"Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker"

Just checked my pi-hole logs: There’s both a FP3 and a FP4 in the household. Both are connected to internet pretty much all the time. But I can only see requests for this domain (xtrapath2 and 3) on the FP3, not on the FP4 in the past 7 days!
No mention of xboxprod-anything anywhere in my logs…

3 Likes

So it seems to me FP4 is not sending anything to this domain…

Maybe you don’t own an xbox and @JeroenH owns one?

That might be the case, but I’d like to see more data on this from other people…

Are you talking to me? Who is a DivestOS developer and why do you think I don’t believe them?
I just suggested that your comment on “there is not real google free android system” is not proven - and Kuketz doesn’t prove your point either; as far as I can see, there are systems that get really close to google free.

Basically that’s my point. Even when, after I had a few other conversations about this assumably good wrapped NitroP-promotion, I don’t really trust its content anymore, this is still my point.

Btw, there’s an interesting statement by the microG developer.

2 Likes

I think you should take your concern to the Nitro guys. The news article has a comment function. I’d be interested to see their defense.

1 Like

I’ve found some traces of izatcloud.net on my pihole, too. Got a stock FP3 (A11) in use.
Below is filtered for the last week. Also the pattern at night time fits.

Well, now I’ve got (.|^)izatcloud.net$ blacklisted (thanks @JeroenH ) and also followed the advice @yvmuell posted from the kuketz-blog about disabling mobile background data on the FP3 (also thanks for the hint).

I’ll keep an eye on the pihole logs now if it shows up again …

EDIT:
Corrected " (.|^)izatcloud.com$ " to (.|^)izatcloud.net$
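
The check described in the post above (looking through Pi-hole logs for izatcloud.net lookups per device and their time of day), as an added example that is not part of the original thread. It assumes the dnsmasq-style `query[...] name from client` lines that Pi-hole writes to pihole.log and writes the regex with its dots escaped; the sample log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# The thread's Pi-hole regex, with the dots escaped (an assumption about the
# intended form) so only izatcloud.net and its subdomains match.
BLOCK_RE = re.compile(r"(\.|^)izatcloud\.net$")

# dnsmasq-style query line, as assumed for pihole.log.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample log (clients, times and upstream resolver are made up).
SAMPLE_LOG = """\
Apr 25 02:14:07 dnsmasq[811]: query[A] xtrapath2.izatcloud.net from 192.168.1.23
Apr 25 02:14:07 dnsmasq[811]: forwarded xtrapath2.izatcloud.net to 9.9.9.9
Apr 25 02:14:09 dnsmasq[811]: query[AAAA] xtrapath3.izatcloud.net from 192.168.1.23
Apr 25 08:30:51 dnsmasq[811]: query[A] example.org from 192.168.1.40
Apr 25 09:02:13 dnsmasq[811]: query[A] notizatcloud.net from 192.168.1.40
Apr 26 03:01:44 dnsmasq[811]: query[A] xtrapath2.izatcloud.net from 192.168.1.23
"""

def queries_by_client(log_text):
    """Map each client IP to its (time, type, name) lookups of the domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and BLOCK_RE.search(m["name"].lower().rstrip(".")):
            hits[m["client"]].append((m["ts"], m["qtype"], m["name"]))
    return dict(hits)

def hour_histogram(hits):
    """Count matching lookups per hour of day, to spot a night-time pattern."""
    hist = Counter()
    for rows in hits.values():
        for ts, _qtype, _name in rows:
            hist[int(ts.split()[-1][:2])] += 1
    return dict(hist)

if __name__ == "__main__":
    hits = queries_by_client(SAMPLE_LOG)
    for client, rows in hits.items():
        print(client, len(rows), "lookups")
    print("per hour:", hour_histogram(hits))
```

With the dots left unescaped, the same pattern would also match the unrelated name `notizatcloud.net` in the sample.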

Edit: There is far more nuance to this, please see my writeup: https://divestos.org/misc/gnss.txt

10 Likes

Sorry, I said .com in the regexp; it should have been .net

Anyway I feel like we already discussed this some other time. Back then I did the same. Block then unblock.

As for the device xbox, for a moment I thought it was my old FP3 or wife’s Pixel 6 but no. It’s an Nvidia Shield TV doing those requests. I think it has some xbox package or widget which cannot be removed. I should move it to a different VLAN…

As for AGPS, Martijn Braam is correct. Great post by him.

Nitro produce nothing themselves, all they do is rebadge and merch fluff. Fuck them.

If you want to mitm the request to read or modify it you could set up a fake cell tower and run mitmproxy or burpsuite. Because it’s unencrypted everything should be there. Including user agent. But I feel like I read on this before. I’m curious which HTTP client they use. I hope curl. Also which OS is running on it? Minix?

1 Like

Thanks for that. It’s a shame that Nitrokey gets that attention by just throwing out a few evil words (like spying and Google) without really explaining anything… so well done marketing, Nitro.

3 Likes

This is not news, also see this thread in 2020(!):

Also it should be known that mobile radio components usually run as autonomous systems inside the phone with their own CPU and firmware.

1 Like

Did that, too: And I only found some entries from my tablet: It’s a Lenovo TB-X605L with a Qualcomm Snapdragon 429 processor. My FP4 is not in the list, at least not in 2023. The entries I found are from February this year and only from then.
In 2022 I also found entries in the pi-hole logs from my old LG V30 running on some AOSP/LineageOS ROM.

IZAT/XTRA was supposed to be no longer included in the FP3 LOS for quite some time (see proprietary-files.txt · Gerrit Code Review (lineageos.org)). Nevertheless, in the current LOS20, vendor/etc/izat.conf and vendor/bin/xtra-daemon are included, although without any libs or apks (see android_device_fairphone_FP3/proprietary-files.txt at lineage-20 · LineageOS/android_device_fairphone_FP3 · GitHub).

@TeamB58: Why not remove these two residuals? xtra-daemon appears to link up with izatcloud.net: GitHub - fogfon/xtra-daemon: Research on Qualcomm xtra-daemon cause of privacy leaks and HowTo remove it.

1 Like

For those who are interested in a less detailed technical summary…

Edit: as explained below by SkewedZeppelin, it seems to be difficult and not all is correct in this response to Nitro either… So my takeaway: don’t believe everything right away, it’s most times not that easy black and white. I will still leave the info here, and for more of the in-depth technical details read here
https://divestos.org/misc/gnss.txt

3 Likes

@yvmuell
that link and my original post is not correct: https://divestos.org/misc/gnss.txt

Not correct, because? I have seen your write-up and for me it’s too technical, I don’t understand a word, and the blog I linked is for me sufficient to understand that my first gut feeling about this Nitro bla bla was correct, so I thought it’s the noob version…

I appreciate your in-depth knowledge and linked it because of people like me with less knowledge.

1 Like

So the original blog post is still wrong because it conflates IZAT NLP and PSDS and strings together multiple unrelated things.

I was originally incorrect because I thought PSDS on Qualcomm didn’t contain any personal/device info: it actually does have serial.

I originally agreed with Braam, but they’re also incorrect in the same regard as I was.

xtra-daemon function for setting User-Agent of the PSDS requests:

6 Likes

I have an answer to my ticket. I’ll quote the important part:

That’s definitely important news, thank you so much for the heads up and for opening a thread in our Forum. I’m sure my colleagues will read the thread (if they haven’t already), they always keep an eye on such important input on the Forum and on specialized news websites.

In the meanwhile, I will make sure to forward this news internally so that they are aware of it and hopefully fix it.

7 Likes

Here is what Gael Duval of /e/ has to say about it

3 Likes

@Ingo

To quote what he said:

Connections to izatcloud.net
Those calls are triggered by some Qualcomm GPS chipsets to improve the GPS location service. The service in question is called A/GPS and is using the SUPL protocol. More information at:

This is just wrong, this IZAT request in question is PSDS yet he calls it SUPL which are not the same at all.

There’s a bit of info here that’s relevant.

1 Like