GrapheneOS It's specific to devices which moved to Samsung GNSS. It's a known issue filed in the tracker already, probably multiple times.
It's covered in the FAQ section on default connections for Qualcomm gpsd but the necessary research and changes for Samsung gnssd haven't been done yet. We've had endless high priority work and haven't gotten to it yet.
Perhaps some parts of the FAQ are not clear enough, perhaps I did not have enough knowledge to fully comprehend what was written.
I see that in the "default connections" FAQ section, the URL addresses of the servers to which connections are made are explicitly written everywhere. For example: https://releases.grapheneos.org. Which elements of the system are responsible for requests and how to turn them off is usually written in the FAQ or you can find the corresponding topic on the forum.
Regarding Qualcomm Snapdragon SoC devices and the Samsung GNSS chip, the situation is different or maybe I have not understood it well.
Qualcomm Snapdragon SoC devices also fetch time via NTP for xtra-daemon instead of using potentially incorrect OS time. We use time.grapheneos.org when using the default GrapheneOS PSDS servers or the standard time.xtracloud.net when using Qualcomm's servers. Stock Pixel OS uses time.google.com but we follow Qualcomm's standard settings to match other devices and to avoid the incompatible leap second handling. These connections all go through the Owner VPN so it isn't a real world fingerprinting issue.
NTP (pool.ntp.org) servers are not explicitly specified here, while in other cases the addresses were specified.
What conclusions should be drawn from the last two sentences?
"we follow Qualcomm's standard settings" - What does this mean in practice?
Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL and Pixel 9 Pro Fold use a Samsung GNSS chip. Almanacs are downloaded from https://samsung.psds.grapheneos.org/p4/42F3 which is a cache of Samsung's data. Alternatively, the standard servers can be enabled in the Settings app which will use https://1.ssiloc.com/p4/42F3.
I was also unable to deduce from the FAQ that the Samsung GNSS chip can and will make NTP requests. It is now clear.
Can the user disable these requests? If yes, how? If not, then perhaps it should be warned in the FAQ for clarity.
An HTTPS connection is made to https://time.grapheneos.org/generate_204 to update the time with a millisecond precision X-Time header. As part of future support for using other services, it falls back to the standard Date header with second precision.
This is a full replacement for Android's standard network time update implementation, which uses unauthenticated SNTP (Simple Network Time Protocol) with fallback to the cellular network when it's not available (GNSS can also be used as a time source but is disabled by default, and OEMs can choose the priority order). Network time updates are security sensitive since certificate validation depends on having an accurate time, but the standard NTP / SNTP protocols used across most OSes have no authentication. Our servers obtain the time from 6 independent NTP servers with NTS for authentication where at least 3 servers need to agree on the time for it to be updated.
After reading this paragraph, I get the feeling that GNSS is disabled by default.
Network time can be disabled with the toggle at Settings > System > Date & time > Set time automatically. Unlike AOSP or the stock OS on the supported devices, GrapheneOS stops making network time connections when using network time is disabled rather than just not setting the clock based on it. The time zone is still obtained directly via the time zone provided by the mobile network (NITZ) when available which you can also disable by the Set time zone automatically toggle.
After reading this paragraph, I get the impression that when you turn off time synchronization in the settings, requests to the time servers stop. But they don't, at least not for all.
Please do not take my words as something hostile or demanding. For me, open source projects like GrapheneOS, Monero, Linux and so on are islands of freedom. It is a great value and all people involved in the creation deserve the utmost respect. I tried to say how I perceive it. I may be missing something. I am not an English speaking person.
GrapheneOS Why?
Such a simple question, but so hard to answer without touching on politics and all that is going on in the world. We all know the context of current events and I think it needs to be taken into account.
Given the huge influence of American intelligence agencies around the world. Surveillance, jailing of mixer developers (Samourai Wallet, Tornado Cash), strange inadequate behavior of Tor Browser developers. In general, a lot of interesting, strange and bad things are happening in the world. I have been watching this for a long time and I look at it all through the prism of privacy and anonymity as a struggle for freedom.
Any failures, imperfections, uncovered issues hurt my heart and make me sad that we are losing. But I don't blame anyone for that. The world is the way it is. It's just that no one can be perfect. GrapheneOS can't be perfect, other free and proprietary projects can't be perfect. It's an endless process of evolution.
On the psychological side, I don't know what to do with my mistrust and suspicions that I often feel. All the questions about uncovered privacy vulnerabilities make me suspect that the developers are backed by secret service handlers who forbid them to do certain things.
Maybe you can say that the problem is insignificant, but it still makes me sad.
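
The agreement rule in the FAQ paragraph quoted above (time taken from 6 NTP servers, updated only when at least 3 agree), sketched as an added example that is not GrapheneOS code or part of the original post. The 100 ms tolerance, the refusal to pick between two competing quorums, and all names and sample offsets are assumptions made for illustration.

```python
from statistics import median

MIN_AGREEING = 3     # from the quoted FAQ text: at least 3 servers must agree
TOLERANCE_S = 0.100  # assumption: offsets within 100 ms count as agreeing

# Constructed sample offsets in seconds (None = unreachable or failed authentication).
ALL_HONEST = [0.012, 0.015, 0.009, 0.011, None, 0.014]
ONE_OUTLIER = [0.012, 0.015, 3600.0, 0.011, None, None]
TOO_FEW = [0.010, 0.012, 3600.0, None, None, None]
SPLIT_3_3 = [0.000, 0.001, 0.002, 3600.000, 3600.001, 3600.002]


def largest_cluster(sorted_offsets, tolerance):
    """Return the largest run of sorted offsets whose spread is <= tolerance."""
    best, start = [], 0
    for end in range(len(sorted_offsets)):
        # Shrink the window from the left until it fits inside the tolerance.
        while sorted_offsets[end] - sorted_offsets[start] > tolerance:
            start += 1
        if end - start + 1 > len(best):
            best = sorted_offsets[start:end + 1]
    return best


def agreed_offset(offsets, min_agreeing=MIN_AGREEING, tolerance=TOLERANCE_S):
    """Return the clock offset backed by a quorum of sources, or None.

    None means "do not touch the clock": too few sources agree, or two
    disjoint groups both reach the quorum (assumed conservative behaviour).
    """
    valid = sorted(o for o in offsets if o is not None)
    best = largest_cluster(valid, tolerance)
    if len(best) < min_agreeing:
        return None
    # Remove the winning group and check whether a rival quorum remains.
    rest = list(valid)
    for o in best:
        rest.remove(o)
    if len(largest_cluster(rest, tolerance)) >= min_agreeing:
        return None
    return median(best)


if __name__ == "__main__":
    for name, sample in [("all honest", ALL_HONEST), ("one outlier", ONE_OUTLIER),
                         ("too few", TOO_FEW), ("3/3 split", SPLIT_3_3)]:
        print(f"{name}: {agreed_offset(sample)}")
```

A single source reporting a wrong time, whether faulty or hostile, cannot move the clock on its own, which is the property that matters when certificate validation depends on the result.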