Ah ok. I though I missed something. Thanks for the answer. I have another question. I know you don't have the resources at the moment and it is just a question out of interest. There is an app called snoopsnitch. It is made by a person from CCC in germany. It is the only app that
Conversation
is capable to detect several anomalies in the baseband. By using some sort of debugging in the Qualcomm chip. Unfortunately it needs root. I know rooting is insecure. Is it possible to integrate such an app and only grant it this kind of privileges? Hope I make sense
1
ok after reading this thread:
stackoverflow.com/questions/1621
I answered most of the question myself. But still I would be interested to hear your opinion.
1
Replying to
It's not useful in the real world so it makes no sense to include it. Exposing root to the application layer would be a substantial security loss too. It fails to offer any value to make up for that beyond appearing to be useful to people that don't know any better. It isn't.
2
Replying to
or even silent sms. I'm glad I asked you. I was sure you would have something to say about the security loss. Just wasn't sure what it would be
1
Replying to
It's snake oil. The network can't be trusted, whether or not there's local interception. Use encrypted messaging and encrypted calls. If you don't want to be tracked by your carrier and others, you inherently need to turn on airplane mode. Silent SMS is not a real world concern.
1
It simply doesn't matter. Can you explain why these things are a real world issue? You can be tracked by the carrier without sending an SMS. It doesn't matter if it's silent or not, that only controls whether it will be displayed as user-facing. What about that makes it worse?
1
Replying to
I agree 100% with you that the network can't be trusted. I only use signal for communication over ivpn. No other ways. My idea with snoopsnitch was to be informed about targeted surveillance.
1
For example you are a journalist in some shady democracy and they decide to investigate you. Like to get your phone number. If you are with a burner number the telco doesn't have it tied to your name. So when they wan't to track you. They have to use an imsi catcher first
2
2
if I understand it right. The baseband has knowledge about the 3 towers you are connected too. And it knows the distance. When in your home area a new tower pops up 30 meters away from you. And there is a van sitting in front of your house. You'll get informed about this imsi
2
Replying to
These apps have false positives and I think they cause far more harm than good. I don't see the benefit. Requiring root to be exposed to the application layer rather than having it properly implemented is also completely unacceptable for any serious real world usage.
No, they don't have to do that... you are just not thinking it through. There is no reason for the government to do what you're saying in your scenario. They can go through the carrier. You aren't going to get a positive response from me about this.
Quote Tweet
Replying to @Nuttso2go and @DanielMicay
For example you are a journalist in some shady democracy and they decide to investigate you. Like to get your phone number. If you are with a burner number the telco doesn't have it tied to your name. So when they wan't to track you. They have to use an imsi catcher first
1
I've already thought it through and talked to many people about it. The consensus among informed people is that it's not useful in the real world, and the apps providing it are too fragile with many false positives. Of course, there's also no modem debugging in production builds.
Replying to
of course you are right. It uses heuristic which may fail. But srlabs are studying for a long time mobile networks. They do know what they do. Would there be a way to implement such a app without granting it root? Didn't Fdroid extension also works with root?
1
Replying to
The F-Droid privileged extension is a priv-app bundled into the OS which receives permissions unavailable to regular apps. It exposes that capability to F-Droid, meaning F-Droid can install / upgrade apps without user consent. That has major risks but there's no app level root.
1
Show replies