The article is wrong and sensationalist at best. I hope that they correct it since it looks really bad for them.
The good faith interpretation is that they didn't know any better. A less charitable take is that this is a marketing stunt for them to peddle the Nitrophone, which is just a Google Pixel on which they have installed GrapheneOS for a very high price (I always recommend obtaining a Pixel yourself and flashing it - it's extremely easy with the web installer).
It is important to note that Nitrophones run GrapheneOS, but Nitrokey is in no way affiliated with GrapheneOS. Vendors can sell phones with GrapheneOS in accordance with the project's licenses. I'm making sure to mention this in case people think that there's some sort of partnership or affiliation with them, which there isn't.
What they "found" out is just a service that provides PSDS location data. It's not secret, and it's not a "backdoor", as some people have unfortunately started calling it.
All Nitrokey had to do is actually visit http://izatcloud.net/
and plainly see what it says there:
The Qualcomm Location XTRA Service generates and provides accurate Satellite positions for extended periods of time to a mobile device. This assistance data is provided in compact form and allows the mobile device to perform positioning for an extended period of time (up to seven days). The assistance data files are made available to a Data Distribution Network for global distribution.
If you would like to know what connections GrapheneOS makes, please take a look at the relevant FAQ entry:
https://grapheneos.org/faq#default-connections
HTTPS connections are made to fetch PSDS information to assist with satellite based location. These are static files and are downloaded automatically to improve location resolution speed and accuracy. No query or data is sent to these servers. These contain orbits and statuses of satellites, Earth environmental data and time adjustment information.
On 6th and 7th generation Pixels (which use a Broadcom GNSS chip), almanacs are downloaded from https://broadcom.psds.grapheneos.org/lto2.dat, https://broadcom.psds.grapheneos.org/rto.dat and https://broadcom.psds.grapheneos.org/rtistatus.dat which are a cache for Broadcom's data available at https://gllto.glpals.com/7day/v5/latest/lto2.dat, https://gllto.glpals.com/rto/v1/latest/rto.dat and https://gllto.glpals.com/rtistatus4.dat. Alternatively, the standard servers can be enabled in the Settings app which are https://agnss.goog/lto2.dat, https://agnss.goog/rto.dat and https://agnss.goog/rtistatus.dat providing a similar cache of Broadcom's data currently (as of October 2022) hosted on GCP (Google Cloud Platform).
On 4th and 5th generation Pixels (which use a Qualcomm baseband providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes), almanacs are downloaded from https://path1.xtracloud.net/xtra3grcej.bin https://path2.xtracloud.net/xtra3grcej.bin, https://path3.xtracloud.net/xtra3grcej.bin, https://path1.xtracloud.net/xtra3Mgrbeji.bin, https://path2.xtracloud.net/xtra3Mgrbeji.bin and https://path3.xtracloud.net/xtra3Mgrbeji.bin which currently (as of October 2022) are hosted via Amazon Web Services. We plan to offer the option to download these files from the GrapheneOS servers, but we'll retain the option to use the standard servers to blend in with other devices.
Qualcomm Snapdragon SoC devices also fetch time from time.xtracloud.net via NTP rather than using the OS time. Stock Pixel OS overrides this to time.google.com but we use the standard server like other Snapdragon devices. It's technically incorrect to use the time.google.com server for this due to non-standard leap second smearing not expected by the Qualcomm GNSS implementation. This could be avoided by using OS time instead but Qualcomm built it this way to avoid GNSS-based location being crippled by having time set wrong in the OS.
We're hosting a similar PSDS cache for Qualcomm PSDS data and plan to use it by default once we implement support for switching between our servers and Qualcomm's servers via the same toggle we use for the newer Broadcomm GNSS Pixels.