this post was submitted on 27 Oct 2023

170 points (95.2% liked)

Privacy

31220 readers

972 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

170

Fairphone 4 is making hundreds of unwanted connections per day, to the same addresses. (lemmy.world)

submitted 10 months ago by Cossty@lemmy.world to c/privacy@lemmy.ml

47 comments fedilink hide all child comments

So I got Fairphone 4, with /e/ os, a couple of days ago. When I connected it to my NextDNS I saw that it was trying to connect to some weird addresses, like every 5-10 minutes. I searched Internet a bit and found out that it was something with snapdragon cpu and location services. I travel a lot and use Organic Maps for navigation, so location was enabled almost all day on the phone. I turned off location services and connections stopped, and everything was fine for a couple of days.

Today I came home, checked logs in NextDNS and saw that phone started doing the same connections almost constantly even with location turned off.

Can I do something about this, other than allowing these connections? These connections are probably so numerous because they are getting blocked. If I allowed them, phone would maybe call home once in a couple of hours. I would rather not allow them, but I don't want 20% of battery to be eaten by this.

all 50 comments

sorted by: hot top controversial new old

[–] MigratingtoLemmy@lemmy.world 115 points 10 months ago* (last edited 10 months ago) (2 children)

I found a few links summarising this:

https://old.reddit.com/r/nextdns/comments/14919dp/randomly_pathnxtracloudnet_is_stopped_getting/jo5n5va/
- It's Qualcomm's URL for downloading assisted GPS almanac days
https://teddit.net/r/privacy/comments/12yii9u/comment/jhojlr7/
Graphene OS' relevant documentation: https://grapheneos.org/faq#default-connections

On 4th and 5th generation Pixels (which use a Qualcomm baseband providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes), almanacs are downloaded from https://qualcomm.psds.grapheneos.org/xtra3Mgrbeji.bin which is a cache of Qualcomm's data. Alternatively, the standard servers can be enabled in the Settings app which will use https://path1.xtracloud.net/xtra3Mgrbeji.bin, https://path2.xtracloud.net/xtra3Mgrbeji.bin and https://path3.xtracloud.net/xtra3Mgrbeji.bin. GrapheneOS improves the privacy of Qualcomm PSDS (XTRA) by removing the User-Agent header normally containing an SoC serial number (unique hardware identifier), random ID and information on the phone including manufacturer, brand and model. We also always fetch the most complete XTRA database variant (xtra3Mgrbeji.bin) instead of model/carrier/region dependent variants to avoid leaking a small amount of information based on the database variant.

Note sure if e/OS/ has taken as much care as Graphene has to make the requests more private. Then again, they don't claim to be the most private OS, just De-Googled.

Edit: this is also a good read for further attempts to make your device more private: https://grapheneos.org/faq#other-connections

[–] Cossty@lemmy.world 9 points 10 months ago (3 children)

Android is so troublesome, I am tempted to just install Ubuntu Touch and be done with this.

[–] Deckweiss@lemmy.world 44 points 10 months ago (1 children)

I have a linux phone on the shelf, because in real life I need apps that are only available on android ...

[+] LanternEverywhere@kbin.social -6 points 10 months ago (2 children)

Which apps?

[–] Deckweiss@lemmy.world 24 points 10 months ago (1 children)

Banking, usable gps navigation with live traffic, workout tracker that can read and log gps and data from my Polar H10 and smartwatch.

[–] notenoughbutter@lemmy.ml 2 points 10 months ago* (last edited 10 months ago) (1 children)

I use online banking and Garmin smartwatch so when Linux phone becomes mainstream, I don't be locked down

plus it looks like WhatsApp is getting interoperability and we may see a semi open source Linux client

[–] Deckweiss@lemmy.world 2 points 10 months ago (1 children)

You want a Linux phone but then use whatsapp? Just wow

[–] notenoughbutter@lemmy.ml 1 points 10 months ago (1 children)

yeah

everyone I know uses WhatsApp

and privacy is not an incentive for them to switch over to signal because again, everyone they know also uses WhatsApp

[–] Deckweiss@lemmy.world 1 points 10 months ago* (last edited 10 months ago)

Everybody I know uses whatsapp, but they also use threema because every time I get asked for whatsapp I tell them that I am only on threema.

Worked out fine. Everybody that actually wants to chat with me got it. And after some privacy related whatsapp news they made their friends migrate and so on.

For other cases there is plain old calls and emails. Chat is really just a small convenience and not necessary at all. I'd never sacrifice my privacy for.

[–] user224@lemmy.sdf.org 6 points 10 months ago (1 children)

For me, it's something to use a Mi Band and banking apps. The rest would probably be doable on GNU phone as well.

(I only said "GNU", since both operating systems already use the Linux kernel.)

[–] MigratingtoLemmy@lemmy.world 15 points 10 months ago (2 children)

Ah, it's just a quirk of e/OS/. Nothing much - and you can run a DNS filter on your mobile to get rid of this problem (Bonus: won't take too much of battery since it'll not be operating a VPN since you're root)!

I haven't heard much about Ubuntu Touch - does it work well?

[–] 0x2d@lemmy.ml 1 points 10 months ago

i tried it on my pixel 3a, its neat, and i can run android apps in waydroid, but I don't like the navigation

[–] Cossty@lemmy.world 1 points 10 months ago (1 children)

I am kind of new to all these privacy things. So what do you exactly mean by getting rid of this problem? I have DNS which blocks these connections but phone is still making them. How can I make the phone stop doing that?

Ubuntu Touch is just a linux distro for your phone. I actually haven't used it yet, but according to their website, the Fairphone 4 has really good support. So I might try it.

[–] codenul@lemmy.ml 1 points 10 months ago

Just a heads up - Been following UT for some time and the major for me is that there is currently no VolTe support. Major bummer for US folks. There's workarounds, at least for pixel3a but its not 100% reliable.

Also SMS / MMS can be troublesome as well. Can't download images while on WiFi??? Group MMS doesn't work.

Great system, works well but I can't make it my daily driver

[–] Pantherina@feddit.de -1 points 10 months ago

GrapheneOS really is the only Android that should be used. I hope e/OS and others just fork it, add a nicer UI and all.

[–] lemann@lemmy.one 46 points 10 months ago (2 children)

The Qualcomm chipset is making these requests, most likely for GPS almanac data (satellite positioning).

Older chipsets send these almanac requests to izatcloud.net, unencrypted, containing your IMEI. No idea if newer chipsets have improved things though.

[–] Cossty@lemmy.world 4 points 10 months ago (1 children)

How do you deal with this? Or are you using iPhone or something else?

[–] lemann@lemmy.one 6 points 10 months ago* (last edited 10 months ago) (3 children)

I don't ☹️

There is a hidden LocationServices system app from Qualcomm that proxies the communication on some devices - however removing this causes a bootloop from what I've read, and would prevent Android from being able to identify your location even if it didn't cause a bootloop.

I use a Fairphone 3 though with a bunch of Google services in the stock OS disabled, so I've settled for just keeping my location data out of Google's hands

Edit: add info

[–] Cossty@lemmy.world 3 points 10 months ago

I actually wanted to get a Fairphone 3 because of headphone jack but I got really good deal on a Fairphone 4 so I took it instead.

[–] SpaceNoodle@lemmy.world 3 points 10 months ago (1 children)

Just decompile Qualcomm's platform service and stub out the right system calls!

[–] kionite231@lemmy.ca 5 points 10 months ago (1 children)

"Just"

[–] SpaceNoodle@lemmy.world 1 points 10 months ago

You get pretty good at it after you do a couple. I also came up with a way to manually start a platform service with strace and a custom SELinux context, but that was a few years ago and I left all of that work with my previous employer.

[–] MigratingtoLemmy@lemmy.world 2 points 10 months ago

however removing this causes a bootloop from what I’ve read

Is this document for every Qualcomm device? I'd be interested to remove such calls from my system if possible, but I'm no systems expert, and unlike the other commenter I don't think I'll be able to decompile Qualcomm's platform service just to remove a few system calls.

[–] SpaceNoodle@lemmy.world 4 points 10 months ago (1 children)

Chipsets don't make network requests. More likely some closed-source platform service does.

[–] noride@lemm.ee 14 points 10 months ago (1 children)

That really isn't entirely true anymore since the TPM ecosystem came into existence. I can remotely wipe any pc at my company even if it's stolen and reformatted because a hardware chip will phone home the second a compatible os is installed and internet access is available.

[–] skullgiver@popplesburger.hilciferous.nl 16 points 10 months ago* (last edited 9 months ago) (2 children)

[This comment has been deleted by an automated system]

[–] MigratingtoLemmy@lemmy.world 4 points 10 months ago (1 children)

I think unless the HAP bit is specifically set to 1, Intel ME is still active on consumer boards, just without an interface for the OS to interact with it. Not sure if someone has hacked an OEM UEFI/BIOS to interact with it, but I have seen a different MAC address from my PC on my network before, and this is without any virtual adapters. This is the only explanation I can come up with.

[–] skullgiver@popplesburger.hilciferous.nl 2 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[–] noride@lemm.ee 1 points 10 months ago (1 children)

For what it's worth, I did specifically say ecosystem because the TPM is just one component, which is required to authenticate the remote wipe. Also the drivers are installed automatically with most modern operating systems, it's not like you install your own south bridge driver, for example. Linux of course notwithstanding.

I've seen it used successfully numerous times. Someone steals one of our laptops, rips the drive out, installs vanilla windows, and boom it reboots and performs a wipe.

Regardless, system-on-a-chip are just that, systems; they can absolutely make remote calls without user interaction, just as intimated by the comment you originally replied to.

[–] skullgiver@popplesburger.hilciferous.nl 1 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[–] simonmicro@programming.dev 20 points 10 months ago

Well, sounds like blocking them is bad: https://gitlab.com/CalyxOS/calyxos/-/issues/370

[–] skullgiver@popplesburger.hilciferous.nl 15 points 10 months ago* (last edited 9 months ago)

[This comment has been deleted by an automated system]

[–] 0x2d@lemmy.ml 8 points 10 months ago (1 children)

you can get calyx os for it (graphene isn't supported)

[–] schnapspraline@lemmy.world 3 points 10 months ago

Apparently calyx wouldn't help. https://gitlab.com/CalyxOS/calyxos/-/issues/370

[–] TCB13@lemmy.world -1 points 10 months ago (1 children)

So fair 😇

[–] Cossty@lemmy.world 12 points 10 months ago (1 children)

I don't really blame fairphone for this. They would probably have to make their own chips, if they wanted control over that. Almost nobody has money for that.

[–] TCB13@lemmy.world 2 points 10 months ago* (last edited 10 months ago) (1 children)

Naa that's not something with "snapdragon cpu and location services" it's something with snapdragon + the OS allowing it and most likely profiting from it. Fairphone guys have been petitioned multiples times to open their platform and/or collaborate with projects such as GrapheneOS and CalyxOS so user can have private and secure phones but they don't care.

CalyxOS does support the Fairphone 4 however that's only due to the persistence and reverse engineering efforts of the CalyxOS project / community. If you decide to use it you won't have a secure bootloader anymore due to a bug in Fairphone's firmware that they choose not to fix. That's how "fair" the "Fairphone" really is.

Here is more relevant information for you from here:

XTRA is technology offered by Qualcomm Technologies, Inc. in the US and QT Technologies Ireland Limited in the European Economic Area to improve mobile device performance. XTRA downloads a data file from Qualcomm containing the predicted orbits of the Global Navigation Satellite System (GNSS) satellites. Using the XTRA data file reduces the time the device needs to calculate its location, thus saving time and battery power when using location-based applications. Newer versions of the XTRA software also upload a small amount of data to us. We use the uploaded data for purposes described in this Policy, such as maintaining and improving the quality, security, and integrity of the service. XTRA uploads the following data types: a randomly generated unique ID, the chipset name and serial number, XTRA software version, the mobile country code and network code (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the time since the last boot of the application processor and modem, and a list of our software on the device

Before you say this is the CPU's fault, it isn't, at least on its own. GrapheneOS also deals with this kind of stuff and has patches and options so you can block it.

[–] Cossty@lemmy.world 4 points 10 months ago (3 children)

After looking into it more, I don't think I would use Graphene OS even if it was supported on FP4, main dev seems like a lying man baby.

On the other hand, I didn't know Calyx OS has support for FP4, I might try it out.

[–] fl42v@lemmy.ml 2 points 10 months ago

I don't really remember strcat "lying", yet there are some evidence of him being... Let's say unstable. GrapheneOS, tho, is another story as it's trying to improve the android's privacy/security model instead of simply not making things worse. For example, they are behind hardened malloc - for security, and have storage & contact scopes (i.e. letting the user choose which files/directories exactly an app can access) - for privacy. While the former feature has been adopted by a few other roms and even desktop Linux distributions, the latter I've seen only on graphene so far, which is quite a shame. Same goes for sandboxing play services

[–] TCB13@lemmy.world 2 points 10 months ago (1 children)

Why so much hate towards GrapheneOS? The thing is carefully planned and executed. About Calyx... just don't forget that you won't get a secure boot... anyone who gets you phone can temper with your boot.

[–] Cossty@lemmy.world 4 points 10 months ago* (last edited 10 months ago) (3 children)

I don't hate GrapheneOS, it is probably fine. I just don't think I would feel comfortable running an OS on my phone when its main dev acts like this. That's just me and completely subjective.

https://www.youtube.com/watch?v=Dx7CZ-2Bajg

https://www.youtube.com/watch?v=4To-F6W1NT0

[–] TCB13@lemmy.world 3 points 10 months ago

Yes I'm aware of his bad soft skills... either way he does good work and he's capable of working on small details while still seeing the bigger picture - this makes him able to spot and fix stuff others would miss easily. Example that stuff you've reported.

[–] RogueBanana@lemmy.zip 1 points 10 months ago

Wasn't that the guy who stepped down from development entirely because of the backlash? Louis himself is still using it afaik

[–] PipedLinkBot@feddit.rocks 0 points 10 months ago

Here is an alternative Piped link(s):

https://www.piped.video/watch?v=Dx7CZ-2Bajg

https://www.piped.video/watch?v=4To-F6W1NT0

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] 7heo@lemmy.ml 1 points 10 months ago* (last edited 10 months ago) (1 children)

expired

[–] Cossty@lemmy.world 1 points 10 months ago (1 children)

Thanks, that was interesting and eye opening read. Do you know if he is still working on graphene os or is he out? Because some users mentioned that he left.

[–] 7heo@lemmy.ml 1 points 10 months ago* (last edited 10 months ago)

expired