The German security company Nitrokey, which also sells Pixel phones with pre-installed GrapheneOS, has "found out" that phones with Qualcomm chips transmit a lot of information to Qualcomm, although they have been flashed with an alternative OS too: https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker
Are Pixels with this chipset also compromised, despite having GrapheneOS installed on them?
Misleading article about Qualcomm PSDS (XTRA)
The article is wrong and sensationalist at best. I hope that they correct it since it looks really bad for them.
The good faith interpretation is that they didn't know any better. A less charitable take is that this is a marketing stunt for them to peddle the Nitrophone, which is just a Google Pixel on which they have installed GrapheneOS for a very high price (I always recommend obtaining a Pixel yourself and flashing it - it's extremely easy with the web installer).
It is important to note that Nitrophones run GrapheneOS, but Nitrokey is in no way affiliated with GrapheneOS. Vendors can sell phones with GrapheneOS in accordance with the project's licenses. I'm making sure to mention this in case people think that there's some sort of partnership or affiliation with them, which there isn't.
What they "found" out is just a service that provides PSDS location data. It's not secret, and it's not a "backdoor", as some people have unfortunately started calling it.
All Nitrokey had to do is actually visit http://izatcloud.net/ and plainly see what it says there:
The Qualcomm Location XTRA Service generates and provides accurate Satellite positions for extended periods of time to a mobile device. This assistance data is provided in compact form and allows the mobile device to perform positioning for an extended period of time (up to seven days). The assistance data files are made available to a Data Distribution Network for global distribution.
If you would like to know what connections GrapheneOS makes, please take a look at the relevant FAQ entry:
https://grapheneos.org/faq#default-connections
HTTPS connections are made to fetch PSDS information to assist with satellite based location. These are static files and are downloaded automatically to improve location resolution speed and accuracy. No query or data is sent to these servers. These contain orbits and statuses of satellites, Earth environmental data and time adjustment information.
On 6th and 7th generation Pixels (which use a Broadcom GNSS chip), almanacs are downloaded from https://broadcom.psds.grapheneos.org/lto2.dat, https://broadcom.psds.grapheneos.org/rto.dat and https://broadcom.psds.grapheneos.org/rtistatus.dat which are a cache for Broadcom's data available at https://gllto.glpals.com/7day/v5/latest/lto2.dat, https://gllto.glpals.com/rto/v1/latest/rto.dat and https://gllto.glpals.com/rtistatus4.dat. Alternatively, the standard servers can be enabled in the Settings app which are https://agnss.goog/lto2.dat, https://agnss.goog/rto.dat and https://agnss.goog/rtistatus.dat providing a similar cache of Broadcom's data currently (as of October 2022) hosted on GCP (Google Cloud Platform).
On 4th and 5th generation Pixels (which use a Qualcomm baseband providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes), almanacs are downloaded from https://path1.xtracloud.net/xtra3grcej.bin, https://path2.xtracloud.net/xtra3grcej.bin, https://path3.xtracloud.net/xtra3grcej.bin, https://path1.xtracloud.net/xtra3Mgrbeji.bin, https://path2.xtracloud.net/xtra3Mgrbeji.bin and https://path3.xtracloud.net/xtra3Mgrbeji.bin which currently (as of October 2022) are hosted via Amazon Web Services. We plan to offer the option to download these files from the GrapheneOS servers, but we'll retain the option to use the standard servers to blend in with other devices.
Qualcomm Snapdragon SoC devices also fetch time from time.xtracloud.net via NTP rather than using the OS time. Stock Pixel OS overrides this to time.google.com but we use the standard server like other Snapdragon devices. It's technically incorrect to use the time.google.com server for this due to non-standard leap second smearing not expected by the Qualcomm GNSS implementation. This could be avoided by using OS time instead but Qualcomm built it this way to avoid GNSS-based location being crippled by having time set wrong in the OS.
We're hosting a similar PSDS cache for Qualcomm PSDS data and plan to use it by default once we implement support for switching between our servers and Qualcomm's servers via the same toggle we use for the newer Broadcom GNSS Pixels.
They're just static file downloads via HTTPS and are done by the xtra-daemon service in the OS for the Qualcomm devices we support. Perhaps it moved into firmware for newer Qualcomm devices but it's almost certainly configurable like SUPL.
We have qualcomm.psds.grapheneos.org similar to broadcom.psds.grapheneos.org. It has been tested but not deployed for the Qualcomm Pixels yet because it's tricky to support the PSDS toggle for it. This is a very low priority and low impact feature even if we only supported Qualcomm devices and 6th/7th and later generation Pixels don't need it so that makes it even lower priority.
MoonShine I would recommend reading through this reply by the GrapheneOS account on Reddit:
[deleted]
MoonShine I am interested in knowing what evidence there is that it is sending personal data at all, let alone unencrypted, other than them claiming it does, because they didn't provide any evidence or documentation of that from what I can see?
[deleted]
GrapheneOS https://www.qualcomm.com/site/privacy/services
I'm curious about your opinion on this section of their privacy policy, "Qualcomm GNSS Assistance Service": "The Qualcomm GNSS Assistance Service (formerly “XTRA”)". It seems like they are stating their PSDS service transmits that information, but I'm not that technically knowledgeable about this so I'm just asking, thanks!
"The Qualcomm GNSS Assistance Service also uploads a small amount of data to us comprised of: a randomly generated unique software ID that is not associated to you or to other IDs, the chipset name and serial number, the Qualcomm GNSS Assistance Service software version, the mobile country code(s) and network code(s) (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the date and time of connection to the server, the time since the last boot of the application processor and modem, and a list of QTI software on the device."
[deleted]
matchboxbananasynergy The article is wrong and sensationalist at best. I hope that they correct it since it looks really bad for them.
The good faith interpretation is that they didn't know any better. A less charitable take is that this is a marketing stunt for them to peddle the Nitrophone, which is just a Google Pixel on which they have installed GrapheneOS for a very high price (I always recommend obtaining a Pixel yourself and flashing it - it's extremely easy with the web installer).
To be fair Nitrokey handles the guarantee for the (altered) Pixels and they remove the mics and sensors for extra charge.
Is GOS development for Pixel 6/7 phones considered to be of higher priority than for older Pixel phones?
OpenSource-Ghost Is GOS development for Pixel 6/7 phones considered to be of higher priority than for older Pixel phones?
I don't speak for the GrapheneOS project, but I will point out Google plans to stop issuing firmware patches for 4a in August, 5 in October, and 4a5g in November. So I suspect GrapheneOS support for those phones will be over by the end of this year. Personally I would avoid at least those - unless maybe you get one cheap to experiment with GrapheneOS before switching your real phone, or some other special purpose.
Other people may have other opinions!
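An added example, not part of any post in this thread and not GrapheneOS or Qualcomm code: one way to check the FAQ's description of PSDS downloads (static files, "No query or data is sent") against requests captured on a device you control. The JSON-lines record format, the sample records and the baseline header set are assumptions constructed for illustration; the hosts and file names are the ones listed in the FAQ text quoted earlier in the thread.

```python
import json
from urllib.parse import urlsplit

# Static PSDS files named in the GrapheneOS FAQ text quoted in this thread.
FILES_BROADCOM = {"/lto2.dat", "/rto.dat", "/rtistatus.dat"}
FILES_QUALCOMM = {"/xtra3grcej.bin", "/xtra3Mgrbeji.bin"}
PSDS_FILES = {
    "broadcom.psds.grapheneos.org": FILES_BROADCOM,
    "agnss.goog": FILES_BROADCOM,
    **{f"path{n}.xtracloud.net": FILES_QUALCOMM for n in (1, 2, 3)},
}
# Assumption: headers a bare file download needs; anything else gets reviewed,
# because identifying data can travel in headers as well as in a query or body.
BASELINE_HEADERS = {"host", "accept-encoding", "connection"}

def audit_request(rec):
    """Return the reasons a request is more than a plain static-file GET."""
    url = urlsplit(rec["url"])
    allowed = PSDS_FILES.get(url.hostname)
    if allowed is None:
        return ["not a PSDS host from the FAQ list"]
    reasons = []
    if url.scheme != "https":
        reasons.append("not HTTPS")
    if rec["method"] != "GET":
        reasons.append(f"method {rec['method']}")
    if url.path not in allowed:
        reasons.append(f"unlisted path {url.path}")
    if url.query:
        reasons.append("query string present")
    if rec.get("body_len", 0) > 0:
        reasons.append("request body present")
    for name in sorted(h.lower() for h in rec.get("headers", {})):
        if name not in BASELINE_HEADERS:
            reasons.append(f"review header {name}")
    return reasons

# Constructed sample records (hypothetical proxy export, one JSON object per line).
SAMPLE_LOG = """\
{"method":"GET","url":"https://path1.xtracloud.net/xtra3grcej.bin","headers":{"Host":"path1.xtracloud.net"},"body_len":0}
{"method":"GET","url":"https://path2.xtracloud.net/xtra3Mgrbeji.bin?id=abc","headers":{"Host":"path2.xtracloud.net","User-Agent":"constructed/1.0"},"body_len":0}
{"method":"POST","url":"http://agnss.goog/lto2.dat","headers":{"Host":"agnss.goog"},"body_len":128}
"""

def audit_log(text):
    """Audit every non-empty JSON line and return one reason list per request."""
    return [audit_request(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for reasons in audit_log(SAMPLE_LOG):
        print("clean" if not reasons else "; ".join(reasons))
```

An empty reason list means the request matches the FAQ's description; any other result names what to inspect in the capture.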