Some SnoopSnitch security tests require root and superuser access to function. However, the app can still be installed and some security tests will function without that level of access.
Android security patch analysis does not require root access to function.
Mobile network security tests require root access to function. These tests collect data directly from the radio diagnostics interface, they require your phone to be rooted and ask for root permission using Superuser (SU) access. This is required for the mobile security tests to function as the Android API does not provide enough network details for the analysis to be performed. This permission is not a standard Android system permission and is ignored by normal Android devices. It is an informal standard developed by the Android developer community. It allows a program to indicate that it would like to acquire super-user permission. SnoopSnitch does nothing else with this permission. It simply asks for the permission in order to allow command-line tools to run as root. The "su" command is an example of a command that will use this permission.
What are my opt-out rights?¶
You can easily stop all collection of information by either deleting the application, or disabling the app from the Android OS settings.
You can also limit the scope of uploaded data in the app’s settings.
Data Retention Policy¶
We will retain user provided data for as long as you use the application and for a reasonable time thereafter. We will retain (user approved) collected information for up to 24 months and thereafter may store it in aggregate (in backups). If you would like us to delete any data provided by you, please contact us at the email below.
We do not use the application to knowingly solicit data from or market to children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at the email provided below and we will remove that information from our servers within a reasonable time.
We are concerned about safeguarding the confidentiality of your information. We provide electronic safeguards to protect information we process and maintain. For example, we limit access to this information to authorized persons who need to know that information in order to operate, develop, or improve our application. Please be aware that, although we seek to provide reasonable security for the information we process and maintain, no security system can prevent all potential security breaches.
If you have questions or concerns regarding this policy, please contact us via email at snoopsnitch @srlabs.de