Privacy Policy » History » Revision 2
Revision 1 (Luca, 07/26/2017 03:35 PM) → Revision 2/6 (Patrick, 04/10/2018 07:43 PM)
h1. Privacy Policy Last Update: 2018-04-10 2017-07-26 h2. Introduction This document is the privacy policy for the *SnoopSnitch* **SnoopSnitch** (hereafter simply referred to as "SNSN" or "app") Android security application. SnoopSnitch offers users several tests they can use to assess applications. By design, the overall security **primary** concern of their mobile devices. These tests are focused on two areas: First, SnoopSnitch offers analysis on whether the testing device’s build of the Android mobile operating system SNSN, is missing security patches. The *primary* goal of this test is to identify if any patches are missing relative to the device’s current security patch level date. Our *secondary* goal is to provide a fact-based incentive to device vendors to further improve their patching processes. Second, SnoopSnitch offers tests to assess whether a device is exposed to attacks or surveillance from the mobile network. Here, the *primary* goal is to help mobile users detect maintain their privacy by detecting network originated attacks, such as via SS7, SMS, or ISMI catchers. attacks. Our *secondary* goal **secondary** concern is to provide a fact-based incentive to Mobile Network Operators to better and improve the security of their networks. In doing this we also respect your privacy concerns from using the app itself. Please note that the dual feature nature of SnoopSnitch results in different types of action, information collected, and permissions requested, depending on the security tests selected. The Android patch level analysis will work on devices running Android version 5.0 or higher. The mobile network tests will only work on a smaller set of devices (See [[DeviceList]]) and requires root permission using Superuser (SU) access. Here, Here we specify what kind of information SnoopSnitch SNSN is collecting while in operation, and how this information is treated. h2. 
Privacy Summary By default, we do not collect or transmit any personally identifiable information. After manually triggering However, the Android security patch analysis, anonymous results and firmware build details are collected and uploaded to our server. For mobile network security tests, the user may choose to upload detailed event logs, which are logs in either clear-text or encrypted by default. form. These logs may contain some personally identifiable information, such as phone numbers, GPS locations, IMEI, IMSI or other mobile network data, even though we have implemented methods to remove such information. We do not share have any personally identifiable data with anyone and do not use any advertisements or any other 3rd-party plug-ins that could do so. We do not share any of the uploaded data with anyone, except the security researchers at Security Research Labs (SRLabs), Berlin. h2. Google Privacy Ambiguity Even though SnoopSnitch SNSN does not collect any personally identifiable personalized data, we cannot guarantee that Google does not. As SnoopSnitch SNSN is provided by Google on the their Google Play store, we do not know what kind of information that is collected from this acquisition and subsequent app installation when using their services. We do know that they provide our Play Store developer account with detailed hardware information about the devices that SnoopSnitch the app has been installed on. This also includes include some crash and error logs. For example, ANR ("Application Not Responding") and FC ("Forced Closed") logs are as provided by the Android Operating System. Alternatively, If you do not agree with that policy, we suggest you download the pre-compiled APK can be downloaded from the SnoopSnitch open source page https://opensource.srlabs.de/projects/snoopsnitch, you may https://opensource.srlabs.de/projects/snoopsnitch or compile and install the app by yourself following the instructions available on the same web page. 
page, and disable uploading of such logs in your AOS settings. h2. Logging of ANR and FC Events If you experience an ANR or FC event while using SnoopSnitch, SNSN for Android, you may be asked for permission to upload a crash report. If you agree, some information about the crash will be uploaded. This information is designed to not contain any personally identifiable information, but may include information such as the stack trace of what the program was trying to do when it crashed, as well as limited information about your phone's software (such as which version of SnoopSnitch SNSN for Android you are using) and the hardware. h2. What information is collected For Android security patch analysis: * SnoopSnitch application version * Detailed information about the device’s firmware build * Patch test results For mobile network security tests: * Information provided directly by the user. This may include: * personal data such as: phone number and email. * Information provided indirectly by the user. This may include: * hardware details: phone model and processor information. * software details: detailed AOS, Kernel and SnoopSnitch SNSN application versions. * GPS locations, IMEI, IMSI and other mobile network data (LAC,CID, encryption status etc.) * Complete radio network (signalling) traces related to detection events * We may also collect other information intentionally provided to us by the user, for example through user. In particular, user data processed in the Send Feedback feature. framework of our services. Transfer of these data is not mandatory. mandatory, but is some cases required to use the full functionality of SNSN. * SnoopSnitch SNSN does not use cookies. cookies, but the websites linked through the text, within the app, may do so. h2. Why is this data collected and how is it used? 
For Android security patch analysis: * Efficiently pre-select relevant patch tests for a given device * Improving the SnoopSnitch application and individual patch tests * Provide a fact-based incentive to device vendors to further improve their patching processes For mobile network security tests: * Providing and improving the SnoopSnitch SNSN application (UI, UX and compatibility etc.) * Analyzing and securing mobile networks & services, worldwide worldwide. * Provide mobile network statistics (through GSMMap) that help us understand how secure various Mobile Network Operators (MNOs) are (MNO) are. * Provide statistics of how, where, where and when mobile networks are being attacked attacked. * Provide a warning to users when their phones and network is being attacked by IMSI catchers and user tracking by SS7 or Silent SMS SMS. h2. Information sharing Anonymously collected analytics are kept safe on a database while personal data eventually provided by e-mail are used only for users support purposes and nothing else. No data are sold or shared with third party entities or companies. h2. Application Permissions SnoopSnitch requests different levels of SNSN asks for several permissions depending on the types behalf of security tests being conducted. For Android security patch analysis, command line tools that run from within the level app. 
The current set of permissions that are requested are: * ACCESS_NETWORK_STATE: To check for available network * INTERNET: To download patch tests and upload test results * RECEIVE_BOOT_COMPLETED: To check whether build version has changed since last test For mobile network security tests, the level of permissions requested are: * ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION: Allow you to record your location when IMSI catchers and security events are detected * ACCESS_NETWORK_STATE: Is used to check for available network so that up or downloads can proceed * ACCESS_SUPERUSER: To use the non API supported Qualcomm diagnosis interface to capture radio data, you need root access. See below. * CALL_PHONE/ SEND_SMS / RECEIVE_SMS: Needed to make the test calls used to generate the network traffic to be analyzed * GET_TASKS: Retrieve state of helper processes interacting with diagnostic interface * INTERNET: Is used to download new data from gsmmap.org and to upload radio traces and debug logs upon user request * READ/WRITE_EXTERNAL_STORAGE: To allow saving debug/trace logs to your SD card * READ_PHONE_STATE: Used to detect what kind of network you are currently using (GSM,UMTS,LTE etc) * RECEIVE_BOOT_COMPLETED: To start app automatically when phone is restarted * GET_TASKS: Retrieve state of helper processes interacting with diagnostic interface * WAKE_LOCK: Stop phone from falling asleep during long-running analysis steps h2. Root and Superuser access Some SnoopSnitch security tests require root and superuser access to function. However, the app can still be installed and some security tests will function without that level of access. Android security patch analysis *does not require root access* to function. Mobile network security tests *require root access* to function. 
These tests collect Because SNSN is collecting data directly from the radio diagnostics interface, they require it requires your phone to be rooted and ask asks for root permission using Superuser (SU) access. This is required for the mobile security tests app to function as the Android API does not provide enough of network details for the analysis to be performed. This permission is not a standard Android system permission and is ignored by normal Android devices. It is an informal standard developed by the Android developer community. It allows a program to indicate that it would like to acquire super-user permission. SnoopSnitch SNSN does nothing else with this permission. It simply asks for the permission in order to allow command-line tools to run as root. The "su" command is an example of a command that will use this permission. h2. What are my opt-out rights? You can easily stop all collection of information by either deleting the application, or disabling the app from the Android OS settings. You can also limit change the scope of uploaded apps own settings to not upload any data in the app’s settings. and/or use any network communication. h2. Data Retention Policy We will retain user provided data for as long as you use the application and for a reasonable time thereafter. We will retain (user approved) collected information for up to 24 months and thereafter may store it in aggregate (in backups). If you would you’d like us to delete any user provided data that you have provided by you, via the application, please contact us at the email below. below and we will respond in a reasonable time. h2. Children We do not use the application to knowingly solicit data from or market to children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at the email provided below and we will remove that information from our servers within a reasonable time. 
h2. Security We are concerned about safeguarding the confidentiality of your information. We provide electronic safeguards to protect information we process and maintain. For example, we limit access to this information to authorized persons who need to know that information in order to operate, develop, develop or improve our application. Please be aware that, although we seek to provide reasonable security for the information we process and maintain, no security system can prevent all potential security breaches. h2. Your Consent By using the application, you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us. h2. Changes This Privacy Policy may be updated from time to time for any reason. We will notify you of any changes to our Privacy Policy by posting the new Privacy Policy here and informing you via the application built-in announcement feature. You are advised to consult this Privacy Policy regularly for any changes, as continued use is deemed approval of all changes. h2. Contact If you have questions or concerns regarding this policy, please contact us via email at snoopsnitch @srlabs.de snoopsnitch@srlabs.de
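Review bot: In the Introduction, the sentence on mobile network tests reads "such as via SS7, SMS, or ISMI catchers", while the rest of the policy (the data-use list and the ACCESS_FINE_LOCATION permission entry) spells the term "IMSI catchers". Suggest correcting "ISMI" to "IMSI" so the attack class is named consistently throughout the policy.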