Android: IMSI Leaking during GPS Positioning
First of all, the basics:
Assisted GPS (abbreviated as A-GPS) is a system that usually significantly improves the time it takes to fix a satellite-based positioning system (GPS) for the first time - so GPS positioning is accelerated. How does this work? With mobile phones, the approximate location is already known from the radio cell in which your device is registered. This approximate location is then sent via the Secure User Plane Location Protocol (SUPL) to a SUPL server, which uses this information to limit the search range for the satellite signals and thus enables fast GPS positioning. Communication with the SUPL server takes place via TCP/IP or SMS.
Android systems use such a SUPL server to accelerate GPS positioning. However, the problem is that your IMSI number is also transmitted to the SUPL server when you make a request - which would not actually be necessary from a technical point of view.
The problem: The combination of the IMSI number with the radio cell ID enables the operator of a SUPL server to uniquely identify a user as soon as the smartphone locates or limits the location via a SUPL request. The SUPL protocol is therefore actually relatively sensible, but we do not know what the operators of the SUPL servers do with this information.
With my test devices I have now tried to find out when such a SUPL request is sent. Result: Whenever your GPS is activated and an app wants to query the location. It doesn't matter which mode you have chosen:
High accuracy:
Use GPS, WLAN, Bluetooth or mobile networks to determine your location.
Energy-saving mode:
Use WLAN, Bluetooth or mobile networks to determine your position.
Device only:
Use GPS to locate.
This means: Even if you have selected the mode "Device only", a request will be sent via A-GPS or SUPL-Request. The question is now which SUPL server or operator receives the radio cell information together with the IMSI number?
This is quite different - even with LineageOS. You can find out if you open the following file (root assumed) on your Android:
supl.google.com: Google
supl.sonyericsson.com: Sony
supl.qxwz.com: SUPL Server in China
supl.nokia.com: Nokia
If your GPS is activated, a SUPL request is sent to the SUPL_HOST - but this does not happen every time. You can force it after a device restart in combination with an app that wants to determine the GPS location. Sometimes it was also necessary to deactivate the WLAN interface.
Now you have to ask yourself if a quick GPS position determination via SUPL is important to you or maybe your privacy. If it's your privacy, you'll need to make the following changes to gps.conf and then restart your device:
With tcpdump you can check directly on the device if SUPL requests are still being sent:
How SUPL Reveals My Identity And Location To Google When I Use GPS. If you can help to answer this question, please feel free to contact me via email or use the forum thread.
With a "toy" like the HackRF One, mobile phone traffic on this level could certainly be recorded.
π‘ @NoGoolag
#android #IMSI #leaking #GPS #positioning #guide #kuketz
First of all, the basics:
Assisted GPS (abbreviated as A-GPS) is a system that usually significantly improves the time it takes to fix a satellite-based positioning system (GPS) for the first time - so GPS positioning is accelerated. How does this work? With mobile phones, the approximate location is already known from the radio cell in which your device is registered. This approximate location is then sent via the Secure User Plane Location Protocol (SUPL) to a SUPL server, which uses this information to limit the search range for the satellite signals and thus enables fast GPS positioning. Communication with the SUPL server takes place via TCP/IP or SMS.
Android systems use such a SUPL server to accelerate GPS positioning. However, the problem is that your IMSI number is also transmitted to the SUPL server when you make a request - which would not actually be necessary from a technical point of view.
The problem: The combination of the IMSI number with the radio cell ID enables the operator of a SUPL server to uniquely identify a user as soon as the smartphone locates or limits the location via a SUPL request. The SUPL protocol is therefore actually relatively sensible, but we do not know what the operators of the SUPL servers do with this information.
With my test devices I have now tried to find out when such a SUPL request is sent. Result: Whenever your GPS is activated and an app wants to query the location. It doesn't matter which mode you have chosen:
High accuracy:
Use GPS, WLAN, Bluetooth or mobile networks to determine your location.
Energy-saving mode:
Use WLAN, Bluetooth or mobile networks to determine your position.
Device only:
Use GPS to locate.
This means: Even if you have selected the mode "Device only", a request will be sent via A-GPS or SUPL-Request. The question is now which SUPL server or operator receives the radio cell information together with the IMSI number?
This is quite different - even with LineageOS. You can find out if you open the following file (root assumed) on your Android:
/etc/system/gps.confor
/vendor/etc/gps.confThere you can search for the following entries:
SUPL_HOST=supl.google.comPreviously identified as SUPL_HOST or operator:
SUPL_PORT=7275 (may vary)
supl.google.com: Google
supl.sonyericsson.com: Sony
supl.qxwz.com: SUPL Server in China
supl.nokia.com: Nokia
If your GPS is activated, a SUPL request is sent to the SUPL_HOST - but this does not happen every time. You can force it after a device restart in combination with an app that wants to determine the GPS location. Sometimes it was also necessary to deactivate the WLAN interface.
Now you have to ask yourself if a quick GPS position determination via SUPL is important to you or maybe your privacy. If it's your privacy, you'll need to make the following changes to gps.conf and then restart your device:
SUPL_HOST=localhostβ οΈNote: It is not sufficient to comment out the lines. Then a fallback becomes active. Where the fallback information came from I could not find out yet.
SUPL_PORT=7275
With tcpdump you can check directly on the device if SUPL requests are still being sent:
tcpdump -i any -s0 port 7275Unfortunately, one question remains unanswered: Does the proprietary baseband possibly send a SUPL request on its own and bypasses the Android operating system? In any case, this is indicated by the following article:
How SUPL Reveals My Identity And Location To Google When I Use GPS. If you can help to answer this question, please feel free to contact me via email or use the forum thread.
With a "toy" like the HackRF One, mobile phone traffic on this level could certainly be recorded.
Source and more infohttps://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/
π‘ @NoGoolag
#android #IMSI #leaking #GPS #positioning #guide #kuketz