Telemetry, Spyware, list of privacy threats on FP3 Android 9

The relevant sections:

Qualcomm Location periodically sends us a unique software ID, the location of your device (longitude, latitude and altitude, and its uncertainty) and nearby cellular towers and Wi-Fi hotspots, signal strength, and time (collectively, “Location Data”). As with any Internet communication, we also receive the IP address your device uses. We use Location Data, software IDs and IP addresses, and the other data we collect to help us protect, evaluate, and improve the performance of our systems.

To enhance system performance your software ID and IP address are associated with your Location Data for thirty days from receipt after which time it is permanently deleted. After removing IP addresses and software IDs, we aggregate the Location Data to create an anonymous database regarding the locations of cellular towers and WiFi access points.

So in short, Qualcomm tracks where every single Fairphone user (or other user with Qualcomm hardware) has been in the last 30 days. They also record the location of all Wi-Fi networks and cellphone towers encountered within radio range to make a detailed map. And they log all IP addresses one had during that timespan.

Although Qualcomm does not “identify” these users, identification would be trivial for any 3rd party who either knows

  • Who owned any of the involved IP address during any moment in the last 30 days that has been logged
  • The location of the involved person during a sufficient subset of the location history to profile and statistically match (for example both home and work location, both of which might be public)

Assuming I do not agree to this data collection and storage, who do I need to send a DSGVO letter? I don’t remember agreeing to Qualcomm’s privacy policy directly. I think the phone only showed me Google’s privacy policy on first boot/setup.

Where’s the mandatory opt-in / opt-out? The Qualcomm page only mentions opt-in/out for the QTR Statistics, not Location.

5 Likes
$  host xtrapath1.izatcloud.net
xtrapath1.izatcloud.net is an alias for xtrapath1.qcomgeo2.com.
xtrapath1.qcomgeo2.com is an alias for xp1.gpsonextra.net.
xp1.gpsonextra.net is an alias for d3w2id5zlqvvik.cloudfront.net.
d3w2id5zlqvvik.cloudfront.net has address 13.35.253.48
d3w2id5zlqvvik.cloudfront.net has address 13.35.253.85
d3w2id5zlqvvik.cloudfront.net has address 13.35.253.81
d3w2id5zlqvvik.cloudfront.net has address 13.35.253.126

I don’t see any traffic to any of these hosts or IP addresses from my FP3. (I have disabled some services via ADB though.)

Cloudfront, like many content delivery networks, resolves to different random IPs depending on your ISP and carrier you use and where in the world you ask, as well as the time of day, moon phase, and number of other users in your area. When I just did the same check on my cable ISP, I got

d3w2id5zlqvvik.cloudfront.net. 45 IN A 143.204.101.22
d3w2id5zlqvvik.cloudfront.net. 45 IN A 143.204.101.49
d3w2id5zlqvvik.cloudfront.net. 45 IN A 143.204.101.101
d3w2id5zlqvvik.cloudfront.net. 45 IN A 143.204.101.102

I did the same again on my Fairphone, connected to mobile data and got instead

d3w2id5zlqvvik.cloudfront.net. 45 IN A 99.86.243.102
d3w2id5zlqvvik.cloudfront.net. 45 IN A 99.86.243.57
d3w2id5zlqvvik.cloudfront.net. 45 IN A 99.86.243.128
d3w2id5zlqvvik.cloudfront.net. 45 IN A 99.86.243.32

The GPS daemon service on my Fairphone tried to connect to yet another set of IPs, which are

13.224.196.116
52.222.169.135
52.222.169.178
13.224.196.35
13.224.196.125
13.224.196.68
13.224.196.83

and several dozen more, all of which have in common that they belong to Amazon-registered IP ranges and reverse-resolve to server-[IP]-[location].cloudfront.net

An IP-based blocklist wouldn’t cut it here; you’d have to block all IP blocks assigned to Cloudflare. Aside from the problem of finding all of those, it would also break any other services and webpages which use cloudfront for content delivery - which, as Russia found out the hard way when they tried to block Telegram, breaks a good portion of the Internet, as all major webpages use content delivery networks these days, either to speed up the service or as DDoS mitigation, and Cloudflare is one of the biggest of those.

To inhibit these accesses, you can’t block traffic by destination IP; you’d have to instead block DNS requests that resolve the target domain to the Cloudflare IP, or block based on the app/user ID (which unfortunately only works locally on the device). Unfortunately Fairphone, like all Android phones, is hardcoded to use 8.8.8.8 as a DNS server instead of your own, and with the advent of DoT (DNS over TLS), it becomes exceedingly difficult to intercept these.

1 Like

You can put “private DNS” off.

DoT generally runs on 853, making it easy to contain. A bigger issue is DoH, but that is also the purpose.

The box I use to sniff the traffic is using the same resolver as the FP3.

I’ve used several regexps to ensure I was catching the traffic, including src IP and port 80, and then checking the headers.

Since it is HTTP it is plaintext. The only HTTP requests coming from my FP3 are weather API requests. I’m not yet sure which application is sending those over HTTP instead of HTTPS but ultimately it does not matter, as regardless of connectivity the connection between my FP3 is secured with a VPN to my home network.

I checked my logs. The last two times I had “GPS service” attempt a connection was on Dec. 2 between 1:01 and 1:04 am and then on Dec. 3 between 1:40 to 2:42 am with roughly 1 attempt every 10 minutes. No attempts since.

app is called “GPS daemon” (android.gps) - user ID 1021
Clicking on the “app info” button opens the system settings app which then - crashes

the app does not show up in the app list in settings

it also does not show up in adb shell with “pm list packages”

it seems to be installed in a hidden way and only active sporadically. so far I haven’t been able to get a pcap from it, since it simply didn’t attempt any connections since I enabled the logging :frowning:

I finally managed to get a packet capture. The enigmatic GPS daemon finally decided to contact its masters again last night at 01:52 am. It looks like it indeed tries to get binary (almanac?) data roughly once every 24 hours, preferably past midnight.

capture.pcap (26.6 KB)

Over a time of 10 minutes, it retrieved the same file from multiple servers
GET /xtra3grc.bin HTTP/1.1
from
Host: xtrapath3.izatcloud.net ( binary size 32232 )
Host: xtrapath2.izatcloud.net ( binary size 23498 )
Host: xtrapath3.izatcloud.net ( binary size 32232 ) (same file again?)
Host: xtrapath1.izatcloud.net ( binary size 24347 )

The full request looks like this:

GET /xtra3grc.bin HTTP/1.1
Host: xtrapath3.izatcloud.net 
Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic
x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#
User-Agent: A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/36966/36953/-/3.0/1/W/0

with slight changes in user agent on the 2nd to 4th request:

User-Agent: A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/36969/36956/-/3.0/1/W/0
User-Agent: A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/37287/37274/-/3.0/1/W/0
User-Agent: A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/37287/37274/-/3.0/1/W/0

Interesting is the data revealed in the user agent. A/9 is obviously the OS, Android 9 Pie. Fairphone/FP3/FP3 seems to be manufacturer, model number and board. 35781109 I identified as the first 8 digits of the IMEI - also known as TAC (type allocation code) (this is identical for both SIM card slots)

I could not identify the long number, it is likely some sort of serial number.
It’s safe to assume that Qualcomm deliberately packed a lot of detailed identification data into this user agent string - probably more than enough to identify and track individual users, especially since some of the information is run time information changing between every request.

It’s possible that the 2 changing fields indicate what state information the phone is in. This is speculation, but since the phone did not learn new information by re-downloading the binary from xtrapath3.izatcloud.net, it sent the next GET request with the same identifiers.

I managed to get that pcap on the phone itself by letting WireGuard run over night with packet capturing enabled:


It’s interesting to note that GPS daemon cannot be disabled or uninstalled without rooting the device, since it does not even show in the list of installed applications (pm list packages) or running system services. The only way to prevent this data exchange is to leave wifi and data turned off during the night (or whenever GPS daemon tries to retrieve it) OR to install a firewall on the device that prevents this based on App/UserID.

4 Likes

While we’re on a roll, the elusive “GPS daemon” app runs with user id 1021. So if it’s running we might get some info on the adb shell via:

ps -u 1021 -f
UID            PID  PPID C STIME TTY          TIME CMD
gps            605     1 0 15:36:39 ?     00:00:01 vendor.qti.gnss@1.0-service
gps            728     1 0 15:36:40 ?     00:00:00 mlid
gps            736     1 0 15:36:40 ?     00:00:00 loc_launcher
gps            803   736 0 15:36:40 ?     00:00:01 lowi-server
gps            804   736 0 15:36:40 ?     00:00:00 xtwifi-inet-agent --gtp-wifi BASIC --gtp-modem-cell BASIC --gtp-ap-cell DISABLED --gtp-waa DISABLED
gps            805   736 0 15:36:40 ?     00:00:01 xtwifi-client --gtp-wifi BASIC --gtp-modem-cell BASIC --gtp-ap-cell DISABLED --gtp-waa DISABLED
gps            811   736 0 15:36:40 ?     00:00:00 slim_daemon --sap BASIC
gps            812   736 0 15:36:40 ?     00:00:00 xtra-daemon

user gps has user id 1021. We can get more info via

cat /proc/605/cmdline
/vendor/bin/hw/vendor.qti.gnss@1.0-service

the same reveals
/vendor/bin/mlid
/system/vendor/bin/loc_launcher

the rest is more elusive since no full paths are given in /proc/…/cmdline and a “find /” does not find any of the executables due to restrictive permissions
however, one can find them indirectly
ls -la /vendor/bin/

ls: /vendor/bin//xtwifi-client: Permission denied
ls: /vendor/bin//xtwifi-inet-agent: Permission denied
ls: /vendor/bin//slim_daemon: Permission denied
ls: /vendor/bin//xtra-daemon: Permission denied
and
ls: /system/vendor/bin//lowi-server: Permission denied

It’s hard to tell which one of those is making the HTTP connection. Normally on Android each App runs with its own UID, which allows the firewall to filter and log traffic based on the app. However some UIDs are hardcoded

https://android.googlesource.com/platform/system/core.git/+/master/libcutils/include/private/android_filesystem_config.h

and “GPS daemon” is one of those hardcoded users (user gps) - so this is no app, this is indeed a “daemon” in the linux/unix sense of the word, running native code with elevated privileges. There is no “apk”. This is no “system app”, it’s part of the system.

It’s possible that one of the processes listed is doing these http connections. It’s also possible that this “loc_launcher” - which is obviously capable of launching additional processes is calling yet another program to do it once a night.

Due to the restrictive permissions of all the vendor tools, further reverse engineering would require rooting the device, since:

adb pull /vendor/bin/xtra-daemon
adb: error: failed to stat remote object '/vendor/bin/xtra-daemon': Permission denied

What could be done is hacking NetGuard (or another VPN based firewall app), to insert a trigger function when process 1021 makes any network connection that in turn calls “netstat” to figure out which process is responsible for it (And at the same time run “ps” in a loop from adb shell to get a list of running processes to match to the PID)

But one would still need “root” to access the executable and look into its disassembly to figure out what it does.

3 Likes

You could set in WireGuard to block all connections, except when it is enabled. This ensures you always use WireGuard as VPN. Then on the endpoint, you block port 80 outgoing, or these specific hosts.

People can also block network connection in android.gps, as the only GPS-related thing which needs networking is AGPS, which is optional and just allows a quicker fix.

In the long term, UnifiedNlp is just better and more versatile than Google’s proprietary choice. The amount of backends alone is worth it.

I would love to. Where do you set this?

The main issue is, as a user-installed app in Android 9, it would not run until the user logged in (same issue as with custom keyboard apps and similar). Which means all it needs is a spontaneous reboot while Wifi is on. The phone will remember that Wifi WAS on before rebooting, but would not start the VPN app until after the user unlocked the phone. By then all these background telemetry connections have already taken place.

In some ROMs (MIUI for example) It’s possible to setup a Wifi network in such a way that the phone does not automatically connect to it. This was my workaround on my previous phone, I didn’t allow autoconnect to ANY wifi’s, ensuring that after a reboot I wouldn’t have internet until after I unlocked the phone. However in stock Android, the only way is to manually have it “forget” the network, which of course is not an option if you encounter an unscheduled device reboot.

Settings → Network & Internet → VPN → WireGuard Settings (Icon) → Block connections without VPN (Toggle).

Faraday cage :smiley: I mean, does this occur often? Not on FP3 AFAIK.

1 Like

After some playing around I found a way to force the GPS daemon to make the aforementioned connections.

In Settings -> System -> Extended -> Developer Options -> Service Menu
click Service tests -> Test Single -> GPS -> Purge assistance data
followed by
Service tests -> Test Single -> GPS -> GPS Location Test

this will trigger the GPS daemon to make two connections to a random IPv4 address hosted by Amazon cloud services

  1. udp port 123 (NTP)
  2. tcp port 80 (HTTP)

I have been able to “see” the port 80 connection attempt in netstat, but due to the limited access restrictions in /proc/… I couldn’t find out which PID was responsible for this connection, so - close but no cigar. Needs root.

4 Likes
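The socket table that netstat reads also carries the owning UID and the socket inode, so connections made by user gps (1021) can be picked out even when the PID cannot. An added example, not part of any forum post; the sample table is constructed in /proc/net/tcp format and the function names are this example's own:

```python
import socket
import struct

GPS_UID = 1021  # the "gps" user shown by ps earlier in the thread

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT",
              "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp format (not taken from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20111 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:A1F2 30FD230D:0050 02 00000001:00000000 01:00000064 00000000  1021        0 48213 2 0000000000000000 100 0 0 10 0
   2: 0201A8C0:C350 2200A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 48300 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted IPv4, port).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    a little-endian CPU (assumed here, as on ARM Android) the bytes must be
    reversed. The port is plain big-endian hex.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def sockets_for_uid(table_text, uid):
    """Return the IPv4 TCP sockets owned by `uid` from /proc/net/tcp text."""
    rows = []
    for line in table_text.splitlines()[1:]:      # skip the header line
        cols = line.split()
        if len(cols) < 10 or int(cols[7]) != uid:  # column 7 is the uid
            continue
        ip, port = decode_endpoint(cols[2])        # column 2 is rem_address
        rows.append({
            "remote_ip": ip,
            "remote_port": port,
            "state": TCP_STATES.get(cols[3], cols[3]),
            # Matching this inode to a PID means reading /proc/<pid>/fd,
            # which is the step that fails without root.
            "inode": int(cols[9]),
        })
    return rows


if __name__ == "__main__":
    for row in sockets_for_uid(SAMPLE, GPS_UID):
        print(row)
```

This covers IPv4 only; /proc/net/tcp6 uses the same columns with 128-bit addresses.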

I had only one spontaneous reboot on the FP3 so far that I’m aware of.
But if you worry about your privacy, it doesn’t really matter how often this happens. Once is already once too often; compromised is compromised.

Depends on the impact, and who you consider your adversary.

Our privacy has been impacted already. When I worry about privacy, I leave my (smart)phone at home. Whatever has to remain private isn’t digital. The stakes are too high to depend on technology.

Other people can carry smartphones around. With mics. And spyware. And radios. And cameras. And who knows what else. I cannot decide I don’t get tracked when I leave my house, even if I leave my smartphone at home.

My goal isn’t to win. We can’t. The system is too complex to win. Source code, binaries, huge amounts, super complex. Think of the capabilities you can give an app alone.

My goal is to fight back as well as I can, explore, and document the findings. By sharing our findings, we empower each other to fight back. Thousands of Davids, against the Goliaths. Be it Google, Facebook, or a (hostile) state actor.

2 Likes

Sorry, but I find all these efforts and discussions such a waste of time (pardon me). If this is really an issue for you, you should not use a smartphone or mobile phone at all.

This thread might have derailed a bit towards justifying privacy and possible countermeasures, I apologize. (This very post including).

We should focus on documenting actual privacy threats found in the phone as opposed to hypothetical impacts on different user bases.

IMHO this isn’t just a “waste of time” - far from it. Spying on the user base - which Qualcomm seems to be doing through their preinstalled drivers - without offering an opt-in or even an opt-out and without consent or even informing the user is simply illegal in the countries where the Fairphone 3 is sold. Feel free to look at
https://eur-lex.europa.eu/eli/reg/2016/679/oj and the national implementations for reference.

This is made worse by the fact that Qualcomm is the leading manufacturer of smartphone modems and processors and their exact same drivers can be found not only in the FP3 but in basically any modern smartphone.

For me personally one of the main reasons to buy a Fairphone was the desire to have a phone that I could trust, which wasn’t the case with the cheap Chinese phone I had previously. If you don’t expect any phone, not even a phone built to “fair principles”, to at least abide by the laws protecting its customers, then that is your choice, but don’t dis this thread or other people who might care.

Or are you arguing that the rights of workers in an African Cobalt mine matter, but the rights of the users in Europe should be freely violated? I argue, a “fair” phone should care about both.

3 Likes

You are free to not read it. You are in no position to demand what other people spend their time on. There are quite some people on this forum who value privacy and security. You shall have to live with that fact.

That is one solution. It might be applicable in some situations, however it is a defeatist approach, and in the 21st century people are simply using mobile phones and smartphones.

8 Likes

Allow me to quickly swoop into this conversation with some general remarks that might be of interest.

First of all, thank you, guys, for not only putting in so much effort into this issue, but also for sharing the gained information with everybody who is willing to know more about it. I would like to thank corvuscorax in particular as he seems eager to do the work most of us wouldn’t or simply couldn’t do.

I myself have been a strong supporter of privacy for a long while now, alas my lack of knowledge has always put some restraints to it. Unfortunately, my FP2 recently fell to the “flexing” demon and I was forced to order a new phone. I went for the FP3 for rather obvious reasons (I suppose) and chose to take privacy issues more seriously than before (I was one of the early adopters of the FP2 and had lived with a Google contaminated phone ever since).

Your contributions (in this wiki, but also in other discussions in this forum) have greatly increased my understanding of several privacy concerns, while admittedly reducing hope of creating a somewhat privacy-friendly environment on my phone. The Qualcomm issue in particular seems to send a bit of a devastating message in this regard.

Still, this is the first time ever for me to register to a forum simply to express my appreciation and on behalf of everybody who has been reading along so far without contributing (as I often do), I say kudos and thank you!

6 Likes

Hi,
I do not know if you understand German. I received this from Brussels:
Dear Alexander,

Since the legislative process around the GDPR has been concluded and the group in the European Parliament is new, there is no formal responsibility for the GDPR within the group. Anna asked us whether we could help you, which we are glad to do. I work in the office of Alexandra Geese and, roughly speaking, we look after the digital topics. I previously worked for Jan Philipp Albrecht and for a long time advised on the GDPR as a lawyer. Unfortunately I cannot reply directly in the thread, as I do not have an account there, but you are welcome to pass my comments on to it.

On the legal assessment: under the GDPR, data processing can take place not only on the basis of consent, but also when, for instance, it is necessary for the performance of a contract or when the processor has a “legitimate interest” (Art. 6 GDPR: Verordnung - 2016/679 - EN - Datenschutz Grundverordnung - EUR-Lex). In addition, telecommunications data (traffic data, location data) is affected here (at least in part), to which not the GDPR but the e-Privacy Directive (EUR-Lex - 32002L0058 - DE) applies. This was implemented in each member state through its own laws; in Germany that is the Telecommunications Act, the Telekommunikationsgesetz (https://www.gesetze-im-internet.de/tkg_2004/, in particular §§ 91 ff.).

Anyone can file a GDPR complaint with the data protection authority of their place of residence. In Germany each federal state, and additionally the federal government, has its own data protection authority; in Saxony that is the Sächsische Datenschutzbeauftragte: https://www.saechsdsb.de/. They now have an online form for submitting complaints: Startseite - Sächsische Datenschutz- und Transparenzbeauftragte - sachsen.de. The procedure is not bound to any particular form, which means you can also submit the complaint by e-mail or post. The content is not bound to a form either; the best thing is simply to put together, as you have already done in the thread, what your concern is. If the authority then needs more information, it will get in touch (note that all of this currently takes a very long time, because the authorities are unfortunately still far too poorly equipped and fairly overloaded). Since this case appears to involve an assessment under telecommunications law, you could also file your complaint directly with the Federal Commissioner for Data Protection, who would be responsible in such a case; this office also has an online reporting form: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit ( BfDI ) Interaction Platform. Either way, the authorities otherwise forward the complaint internally to the right place.

I hope this sheds some light on things for now! Please understand that we may not and cannot provide legal advice or anything similar. If you need more detailed clarification, then, as you have already recognized, turning to the data protection authority is definitely the right way to go. Fingers crossed!

Best regards

Jana

Jana Gooth
Legal Policy Advisor

to Alexandra Geese, MEP
European Parliament
Rue Wiertz 60
ASP 08H342
B-1047 Bruxelles

+32 2 283 89 05
@janagooth | www.alexandrageese.eu

7 Likes

Wow, thanks for going that far :slight_smile: this did clear some things up.

I wonder who is at fault here. If you purchase a software license (for example for windows) and accept the EULA, you accepted a contract with that party. The party then has the rights and obligations under DSGVO and e-Privacy-Directive towards you as a contracted party.

But if you purchase a phone, are you ever agreeing to such a contract? Who is the contract partner and legally responsible? Is it Fairphone for selling the phone? Is it Google for making you click on “I accept” on first power on (if so)? Is it Qualcomm?

If it is Qualcomm, based on what contract? I don’t want any services from Qualcomm, I’d happily stop using their stuff and uninstall all their “Qualcomm Mobile Security” software. I wouldn’t even install that myself, the phone came with it as part of the drivers. It was already running when I unpacked it.

I don’t want to file too many complaints without knowing more at this point in time. We should first make sure Fairphone isn’t the one legally responsible for Qualcomm’s wrongdoings.

Can anyone who has recently factory-reset the FP3 tell if there is any notification and/or information about the Qualcomm software that is preinstalled, any contract or software license that one implicitly or explicitly agrees to by turning the thing on? Any EULA, end user agreement or privacy information file mentioning ANY of the Qualcomm features? I can’t remember, but I don’t want to factory reset the phone now just to figure that out.

Fairphone seems to be really busy right now with hardware manufacture and delivery hell and a million support requests because stuff isn’t working as it should (hint: microphone)

I don’t think it would be fair to give them even more of a headache by filing legal complaints because of Qualcomm’s potential spyware now, if the issue might be addressed soon by an option to root the phone and get rid of the crap and/or a ROM that doesn’t have this stuff. Then again, it might be Qualcomm’s proprietary drivers which could be the main hold-back from releasing the kernel source so far.

Fairphone might be trapped between the fire and a hot place, by being legally responsible for the effects on end-user-privacy of shipping phones with Qualcomm’s spyware, while at the same time being contractually bound to them (without Qualcomm drivers, the phone would not boot) the only short-term possible solution might be to stop shipping Fairphones, and that’s not something I would want to have enforced before all cards and options are on the table.

We should maybe contact someone @Fairphone regarding this before bringing it to the attention of authorities (even though we probably could).

So going forward:

  1. A 2nd pcap would be helpful. Can anyone with a Fairphone 3 make a traffic log of the gps daemon calling “home” and record the “User-Agent” identifier. If this identifier is unique to each phone, it allows tracking each device. If it’s not and only identifies the phone as a Fairphone (and maybe the software version) this would be a whole lot less problematic.

  2. Who could we best contact at Fairphone to tell us what the contractual base is for software use of Qualcomm products on the phone by the end-user, how an end user can withdraw from any such contract and uninstall the Qualcomm software products, if and what alternatives are /will be/ available and when, etc.
    At the intersection of “highly technical” and “legally relevant” this isn’t something the typical support clerk is ready or capable of answering, and it would be better to have a good answer than a quick one.

3 Likes
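The comparison asked for in step 1 above, applied to the User-Agent strings posted earlier in the thread (an added example, not part of any forum post). The second device's strings are constructed placeholders, not capture data, and the function and label names are this example's own; fields that stay constant on one phone but differ between phones are the ones that would allow per-device tracking.

```python
# User-Agent values from the four requests of one FP3, as posted in the thread.
DEVICE_A = [
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/36966/36953/-/3.0/1/W/0",
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/36969/36956/-/3.0/1/W/0",
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/37287/37274/-/3.0/1/W/0",
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l3557659004810866045/35781109/+111575957/-+262|01+262|03/Fairphone/37287/37274/-/3.0/1/W/0",
]

# CONSTRUCTED placeholder for a second FP3 (stand-in for the "2nd pcap").
DEVICE_B = [
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l0000000000000000001/35781109/+000000001/-+262|01+262|03/Fairphone/100/90/-/3.0/1/W/0",
    "A/9/Fairphone/FP3/FP3/unknown/QCX3/l0000000000000000001/35781109/+000000001/-+262|01+262|03/Fairphone/105/95/-/3.0/1/W/0",
]

# Field meanings as identified in the thread; all other positions are unknown.
KNOWN = {0: "OS", 1: "OS version", 2: "manufacturer", 3: "model",
         4: "board", 8: "TAC (first 8 IMEI digits)"}

VARIES = "varies per request"
PER_DEVICE = "constant per device, differs between devices"
SHARED = "identical everywhere"


def classify_fields(captures):
    """Classify each '/'-separated User-Agent field.

    `captures` maps a device label to the list of User-Agent strings seen
    from that device. Returns {field index: VARIES | PER_DEVICE | SHARED}.
    """
    split = {dev: [ua.split("/") for ua in uas] for dev, uas in captures.items()}
    widths = {len(row) for rows in split.values() for row in rows}
    if len(widths) != 1:
        raise ValueError("User-Agent strings have differing field counts")
    result = {}
    for i in range(widths.pop()):
        seen = {dev: {row[i] for row in rows} for dev, rows in split.items()}
        if any(len(vals) > 1 for vals in seen.values()):
            result[i] = VARIES          # run-time state, changes on one phone
        elif len({next(iter(vals)) for vals in seen.values()}) > 1:
            result[i] = PER_DEVICE      # stable on a phone, unique across phones
        else:
            result[i] = SHARED          # same value on every phone compared
    return result


def fields_with(result, label):
    """Sorted field indices carrying the given classification."""
    return sorted(i for i, cls in result.items() if cls == label)


if __name__ == "__main__":
    result = classify_fields({"fp3-thread": DEVICE_A, "fp3-constructed": DEVICE_B})
    sample = DEVICE_A[0].split("/")
    for i, cls in result.items():
        print(f"{i:2d} {sample[i]:<22} {KNOWN.get(i, '?'):<26} {cls}")
```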

Been reading this thread since the beginning, never bothered to sign up until now as this discussion revealed some disturbing information to me. And yes, I’m also someone who’s getting more and more concerned about our privacy when using online devices…

I’ve reset my device 10 minutes ago.
The only Accept I had to give was for Google services…

No message was displayed about any other service which might send PII back to 3rd parties.

6 Likes