Pixel 9 Pro XL phones home every few minutes. How affected is GrapheneOS?

moddel

According to an article published by cybernews.com:
(https://cybernews.com/security/google-pixel-9-phone-beams-data-and-awaits-commands/)

"You can’t say no to Google’s surveillance"

Researchers analyzed network traffic and found that Pixel 9s are phoning home to google every few minutes including sending personal identifiable information.

From the article:
"The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,"

How much, if anything, can installing GrapheneOS protect device owners from this?

For example the article mentions several connection attempts but does not mention which services or apps are generating these requests:

Every 15 minutes, the device sends a regular authentication request to an endpoint called ‘auth.’
The phone also requests a ‘check-in’ endpoint around every 40 minutes, listing low-level features enabled on the phone, such as the firmware version, whether connected to WiFi or using mobile data, the SIM card Carrier, and the user’s email address.
The location data is included in the request even when the GPS is disabled – the phone then relies on nearby Wi-Fi networks to estimate the location.

The article also mentions a few specific services that are leaking data:

CloudDPC: Most Android phones have a “CloudDPC” package built in. It is used to manage enterprise devices, such as changing security policies, remotely distributing apps, wiping data, etc.
enterprise-staging.sandbox: Moreover the Pixel device periodically calls out to a Staging environment service (‘enterprise-staging.sandbox’) and attempts to download assets that do not yet exist.
experiments and configurations endpoint: The Pixel phone also maintained a nearly constant connection to the experiments and configurations endpoint.
scam-related phone numbers Also, the phone continuously requested Google’s servers for updates on known scam-related phone numbers, presumably for its call-screening feature. Every 24 hours, the device would rotate cryptographic keys.

It would be reasonable to assume that some of this is related to Google play services which can be mitigated by not installing it however it is also likely that some of these leaks may be related to specific pixel system apps or code in blobs that GrapheneOS retains. Which of these leaks is GrapheneOS susceptible to?

Have anyone tested GrapheneOS on a pixel 9 device and analyzed all outgoing attempts to phone home to Google's servers?

Dumdum

moddel
https://grapheneos.org/faq#default-connections

de0u

moddel According to an article published by cybernews.com:
(https://cybernews.com/security/google-pixel-9-phone-beams-data-and-awaits-commands/)

"You can’t say no to Google’s surveillance"

By now that is a very old article. It was discussed thoroughly here when it was first published, e.g.: https://discuss.grapheneos.org/d/16338-highly-misleading-and-inaccurate-article-from-cybernews-about-the-pixel-9

For a topic that is old it would be best to search before posting.

Also for a topic that is hot off the press it would be best to search before posting.

Arguably in general it would be best to search before posting.

grayway2

moddel There is no telemetry at all in GrapheneOS. The only real private thing that is collected is your IP address during a couple days then purged from GrapheneOS servers (when your phone perform updates or install let's say sandbox playstore)

GrapheneOS does not store your IP address in the purpose to collect it. It's just an automatic thing.

Eagle_Owl

moddel
Normal behaviour of an Android phone with Android OS installed. Nothing new.
Many telemetry data can be blocked by using a DNS resolver with integrated filter lists.
No app solution needs to be installed for this (such filter apps are all very energy-intensive).

A service such as NextDNS is sufficient (everything can be controlled via the browser on the large desktop monitor).
On the Pixel phone, this will be realised via the Internet settings, see Settings/Network & Internet/Private DNS.
This is where you copy the text string that was generated for you on the NextDNS settings page.

However, it can also be even simpler with a service such as dnsforge.de.
They have three versions of filter lists (Ad blocker / Ad blocker & Youth protection / Ad blocker and hard block list).
This is a German-based free service (donations are welcome).

And of course you replace this otherwise almost uncontrollable Android OS from Google with the one from Graphene!
This doesn't necessarily mean that you have to do without apps from Google's Play Store, but you can.
In this way, you can deny any app access to the Internet.

In NextDNS, I can see which domains have been resolved and which have been blocked at any time in the ‘Statistics’ tab.
Anyone using a Pixel phone with GrapheneOS can see that not much telemetry data is transmitted and that this is only desired data from/to GOS servers.

moddel

de0u For a topic that is old it would be best to search before posting.

Yes I did and did not find it. Thanks for providing this link.

moddel

de0u It was discussed thoroughly here when it was first published

I disagree with your assessment that this article was "discussed thoroughly here"

The thread poster of the link you provided actually did not address any of the specifics mentioned in the article and neither did the 3 other participants in this thread. In fact the thread itself has only 6 replies, 3 of which are the original poster.

The original poster also spends 10 paragraphs out of the original 13 talking about iOS and apple which wasn't even mentioned in this article!

None of this is a thorough discussion about the actual, specific, technical issues raised in the article. This post comes of much more as a diatribe against the article, iOS and this journalist in general.

Have there been any more discussion about this issue?

The original question stands, has anyone actually tested GrapheneOS on a pixel 9 device and analyzed all outgoing attempts to phone home to Google's servers? How affected is GrapheneOS to the issues raised in this article?

n3t_admin

moddel unless you install Play Services, there will not be any such connections to Google.
However, once Play Services is installed, I assume that whatever the sandbox allows access to (from this list)

The phone also requests a ‘check-in’ endpoint around every 40 minutes, listing low-level features enabled on the phone, such as the firmware version, whether connected to WiFi or using mobile data, the SIM card Carrier, and the user’s email address.

will be reported back to Google, like on the stock PixelOS. I don't know the specifics of what Play Services can or can not access by being sandboxed; that needs to be elaborated on by someone with more knowledge.
The other data points are not likely to be exploited/connections to be made, since corresponding system apps don't exist on GOS (independent of Play Services).

de0u

moddel The original question stands, has anyone actually tested GrapheneOS on a pixel 9 device and analyzed all outgoing attempts to phone home to Google's servers?

A key point of the official GrapheneOS account is that most of the described network traffic has nothing to do with Pixel devices and is part of normal traffic by normal vendor distributions of Android, e.g., Samsung, Sony, etc.

If "Cyber News" is in the business of posting articles about network traffic by Pixel devices running Google's Android, perhaps it would be responsible for them to also investigate network traffic from Samsung devices running Samsung's Android. And, since GrapheneOS is free and easy to install, perhaps it would be responsible for "Cyber News" to report on network traffic from a Pixel running GrapheneOS.

moddel

Here is another post discussing the issue: https://discuss.grapheneos.org/d/16334-mental-outlaw-shilling-false-cybernews-article

Again, the poster characterizes a blog post about the article as misleading.
20 replies any none of them actually address anything specifically discussed in the original article.

Is there any discussion of substance around the issues addressed in the article?

Lion

Did you have a look at https://grapheneos.org/faq#default-connections as already suggested by Dumdum?

moddel

Lion
Yes I have read the entire FAQ and everything else on the GrapheneOS website. I still have the questions I have raised. This is why I started the discussion

moddel

n3t_admin
https://discuss.grapheneos.org/d/16334-mental-outlaw-shilling-false-cybernews-article

I agree that most of it appears as though it would need google play services. For example the article mentions that email is one of the personal identifiers that is leaked but all of it?

GrapheneOS doesn't replace every layer of software on the device. There is still a lot of google code, drivers, blobs etc. and even an entire baseband OS for Google's custom soc hardware, all of which could potentially leak and phone home to Google. How many of those connection could potentially be still an issue with GrapheneOS, has anyone tested the specific claims of the article against a pixel 9 device?

moddel

n3t_admin However, once Play Services is installed,

Agreed, Let's assume that Play services are not installed. Which of the points in this article seem like they could be coming from services or software not reliant on Google Play services. Any of them?

de0u

moddel Yes I have read the entire FAQ and everything else on the GrapheneOS website. I still have the questions I have raised. This is why I started the discussion.

If the "Cyber News" article seems like a plausible information source, and the GrapheneOS FAQ's inventory of network traffic does not seem like a plausible information source, one approach might be for you to connect a Pixel device running GrapheneOS to a router you control and analyze the logs to your own satisfaction. And maybe also connect up a Samsung device!

n3t_admin

moddel as I wrote before

unless you install Play Services, there will not be any such connections to Google.

that is a very clear and definitive answer. Someone above already linked the FAQ about default connections in GrapheneOS. Those are what I observed myself as well.

moddel

n3t_admin that is a very clear and definitive answer. Someone above already linked the FAQ about default connections in GrapheneOS. Those are what I observed myself as well.

This is good to hear. How did you observe the outgoing connections?

moddel

de0u f the "Cyber News" article seems like a plausible information source
Plausible or not they gave specifics, which as far as I have seen have not been specifically addressed.
and the GrapheneOS FAQ's inventory of network traffic does not seem like a plausible information source,
Who said this, you? Certainly not me? In fact I specifically said that I read it all, which I did. I did not comment on the plausibility of the information.

de0u one approach might be for you to connect a Pixel device running GrapheneOS to a router you control and analyze the logs to your own satisfaction.

This is exactly what I am asking, has anyone actually attempted to verify the claims of this article. All I see are vague comments and users attacking the credibility of the website or the journalist. If Graphene actually fixes the issues discussed in this article then the Graphene community missed a huge opportunity to prompt itself as a solution.

What you propose is exactly how I would envision testing these issues. I do not own a Pixel 9 device. Considering Pixels future, the only reason I can think of buying one is to run GrapheneOS.

de0u And maybe also connect up a Samsung device!

I don't see what relevance Samsung devices or Apple devices or any other devices have to this discussion. The questions specifically here is, are any of the data leaking behavior discussed in the article pertaining to Pixel 9 devices relevant to a Pixel device running GrapheneOS. Is the documentation that lists all of the connection up to date? Is there anything specific on the Pixel 9 that can leak this info at a lower level?

de0u

de0u If the "Cyber News" article seems like a plausible information source [...]

moddel Plausible or not they gave specifics, which as far as I have seen have not been specifically addressed.

The GrapheneOS FAQ also lists "specifics" (quite a few). I believe some of them (e.g., GNSS PSDS connections) do not appear in the "Cyber News" article.

de0u [...] and the GrapheneOS FAQ's inventory of network traffic does not seem like a plausible information source [...]

moddel Who said this, you? Certainly not me? In fact I specifically said that I read it all, which I did. I did not comment on the plausibility of the information.

If the "Cyber News" claims about network traffic from a stock Pixel are relevant to a Pixel running GrapheneOS, then the claims in the GrapheneOS FAQ are inaccurate. If the claims in the GrapheneOS FAQ are accurate then the observations in the "Cyber News" article about network traffic from a stock Pixel are irrelevant to Pixels running GrapheneOS (regardless of the number of "specifics" in the "Cyber News" article). The original post asked "Which of these leaks is GrapheneOS susceptible to?". It did not ask "Is this article accurate?".

It appears that you are doing a substantial amount of research while considering running GrapheneOS on a Pixel. Actually running GrapheneOS on a device containing personal data will, to some extent, require a "leap of faith" in the GrapheneOS development team -- even though the code for most of the stack is open, it's impractical for anybody to review all of it.

Placing trust in the GrapheneOS team (and hence their inventory of network connections) may not immediately seem warranted. But it may also be useful to be careful about placing trust in news organs. Hopefully if "Cyber News" doesn't address "specifics" that the GrapheneOS FAQ does, that results in scrutiny of "Cyber News"?

locked

de0u one useful software for this might be inviZible. You can set up a profile specifically for this testing . it should be ran in VPN mode, and then you will be able to see all the DNS requests by specific apps, should be interesting. I think i may try this, however, I have a P8 with GOS. Also, just in case there is traffic that is not encapsulated through the VPN, It might be wise also to run another test routing network traffic through a computer and monitoring everything on WireShark or even simpler program that logs all DNS requests.

n3t_admin

moddel mostly through RethinkDNS. I also have a firewall set up at home where I can (and do) monitor traffic.