English

Telemetry, Spyware, list of privacy threats on FP3 Android 9

Tags: #<Tag:0x00007f05da3d0c98>

Allow me to quickly swoop into this conversation with some general remarks that might be of interest.

First of all, thank you, guys, for not only putting in so much effort into this issue, but also for sharing the gained information with everybody who is willing to know more about it. I would like to thank corvuscorax in particular as he seems eager to do the work most of us wouldn’t or simply couldn’t do.

I myself have been a strong supporter of privacy for a long while now, alas my lack of knwowledge has always put some restraints to it. Unfortunately, my FP2 recently fell to the “flexing” demon and I was forced to order a new phone. I went for the FP3 for rather obvious reasons (I suppose) and chose to take privacy issues more seriously than before (I was one of the early adopters of the FP2 and had lived with a Google contaminated phone ever since).

Your contributions (in this wiki, but also in other discussions in this forum) have greatly increased my understanding of several privacy concerns, while admittedly reducing hope of creating a somewhat privacy-friendly environment on my phone. The Qualcomm issue in particular seems to send a bit of a devastating message in this regard.

Still, this is the first time ever for me to register to a forum simply to express my appreciation and on behalf of everybody who has been reading along so far without contributing (as I often do), I say kudos and thank you!

6 Likes

Hi,
I do not know if you understand German. I received this from Bussels:
Lieber Alexander,

da das Gesetzgebungsverfahren rund um die DSGVO abgeschlossen und die Fraktion im Europäischen Parlament neu ist, gibt es keine formelle Zuständigkeit innerhalb der Fraktion für die DSGVO. Anna hat uns gefragt, ob wir dir weiterhelfen können, was wir gerne machen. Ich bin Mitarbeiterin im Büro von Alexandra Geese und wir betreuen, grob gesagt, die Digitalthemen. Ich habe vormals bei Jan Philipp Albrecht gearbeitet und war lange Zeit anwaltlich beratend zur DSGVO tätig. Ich kann leider nicht direkt im Thread antworten, da ich dort keinen Account habe, aber du kannst meine Anmerkung gerne dahin weitergeben.

Zur rechtlichen Bewertung: Eine Datenverarbeitung kann unter der DSGVO nicht nur nach einer Einwilligung geschehen, sondern auch, wenn sie etwa nötig ist zur Durchführung eines Vertragsverhältnisses oder ein “berechtigtes Interesse” des Verarbeitenden besteht (Art. 6 DSGVO: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679). Zudem sind hier (zumindest zum Teil) Telekommunikationsdaten betroffen (Verkehrsdaten, Standortdaten), auf die nicht die DSGVO, sondern die e-Privacy-Richtlinie (https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32002L0058&from=EN) anwendbar ist. Diese wurde in jedem Mitgliedsstaat durch eigene Gesetze umgesetzt; in Deutschland ist das das Telekommunikationsgesetz (https://www.gesetze-im-internet.de/tkg_2004/, insbesondere §§ 91 ff.).

Eine DSGVO-Beschwerde kann jede*r bei der Datenschutzbehörde ihres/seines Wohnortes einreichen. In Deutschland hat jedes Bundesland sowie zusätzlich der Bund eine eigene Datenschutzbehörde; in Sachsen ist das der Sächsische Datenschutzbeauftrage: https://www.saechsdsb.de/. Die haben mittlerweile ein Online-Formular zum Eingeben von Beschwerden: https://www.saechsdsb.de/petition. Das Verfahren ist nicht formgebunden, das heißt du kannst die Beschwerde auch per E-Mail oder Post eingeben. Auch der Inhalt ist nicht formgebunden; am besten trägst du einfach - so wie ihr es im Thread ja auch gemacht habt - zusammen, worum es euch geht. Sollte die Behörde dann noch mehr Informationen brauchen, meldet sie sich (beachte, dass das aktuell alles sehr lange dauert, weil die Behörden leider nach wie vor viel zu schlecht ausgestattet und ziemlich überlastet sind). Da es sich in diesem Fall um eine Bewertung nach dem Telekommunikationsrecht zu handeln scheint, könntest du deine Beschwerde auch direkt beim Bundesdatenschutzbeauftragten einreichen, der in einem solchen Fall zuständig wäre; auch dieser hat ein Online-Meldeformular: https://www.bfdi.bund.de/DE/Service/Beschwerden/beschwerden_node.html. So oder so leiten die Behörden ansonsten intern die Beschwerde an die richtige Stelle weiter.

Ich hoffe das bringt erstmal etwas Licht ins Dunkel! Bitte verstehe, dass wir keine Rechtsberatung oder ähnliches vornehmen dürfen oder können. Wenn ihr detaillierteren Klärungsbedarf habt, ist es, wie ihr schon erkannt habt, definitiv der richtige Weg, sich an die Datenschutzbehörde zu wenden. Toi toi toi!

Beste Grüße

Jana

Jana Gooth
Legal Policy Advisor

to Alexandra Geese, MEP
European Parliament
Rue Wiertz 60
ASP 08H342
B-1047 Bruxelles

+32 2 283 89 05
@janagooth | www.alexandrageese.eu

6 Likes

Wow, thanks for going that far :slight_smile: this did clear some things up.

I wonder who is at fault here. If you purchase a software license (for example for windows) and accept the EULA, you accepted a contract with that party. The party then has the rights and obligations under DSGVO and e-Privacy-Directive towards you as a contracted party.

But if you purchase a phone, are you ever agreeing to such a contract? Who is the contract partner and legally responsible? Is it Fairphone for selling the phone? Is it Google for making you click on “I accept” on first power on (if so)? Is it Qualcomm?

If it is Qualcomm, based on what contract? I don’t want any services from Qualcomm, I’d happily stop using their stuff and uninstall all their “Qualcomm Mobile Security” software. I wouldn’t even install that myself, the phone came with it as part of the drivers. It was already running when I unpacked it.

I don’t want to file too many complaints without knowing more at this point in time. We should first make sure Fairphone isn’t the one legally responsible for Qualcomm’s wrongdoings.

Can anyone who has recently factory-reset the FP3 tell if there is any notification and/or information about the Qualcomm software that is preinstalled, any contract or software license that one implicitly or explicitly agrees by turning the thing on? Any EULA , end user agreement or privacy information file mentioning ANY of the Qualcomm features? I can’t remember, but I don’t want to factory reset the phone now just to figure that out.

Fairphone seems to be really busy right now with hardware manufacture and delivery hell and a million support requests because stuff isn’t working as it should (hint: microphone )

I don’t think it would be fair to give them even more of a headache by filing legal complaints because of Qualcomm’s potential spyware now, if the issue might be addressed soon by an option to root the phone and get rid of the crap and/or a ROM that doesn’t have this stuff. Then again, it might be Qualcomm’s proprietary drivers which could be the main hold-back from releasing the kernel source so far.

Fairphone might be trapped between the fire and a hot place, by being legally responsible for the effects on end-user-privacy of shipping phones with Qualcomm’s spyware, while at the same time being contractually bound to them (without Qualcomm drivers, the phone would not boot) the only short-term possible solution might be to stop shipping Fairphones, and that’s not something I would want to have enforced before all cards and options are on the table.

We might should contact someone @Fairphone regarding this, before bringing it to the attention of authorities (even though we probably could)

So going forward:

  1. A 2nd pcap would be helpful. Can anyone with a Fairphone 3 make a traffic log of the gps daemon calling “home” and record the “User-Agent” identifier. If this identifier is unique to each phone, it allows tracking each device. If it’s not and only identifies the phone as a Fairphone (and maybe the software version) this would be a whole lot less problematic.

  2. Who could we best contact at Fairphone to tell us what the contractual base is for software use of Qualcomm products on the Phone by the end-user, how an end user can withdraw from any such contract and uninstall the qualcomm software products, if and what alternatives are /will be/ available and when, etc.
    At the intersection of “highly technical” and “legally relevant” this isn’t something the typical support clerk is ready or capable of answering, and it would be better to have a good answer than a quick one.

2 Likes

Been reading this thread since the beginning, never bothered to sign up until now as this discussion revealed some disturbing information to me. And yes, I’m also someone who’s getting more and more concerned about our privacy when using online devices…

I’ve reset my device 10 minutes ago.
The only Accept I had to give was for Google services…

No message was displayed about any other service which might send PII back to 3rd parties.

5 Likes

Thanks for confirming that. And welcome to the forum, great first post :slight_smile:

1 Like

Is there any way to skip this step? I will receive my FP3 today or tomorrow and don’t agree with Google Services.

1 Like

I don’t know.
You definitely have to accept in order to make a google account and use the google app store. However the app-store technically isn’t necessary, since you can activate developer mode in settings and install F-Droid using adb - then get everything you need from there. However on first start, a “greater” app gets started which helps the user through the setup process (including selecting a google account) and I am not sure if you can bypass it or not. I’d have to do a factory reset to check, and right now I have too many customisations on my FP3 which would take hours to redo.
Since you’re receiving your phone anyway, can you try to bypass the greeter and tell us if/how this works, or where you get stuck ?

Edit: I think, at least some steps in the greeter app have a “skip” button. But even if the greeter app has no way to “quit” it before completion, it might be possible to pull down the quick-menu bar from the top, then enter settings from there and force kill (and later uninstall) the greeter, thus bypassing any agreements and account creations. But I haven’t tried, this is only a theory.

2 Likes

Yep, I will do everything I can to bypass it. I do not intend to use any Google Services, but would install F-Droid right away anyways.

You can also download it using the browser (I assume Chrome is preinstalled? :unamused:) and install the APK locally, right?

By default, the installed Chrome version is not yet updated and therefore likely vulnerable.

It is recommended to download the APK using a secure, latest version of Firefox (or Safari, Edge, Chrome, or curl) and then transfer it via ideally USB.

This is both in advantage to your privacy (in Firefox, disable telemetry) and to security.

Is there any way to skip this step?

Yes, it’s possible.

1 Like

did you need to do anything fancy (settings/force kill) or simply press the “skip” button?

Just press the “Skip” button

it would be interesting to find out which apps/components phone home even despite the user having skipped/declined the agreements. There shouldn’t be any, as that’d be most likely illegal, but I have a hunch at least the Qualcomm stuff and most likely also many gapps will contact their servers when given the chance.

I’ve reset my device, accepted the Google EULA and that’s it. I did not configure an account or added any other apps. Just factory default settings.
I also did not use the FP3 for a week. it was just lying there on my desk without SIM card
I now have a week of FortiGate logs to analyse…
There are a lot of calls going out (2259 calls and about 280MB on data), most of them towards google domains but also some undefined IP addresses which I still need to verify

I’ll see if I can setup a new test when refusing Google EULA

3 Likes

It is not possible to refuse Google privacy agreement. You cannot pull down the notification bar. I also tried in safe mode, but it didn’t work.

4 Likes

Lol the moderator has deleted my reply. 280MB in one week is not acceptasble. The Flatrate from aldi talk is only eaten by the phone itself!!!:

https://www.alditalk.de/jahrespaket

what is talking home? what data is collected for 280mb/week???

To give you an idea…
Here’s an excerpt from today’s log

1 Like

It seems external firewalls are pretty useless to analyze what an Android phone is talking “home” for several reasons:

  1. An external firewall can only see the port a connection is originating from, not which app/program is making the connection
  2. An external firewall can only see the IP address a connection is made to, not the domain (unless using deep packet inspection)
  3. Most “telemetry services” are using the very same content delivery networks the majority of webpages are using such as Amazon AWS, Cloudflare, Microsoft Azure and Google Cloud, to name the probably largest ones. That leads to several effects which make it almost impossible to block these accesses:
    • each service uses very large, distributed pool of IP addresses, which can change or be extended daily and there’s no reliable complete lists
    • each of these IP addresses are also used by a large number of legitimate internet connections, such as chat apps, games, etc… and blocking them would cause massive colateral damage
    • the majority of these connections is encrypted using TLS/HTTPS.

Using deep packet inspection, it is be possible to identify the domain names used in each access and prevent the connections, as these are transferred unencrypted in some TLS requests to allow the server to chose the appropriate certificate, but that reqires advanced firewalls, especially if these connections are to be reliably blocked without also blocking legitimate connections to the same hosts on a per-connection base
The easier option, although potentially less secure is IMHO a local firewall solution on the device. This can identify or at least narrow down which app or service is responsible for an outgoing network connection.
Without rooting the device, the best options are VVPN (virtual VPN) apps, which pretend to provide internet access through a VPN - which is routed only through a local loopback connection (VPN server and client both run on the android device)
One such option is NetGuard, which is available in both Google Appstore, Fdroid and directly from Github. https://github.com/M66B/NetGuard
Another option are genuine VPN services, preferably with a VPN server under one’s own control.
A rooted phone would of course offer more possibilities.

Just to be sure, it might make sense to use an external firewall on top of the local one, to find out if there are any apps/services capable in bypassing a local firewall and routing rules. Since some of the suspect system services have root privileges, this is theoretically possible and probably should be checked.

1 Like

@Linus I would suggest to install a local firewall such as Netguard to identify which app is responsible for creating that much traffic, and to block such if necessary.
On my phone I never had that much, but I also did some configuration changes such as disabling automatic app updates in the google appstore and disable media downloads when on cellphone-data in some apps such as messengers.
In the default installation the appstore will auto-download and install any app updates, which depending on the apps installed and affected can easily be in the hundreds of megabytes. I am not sure if it will do that over cellphone-data by default or not, but it might be worth checking.

1 Like

By default, the Play Store downloads app updates via Wi-Fi only. So no worries here. I have no idea whether alternative app stores act differently in that respect, because I do not use any.