Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
Android Communications Security

Android 16 Will Tell You When Fake Cell Towers Try To Track Your Phone (androidauthority.com) 30

Posted by msmash from the sting-operations dept.
Android 16 will include a new security feature that warns users when their phones connect to fake cell towers designed for surveillance. The "network notification" setting alerts users when devices connect to unencrypted networks or when networks request phone identifiers, helping protect against "stingray" devices that mimic legitimate cell towers to collect data and force phones onto insecure communication protocols.

Android 16 Will Tell You When Fake Cell Towers Try To Track Your Phone More | Reply

Android 16 Will Tell You When Fake Cell Towers Try To Track Your Phone

Comments Filter:

  • Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so? If you ride out of the area, a new list for the new area is downloaded just before you reach the boundary. (There might be special "starting" towers the world over in the local list.) The phone should only attempt communicating with towers in the database.

    In emergencies such as 911 one could override that protection upon user confirmation.

    Or do they spoof legitimate towers also? Seems they c

    • If they accidentally forget to put a tower in, they're gimping themselves -- not to mention some companies do cross-sharing agreements which would need to sync. Most people won't be affected by Stingray like devices or fake towers. I bet even after this, most people won't even notice a difference.

      • If they accidentally forget to put a tower in, they're gimping themselves -- not to mention some companies do cross-sharing agreements which would need to sync.

        All the more reason becoming a certified legitimate cell tower should be quite the documented process, along with sustaining a more centralized list of registered legitimate towers that include hefty fines for lack of accuracy.

        Most people won't be affected by Stingray like devices or fake towers. I bet even after this, most people won't even notice a difference.

        Most people won't be falsely accused of a crime either. But when it does happen to someone, it's not exactly something you brush off and forget about in the manner you just described.

      • Re: (Score:2)

        by Tablizer ( 95088 )

        If they accidentally forget to put a tower in, they're gimping themselves

        Who is "they"? The vendor would set up phones initially and test them. If by chance the phone can't find ANY usable towers, the phone can prompt the user for the option of having their phone ignore the registry (along with a stern warning).

        Not a show-stopper, just need a decent Plan B.

        not to mention some companies do cross-sharing agreements which would need to sync.

        I don't see why that's a problem. Vendors can include all registered

    • Phone-to-provider encryption seems like a better option. The only unencrypted information to start with would be your provider's ID, so your traffic is routed to their systems for decryption. Basically... my best current guess for greater security? Give up your mobile phone number, use data and a VOIP app. Then the cops will have to get a warrant (assuming your VOIP provider worries about that) not only to know the content of your conversation, but even to know who you called.

      You're never going to be ab

    • Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so? If you ride out of the area, a new list for the new area is downloaded just before you reach the boundary. (There might be special "starting" towers the world over in the local list.) The phone should only attempt communicating with towers in the database.

      It’s a reasonable idea on paper, but cellular networks weren’t built with centralized tower authentication in mind — especially not legacy protocols like 2G and 3G, which are still widely used as fallbacks. Tower IDs aren’t verified cryptographically, and there’s no authoritative global list to push to phones in real time. Tower infrastructure changes constantly due to roaming agreements, maintenance, emergencies, and temporary deployments. A weekly "known good" sync would be

      • Re: (Score:1)

        by Tablizer ( 95088 )

        It's a reasonable idea on paper, but cellular networks weren't built with centralized tower authentication in mind -- especially not legacy protocols like 2G and 3G

        Okay, but they should require it for new or overhauled towers to start heading in that direction. Maybe give the industry a window of 5 to 10 years to add it.

    • Re: (Score:2)

      by cstacy ( 534252 )

      Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so?

      That's how it used to work, although the update frequency was much less than 2 weeks. If you didn't update, you could even lose connectivity. And it was not transparent: you had to do something on your phone that disrupted usage, in order to download and install the tower update. They stopped doing all that, or made it totally transparent. It was probably too hard to keep their databases up to date.

  • Sure it will. (Score:4, Funny)

    by zawarski ( 1381571 ) on Friday June 27, 2025 @02:16PM (#65480542)
    Seems exactly what people running fake towers would want you to think.
  • The police will probably have an apoplectic fit over this one. Kind of like how they hate it when security bugs are patched that ruin their spy software.

    How are they supposed to spy on journalists if they can't spoof cell towers and hack phones?

  • This is too little, too late.

    It's already become common to set up cellular hotspots where even picocell sites can't reach. It's also become common to set up phone-over-carrier-wifi where phones will connect to an org's wifi network specifically set up through an org like Ameriband where calls and texts tunnel to the carrier, but data is offloaded to the host org's corporate internet connection and thus their policies. And DAS has been around for so long that I've seen systems lifecycle, and then the lifec

  • It's easy to dismiss fake cell towers as tin-foil hat stuff — until you read the court filings. Stingrays (aka IMSI catchers) are real, widely used by law enforcement, and rarely disclosed to the public. They're not some hobbyist-grade hacker toy — they're high-end surveillance gear.

    What Android 16 is doing isn't magic; it's giving users visibility into when their phone gets bumped onto a sketchy, unencrypted channel — something that has real privacy implications, especially for high-risk individuals like journalists, activists, or whistleblowers. Next time you're near a protest, I suggest turning it on. If the crowd is big enough, some alphabet agency is probably hoovering up cell metadata. The FBI once logged license plates near demonstrations — this is the internet-era version of the same playbook.

    Is it overkill for the average user? Probably. But the principle matters: people should at least know when their phone is being manipulated at the network level. You wouldn’t ignore a browser telling you your HTTPS connection was hijacked — why ignore your phone doing the same?

    • Better would be a setting that stops your phone connecting to an unencrypted network.

      A Stingray may be the strongest signal in order to get switched to automatically, but it won't be the only signal of adequate strength.

  • What is a user supposed to do with this information? Femtocells are common in many public places that where large numbers of people gather such as stadiums and malls. I doubt Google can easily tell the difference between these and a device such as a Stingray. Then there are places like the airports in D.C. where there are far too many people playing "spy" and your cellphone is in a frantic spasm of "catch and release" as the operators of the various cell site simulators decide your phone is not the droid

    • Femtocells are common in many public places that where large numbers of people gather such as stadiums and malls. I doubt Google can easily tell the difference between these and a device such as a Stingray.

      Femtocells are typically provider locked and should not break encryption. The ones in stadiums and malls should look identical to the ones on towers.

      • The cell phone standards only mandate encryption between the user equipment (UE, e.g., the cell phone) and the LTE base station (eNodeB). Basic text messages are never encrypted as they are just extra bytes on a control packet. Any encryption on the network is generally hop-to-hop. There is no need to "break encryption" if you are a base station man-in-the-middle. The cell network's security focus is on making sure the correct providers get the correct cut of the cost of the connection.
        • I'm certainly no expert, but doesn't setting up a MitM require a downgrade to broken GSM ciphers to extract the device key?
  • ... reminding the user that the Android maker itself tracks your phone all the time? And that the cellular phone networks also track the phone all the time, and will sell your location data to whomever is willing to pay enough? And that the fines for doing so are much lower than the profits from selling that data?

Slashdot Top Deals

If the facts don't fit the theory, change the facts. -- Albert Einstein

Close