Flohack74
commented
6 years ago Its sounds interesting but will be defeated by the closed-source radio firmware. Part of this is even necessary to follow official regulations, part of it is IP protection. And I can understand vendors also, you don develop such a complex part of silicon just for others to rip off a cheap copy. And as you are not allowed to change frequencies on your mobile to not disturb other bands, each government has its fingers also in the play. The baseband chipset has this information for sure, but not in API form. Also hacking into the radio firmware to give back this information is probably impossible. But good luck with that ;)
Description of the feature
I want to build an security app on IMSI-Catcher so I found this bug on launchpad
https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1416741 I think exposing as much information as possible about mobile networks opens the door for interesting applications, e.g. IMSI catcher detectors, free cell tower location databases, location-based services etc.
Technology
There are currently at least four different mobile network technologies available around the world:
GSM
LTE
CDMA
WCDMA (UMTS)
A device may support one or more technologies at the same time, and the currently available status may therefore change over time. For example an LTE device may temporarily roam down to UMTS or even GSM.
Needed information
The available information differs between technologies, and new technologies will be introduced during the lifetime of the API, so the design should be extensible.
GSM: A base station is identified by its Cell-ID (CID), Location Area Code (LAC), Mobile Country Code (MCC) and Mobile Network Code (MNC). The last digit of the CID may encode the antenna number if the same base station has more than one. Signal strength may be reported in ASU, dBm or “levels”. A Timing Advance value is used to coarsely describe the distance between the mobile device and the currently used base station.
LTE: A base station is identified by its Cell-ID (CID), Mobile Country Code (MCC), Mobile Network Code (MNC), Physical Cell ID and Tracking Area code. Signal strength may be reported in ASU, dBm or “levels”. Timing Advance values are available for every base station of the same operator within range, not only for the currently used one.
CDMA: A base station is identified by its Base Station ID, Latitude, Longitude, Network ID and System ID. Signal strength may be reported in ASU, dBm, Ec/Io, “levels” or SNR. EVDO for faster data transfer may be available.
WCDMA (UMTS): A base station is identified by its Cell-ID (CID), Mobile Country Code (MCC), Mobile Network Code (MNC) and Primary Scrambling Code. Signal strength may be reported in ASU, dBm or “levels”.
API calls and features
The Baseband chip has to monitor the whole network at all times anyway, so the required information should be readily available. A single call a la
networkCells()should therefore suffice. The rest of the API is heavily dependent on which methods the Baseband offers and which data it exposes.Security and Privacy
A hostile app may calculate the location of a user from the list of cell towers in range. Because of the long-range nature of mobile networks this location will often not be accurate, but especially in cities it may be accurate enough. I therefore propose that the first call to networkCells() triggers a system popup informing the user about possible privacy implications and asking for permission.
Illustrations
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector