Yes, and then sending such old and misleading infos around makes sense, suddenly.
Control plane isn’t clearly defined (and I was talking about the baseband part of the software). You’re also mixing up (A-)GNSS and (A-)GPS while you don’t define the latter.
So they invented the wheel by programming their own HTTP client in C?
More interesting, is that the UserAgent you mentioned is sent via plaintext. This contains the values brand name, board name, model name, manufacturer name, and the ‘build version release’ (not sure of what? the OS?). Now, @amoun yes you can argue a UserAgent string is needed for the web to function properly. But if you’re going to argue all this information is needed for the device to function properly (LOL), then no. We can test this by just trying to download the almanac from within the browser. Oh, lets see if it works. Yes, it does. So with just a normal and simple HTTP request (over plaintext, sadly) from a normal browser (in my case, Firefox on macOS but you can use whatever including curl) you get the data. So how exactly is the PII we sent them required to function? It does not, its a GDPR violation. There is no way the user accepted this when they received their device and started using Android. So, @KurtF, it is rather UNLIKELY this falls under any kind of exemption because the data they gather is not required for them to function, and furthermore is sent over plaintext. With regards to the latter: if you are on a hotel WiFi they now have this information as well, if you are on a hostile mobile network (hello SS7) they have it as well. What for? Why would you want everyone in the world to know these details?
3 Likes
I’ve replaced the A-GPS reference with A-GNSS as it should’ve been.
Control plane isn’t what is in question here over the past few days.
SUPL and PSDS and any NLP are NOT control plane.
Furthermore PSDS requests for Qualcomm via XTRA should be HTTPS.
However many older devices pre-2018 are not.
Any aftermarket systems supporting such devices should take the time to fix the URL in the configs, as my DivestOS has done for years now.
3 Likes
No not the device, the service they deem 'important 
ComputerBase hat eine Antwort von Qualcomm:
Standort-Dienst: Qualcomm widerspricht Vorwürfen der Datensammlung
5 Likes
… and Nitrokey’s website is down. Boy, that escalated quickly!
Even The Register had an article about it.
Website is back and they corrected their post a little bit.
… and off again 5 mins later 
True experts …
2 Likes
The attack on the Nitrokey website could be interpreted as meaning that the article is right and somebody is trying to prevent dissemination.
As for true experts - if you didn’t think you could be a target of a DDoS attack, you can’t repel it with the means you have. I couldn’t, either. You need to migrate your site to a service that is able to survive a DDoS attack. For that, you have to contract them. Could take some time, especially on a weekend.
Unless it´s proven that it was an DDoS attack I rather suspect it was caused (once again?) by incompetence 
3 Likes
The attack on the Nitrokey website could be interpreted as meaning that the article is right and somebody is trying to prevent dissemination.
Please, no conspiracy BS.
As for true experts - if you didn’t think you could be a target of a DDoS attack, you can’t repel it with the means you have. I couldn’t, either. You need to migrate your site to a service that is able to survive a DDoS attack. For that, you have to contract them. Could take some time, especially on a weekend.
Really easy in 2023: get a CDN like Cloudflare, a new IPv4, and update the DNS records.
1 Like
Has anybody tried AFWall+ to stop the phone sending data to qualcomm servers yet? On my FP3, I’ve blocked the following services listed in AFWall+ at #1001: com.qualcomm.qti.telephonyservice
com.qti.qualcomm.datastatusnotification
com.qualcomm.qcrilmsgtunnel
Not a security guy, I tend to belive what a renowned German security consultant and hacker has to say about it (from his blog, Google translation with minor correction):
Nitrokey spreads that the Qualcomm chipset uploads your private data to the cloud.
This is nonsense. The cloud contact from the Qualcomm chipset is downloading the GPS almanac. GPS works by satellites sending signals and you can then calculate your position when you see the signals and know where the satellites just were. There is a timestamp in the signal so you can see how long the signal was on the go. Now all you need to know is where the satellites are, and since their orbits are constantly being corrected, this isn’t static data. The positions are in a so-called almanac, and Qualcomm downloads it from the cloud every two weeks or so.
One can criticize the fact that this is done via HTTP. But what Nitrokey spreads here crosses the line of grotesque incompetence and looks to me like willful deception.
Nitrokey verbreitet, dass der Qualcomm-Chipsatz deine privaten Daten in die Cloud hochlädt.
Das ist Blödsinn. Der Cloud-Kontakt von dem Qualcomm-Chipsatz ist das Runterladen des GPS-Almanachs. GPS funktioniert so, dass Satelliten Signale schicken, und du kannst dann deine Position ausrechnen, wenn du die Signale siehst, und weißt, wo die Satelliten gerade waren. Im Signal ist ein Timestamp, mit dem du sehen kannst, wie lange das Signal unterwegs war. Jetzt musst du nur noch wissen, wo die Satelliten sind, und da deren Laufbahnen ständig nachkorrigiert werden, sind das keine statischen Daten. Die Positionen stehen in einem sogenannten Almanach, und den lädt Qualcomm halt alle zwei Wochen oder so aus der Cloud nach.
Dass das über HTTP geht, kann man kritisieren. Aber was Nitrokey hier verbreitet überschreitet die Grenze der grotesken Inkompetenz und sieht für mich nach mutwilliger Irreführung aus.
7 Likes
Again to be completely clear, the Qualcomm xtra-daemon DOES send unique device serial numbers in the PSDS requests.
So yes, the Nitrokey article had issues, but so do all these blog posts saying opposite.
7 Likes
I wonder how that works. Somehow it has to come from the firmware of the hardware with the software back to layer 4, i.e. the software interface for data transmission in the OS, in order to send the data to layer 3 there. That’s crazy… I don’t think it’s good at all when manufacturers do something like that and I think it’s even more stupid when they think that nobody will notice in the long run.
Just on the depressing side, to keep those fears alive
Taipei, Taiwan – Chinese authorities monitor the phones of ethnic minority Uighurs for the presence of 50,000 known multimedia files that are used to flag what Beijing views as extremism with possession of the Quran enough to trigger a police interrogation, according to a forensic investigation by Human Rights Watch (HRW).
Has anybody tried AFWall+ to prevent the phone from sending data to qualcomm servers yet? On my FP3, I’ve blocked the following services listed in AFWall+ at #1001:
com.qualcomm.qti.telephonyservice
com.qti.qualcomm.datastatusnotification
com.qualcomm.qcrilmsgtunnel
Surely not alone with this. He and his blog rockz
It´s the defined start page of all my devices. Fast, fluent, without any ads, tracking or bling-bling-hipster stuff in it. Just plain-vanilla
I wish more sites would be like this. The last domain of feeling how the internet was in the 90ies before commercials & companies devoured & infected our web with all that crap