
Android IMSI-Catcher Detector - slashdotaccount
http://secupwn.github.io/Android-IMSI-Catcher-Detector
======
slashdotaccount
Hello, everyone! Since Google does not seem to be interested in fixing the
huge security hole of not showing a ciphering indicator on Android, it appears
as if they get paid (or are forced to) not fix it. For all of you that are
sick of getting spied on through IMSI-Catchers, Silent SMS and alike and want
to do something about it, here's a great project you should check out: "The
Android-IMSI-Catcher-Detector" (AIMSICD). It is an Android open-source based
project to detect and (hopefully one day) avoid fake base stations (IMSI-
Catchers) or other base-stations (mobile antennas) with poor/no encryption.

This project aims to warn users if the ciphering is turned off and also
enables several other protection-mechanisms. Since it is under constant
development, they are constantly searching for testers and security-
enthusiastic developers with balls. Don't be shy, feel free to contribute, in
any way you can on GitHub: [https://github.com/SecUpwN/Android-IMSI-Catcher-
Detector](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector)

~~~
nradov
Do you intend to add CDMA support?

~~~
E3V3A
We had partial CDMA support with an extra feature to detect Verizon Pico/Micro
(?) cells. However, the lack of CDMA testers put this on hold.

------
TorKlingberg
You probably shouldn't put the EFF, Guardian Project and Privacy International
logos so prominently on your website if you are not affiliated with or
supported by those projects.

~~~
slashdotaccount
Sadly, this Project is not yet officially supported by them. But it is one of
the GOALS to support FF, Guardian Project and Privacy International. Not
necessarily the other way around. :)

------
noyesno
This reminds me of the early days of GSM where Nokia phones showed a broken
lock icon if the air interface between the mobile phone and the base station
did not use encryption. At the time at least France had disabled the
encryption and the indicator caused some interesting discussions.

------
abritishguy
Display which cipher is being used?

2G is insecure regardless of whether encryption has been turned off or not, it
can be decrypted on the fly with very modest hardware so the indicator telling
you what connection you have is as good as telling you whether it is "secure"
or not.

> Detect hidden SMS

Not really feasible - there are tons of different types of "hidden" sms that
are routinely used by the network but can be spoofed by a third party.

> Detect SIM card app installations through public APIs

This won't work unless it is rooted and this messages have to be signed from
the network anyway.

------
nerderloo
It seems only 2G connection is crackable. Are we safe as long as the device is
on 3G/4G network? We should just disable cellular radio when you see the
device is on 2G suspiciously in the middle of city(around demonstrations, I
suppose)

~~~
slashdotaccount
I'm just going to quote the GitHub README here: "Although A5/3 withstands
passive eavesdropping, it can be bypassed by deploying an IMSI-Catcher which
can force a mobile device into 2G mode and downgrade then the encryption to
A5/1 or disable it."

Here is the best hint I can give you: LEAVE YOUR PHOEN AT HOME when you really
_have to_ participate in demonstrations! The main reason why the use of IMSI-
Catchers, Stingrays and alike is such a popular tactic for law enforcement
agencies is because people are not SMART ENOUGH to think ahaed and leave their
phones at home!

No solution for you? Well then, at the very least make yourself your own
signal blocking pouch to fully block all Silent SMS: www.killyourphone.com

~~~
lttlrck
Or use airplane mode?

------
slashdotaccount
IMPORTANT: We're actively searching for skilled DEVELOPERS. Chime in!

------
programmernews
Great project! Will follow this and share the GitHub link.

------
cowbell
This sounds like such a good idea, I think the US government will outlaw it.

~~~
slashdotaccount
How will they outlaw an open-source project? They can "outlaw" all they want,
they're already doing what they want, when they want it. It's time for the
brave people out there to fight back! Have some balls and stand against the
massive abuse of your most private data!

~~~
cowbell
Look at the attempts to outlaw apps like Trapster. You give away the position
of speed traps and DUI checkpoints and cops don't like that.

Last I heard, Trapster was forced to remove DUI checkpoints to stay on the app
store. That was after attempts to rule it illegal in court failed. Same
result. Crowdsourced DUI checkpoint apps are effectively gone if the stores
don't have them. If only a few sideloaders have them, then there's no crowd to
source.

This would work in a similar manner, but would expose the cops' fake cell
towers. I fully expect this to suffer a similar fate.

That is not to say I don't like the project. I commented just so I could find
it again in the future :)

~~~
slashdotaccount
That is exactly the reason why we keep this porject as open-source as
possible, have a disclaimer for it which basically tells YOU to be responsible
what you do with the code and most importantly, we are on NO STORE, especially
not GooglePlay. If an App moves to GooglePlay and does something that not
plays by the rediculous "rules" (serach for what happened to the awesome
HushSMS), they're kicked.

If any store, then F-Droid. But for now, why not just grab the most recent
compiled WIP-Release from here and give it a shot?
[https://github.com/SecUpwN/Android-IMSI-Catcher-
Detector/rel...](https://github.com/SecUpwN/Android-IMSI-Catcher-
Detector/releases)

Also, as much as I appreciate your comment just to find this thread later on,
this is NOT the official discussion of the App. I HIGHLY recommend just
starring the GitHub and (if you have balls) contribute to it's success by
submitting pull requests. Thanks for listening, spread the link to the GitHub
in all social media and places where potential developers and good Hackers
hang out! ;-)

------
couchand
Any chance you could quiet the headline a bit? I recognize you have a good
project but that title's awfully loud.

~~~
dang
We took "DEVELOPERS WANTED: " out of the headline. It broke more than one of
the site guidelines.

~~~
slashdotaccount
Thank you, much appreciated.

