Telemetry, Spyware, list of privacy threats on FP3 Android 9

To give you an idea…
Here’s an excerpt from today’s log

1 Like

It seems external firewalls are pretty useless to analyze what an Android phone is talking “home” for several reasons:

  1. An external firewall can only see the port a connection is originating from, not which app/program is making the connection
  2. An external firewall can only see the IP address a connection is made to, not the domain (unless using deep packet inspection)
  3. Most “telemetry services” are using the very same content delivery networks the majority of webpages are using such as Amazon AWS, Cloudflare, Microsoft Azure and Google Cloud, to name the probably largest ones. That leads to several effects which make it almost impossible to block these accesses:
    • each service uses a very large, distributed pool of IP addresses, which can change or be extended daily, and there are no reliable complete lists
    • each of these IP addresses is also used by a large number of legitimate internet connections, such as chat apps, games, etc… and blocking them would cause massive collateral damage
    • the majority of these connections is encrypted using TLS/HTTPS.

Using deep packet inspection, it is possible to identify the domain names used in each access and prevent the connections, as these are transferred unencrypted in some TLS requests to allow the server to choose the appropriate certificate, but that requires advanced firewalls, especially if these connections are to be reliably blocked without also blocking legitimate connections to the same hosts on a per-connection basis.
The easier option, although potentially less secure, is IMHO a local firewall solution on the device. This can identify or at least narrow down which app or service is responsible for an outgoing network connection.
Without rooting the device, the best options are VVPN (virtual VPN) apps, which pretend to provide internet access through a VPN - which is routed only through a local loopback connection (VPN server and client both run on the Android device).
One such option is NetGuard, which is available in Google Appstore, F-Droid and directly from GitHub. https://github.com/M66B/NetGuard
Another option is genuine VPN services, preferably with a VPN server under one’s own control.
A rooted phone would of course offer more possibilities.

Just to be sure, it might make sense to use an external firewall on top of the local one, to find out if there are any apps/services capable of bypassing a local firewall and routing rules. Since some of the suspect system services have root privileges, this is theoretically possible and probably should be checked.

1 Like
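
The deep-packet-inspection remark in the post above rests on the TLS ClientHello carrying the server name (SNI) in cleartext. As an added illustration, not part of the original thread, this Python sketch extracts that name from a captured record the way a monitoring firewall would; `extract_sni`, `build_client_hello` and the host name `telemetry.example.com` are constructed for the example.

```python
import struct

def extract_sni(record: bytes):
    """Return the host name from the SNI extension of a TLS ClientHello, or None."""
    # Record header: content type 0x16 (handshake), version (2), length (2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    if len(body) < 4 or body[0] != 0x01:       # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                           # handshake header, version, random
    try:
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]     # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:                  # server_name extension
                # list length (2), name type (1, 0 = host_name), name length (2)
                name_type, name_len = struct.unpack_from("!BH", body, pos + 2)
                name = body[pos + 5:pos + 5 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                return None
            pos += ext_len                     # skip extensions we do not need
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                   # truncated or malformed hello
    return None

def build_client_hello(hostname=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    exts = struct.pack("!HHHH", 0x000A, 4, 2, 0x001D)   # supported_groups: x25519
    if hostname:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        exts += struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(extract_sni(build_client_hello("telemetry.example.com")))
```

The parser expects the whole ClientHello in one record; with Encrypted Client Hello the visible name is only the provider's public name, so the result narrows down a connection rather than proving its destination.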

@Linus I would suggest to install a local firewall such as NetGuard to identify which app is responsible for creating that much traffic, and to block such if necessary.
On my phone I never had that much, but I also did some configuration changes such as disabling automatic app updates in the google appstore and disabling media downloads when on cellphone-data in some apps such as messengers.
In the default installation the appstore will auto-download and install any app updates, which depending on the apps installed and affected can easily be in the hundreds of megabytes. I am not sure if it will do that over cellphone-data by default or not, but it might be worth checking.

1 Like

By default, the Play Store downloads app updates via Wi-Fi only. So no worries here. I have no idea whether alternative app stores act differently in that respect, because I do not use any.

Seeing 1.1.1.1:853 in the list is Cloudflare, not Google (theirs is 8.8.8.8 and 8.8.4.4), and it is their DNS over TLS given it uses port 853. You give Cloudflare (instead of anyone who snoops your line) access to your DNS requests. This is read access, to a large company, but the alternative is arguably worse. Especially in the USA where ISPs inject crap via DNS (no joke!). I’m unsure if Cloudflare(/Google/IBM) have write access to the requests (i.e. can spoof replies).

2 Likes

I am not so sure. I think what’s running might not be “Qualcomm Location” but instead “XTRA – Predicted GNSS Satellite Orbit Data” as written about here: Privacy Policy | Qualcomm

The relevant section might then instead be:

XTRA uploads the following data types: a randomly generated unique ID, the chipset name and serial number, XTRA software version, the mobile country code and network code (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the time since the last boot of the application processor and modem, and a list of our software on the device

This looks approximately consistent with what you were seeing in the user-agent string, right?

It’s still some information disclosure to upload that information (and not even over HTTPS, so any MITM can read as well!), but not at all as bad as GPS locations and Wifi towers.

1 Like

To add to the previous post; this does not exclude that there actually is some other service that is “Qualcomm Location”, but a quick googling seems to show that there seems to be “com.qualcomm.location” services on some other phones. So based on that, my guess is that “Qualcomm Location” is not installed on the FP3.

There are a number of Qualcomm services running on the Fairphone, including “connection security” and “telemetry” - they communicate encrypted, so we do not know what they transfer.

The only service that connects unencrypted is the GPS daemon. (Which technically is not a “service” in the classical sense. There is no app for it, it’s running on driver level and cannot be stopped/killed/disabled through adb)
It transfers a string as part of the user agent that is both device specific and state specific (parts of the string change with every request) - the data volume sent is not enough to include a complete location history though, but it is potentially enough to encode the current location at the time of the request.
That being said, the main purpose of this unencrypted request is to update the GPS almanac, which is usually done before a GPS lock can be established.

Looking at the user agent strings you provided, the parts that change are two numbers that increase slightly and the difference between them is always “13”. It seems likely to me that this is the “time since the last boot of the application processor and modem”, i.e. the uptime.

Have you checked whether they use certificate pinning? Have you tried mitmproxy/sslstrip?

No – that has been on my TODO list for a while, but I currently don’t have the time for exhaustive forensics.
Another option, if it does use pinning, you could disassemble and reassemble the apps involved with smali/baksmali and change a few strings (such as the server URLs) - unless the communication in question is done by native compiled crap, this might be the quickest way to find out what is transferred.
Of course you could find out it’s encrypted crap coming straight from the QSEE enclave (Qualcomm’s DRM stuff, running on a privileged hyperkernel above the Linux kernel), in which case you would be as wise as before.

1 Like

After upgrading to Android 10, there are various new apps and services on the phone that send data to third parties. Some of them cannot be deactivated.

For example, after upgrade I caught my phone in flagranti trying to make a connection to “activation.fairphone.com” port 10780. The connection is initiated by a service running with user ID 1000 - sadly I could not identify which one - this includes quite a number of services including a new system app called “Fairphone Activator” (com.fairphone.activator) – This app has access to the phone and the phone location, which can not be disabled in the settings. The app also can not be disabled or uninstalled.

WHAT THE F*****? FAIRPHONE???

It’s bad enough that we have all this Qualcomm Spyware preinstalled which calls home all the time, but I cannot remember agreeing that fairphone is collecting data about my phone or its whereabouts.

I am going to call support, ask what kind of data this service transfers, and I am going to ask for a way to inhibit this.

5 Likes

I sent the following support request. Let’s see what the answer is:

After updating the phone to Android 10 with the recent over-the-air upgrade, a new system app called “Fairphone Activator” has been installed (com.fairphone.activator).
This app has access to the phone’s internals as well as its location and sends data to activation.fairphone.com TCP port 10780 as well as fp.thingslot.com and other URLs…

I do not want that. I am quite sensitized to privacy threats on consumer devices. This is one of the main reasons why I bought a Fairphone in the first place, since I was under the impression that Fairphone - unlike many other phone manufacturers - would NOT spy on their users.
I was quite shocked that the phone would now do that without prior notification or consent.
I tried to disable the app, but this is not possible, since it is a system app.
It also was not possible to uninstall it.

Then I tried to disable the app’s access to the phone’s location and system internals (in the app permissions) but the option to change the permission is greyed out with the notice “Device requires this permission to operate”.

This is obviously not the case, since the device operated fine without this app prior to the Android 10 upgrade, and the device worked fine while the network access was being blocked.

In accordance with the EU GDPR directive I have the right to know what kind of data Fairphone collects about my phone usage and for which purpose. Data like IMEI and phone location, which this app has access to, is personal information capable of identifying and tracking individuals.

The phone should not transfer any data to Fairphone or any 3rd party without prior notification and permission of its user - unless the user explicitly requested this by performing an operation that implies this data transfer (such as performing a search, phone call, or accessing a webpage). No such permission or intent was given.

I expect you to provide detailed information to me, which I will share with the community in the appropriate forum threads:

  • What does this app do, what is its purpose?
  • What data is being collected/sent to fairphone.com?
  • How can this app be disabled/uninstalled?
  • Why was this app shipped in the first place without informing users or asking for consent to its operation?

best regards,

7 Likes

Interesting find. I took a look into the code. Looks like this app will check on every reboot if the current build has been “actived” yet (meaning data being uploaded). If not the case, it will upload the following information to the URL you mentioned:

Generic build and device infos:
BRAND
BUILD_ID
BUILD_TIME
FINGERPRINT
MODEL
OS_VERSION
Serial

It will also contain the following personal information and location data (LTE cell info for each SIM):
IMEI1
IMEI2
LANGUAGE
LTE_GCID_1
LTE_GCID_2
LTE_LAC_1
LTE_LAC_2
LTE_MCC_1
LTE_MCC_2
LTE_MNC_1
LTE_MNC_2
LTE_OPERATOR_NAME_1
LTE_OPERATOR_NAME_2

8 Likes

Since the app cannot be deactivated, uninstalled, or its access rights revoked, I tried to get rid of it using adb shell:

pm uninstall --user 0 com.fairphone.activator

I am not 100% sure if this also works after a cold reboot, or if there’s a brief window of opportunity for the app to become active if there is internet (WiFi or mobile data) while the phone is still being unlocked, as the user data - including the information about app permissions and preferences - might still not be loaded yet. I simply don’t know well enough how the Android boot process works in relation to user-uninstalled apps.

1 Like

Hi, have you already received answers about the spy features?

IMHO not every telemetry activity must be classified as „spying“ on us. If you do not even trust apps from the company that builds the phone that you have chosen, then who do you trust?

Best wishes,
Thomas

I received an initial answer from the support, saying they were unaware of that and will check back to clear that up. I haven’t heard back from them since and am still waiting.

1 Like

Full Ack! No, not every telemetry activity would be classified as “spying”.

Spying is by definition secret.
If a telemetry feature is known, its presence and purpose documented and the user informed before activation with the ability to opt out, then I would definitely not call this spying. An example would be the dialogue in many app or software installations “Do you want to participate in our anonymous quality assurance. The app will then send anonymous usage data and crash reports which help us make this product better (X) Yes ( )No [Submit]” - ideally with a link to more detailed information about which data is collected.

If a telemetry feature is however added during an over the air update, hidden, without any notification to the user, without any information about the purpose, intent or functionality, and this feature is deliberately implemented as a non de-installable and non de-activatable system application, which sends back unknown, undisclosed data behind the user’s back, then I would indeed call this spying. Regardless of how little data is actually transferred.

This is more a matter of trust, documentation and openness than about the purpose or amount of data.

5 Likes

I now received a more elaborate reply, here is an excerpt of the relevant parts:


The activation service enables Fairphone to know how many devices have been activated and are still in use. This is very useful data for us, as we aim at having our customers use their phones for as long as possible. It can also help to determine how many users installed which software update.

As this app is integrated with the phone’s operating system, it is indeed not possible to uninstall it.
The main information collected and useful for us is the IMEI, date of activation and build number.
We figured out that the user’s location was not really necessary for our activation service to work, and we are therefore working on removing it.

As you might be aware, we also developed a partnership with e.Foundation, that is developing an OS specifically for privacy-conscious users.

If you wish to install it you can proceed the following way:

Please be aware that we do not provide support for alternative operating systems other than the Fairphone OS. If you require software support after installing /e/ OS, you should contact e.Foundation support directly

First, you will need to unlock your bootloader. This way you can install alternative operating systems.

Then, follow these instructions to install /e/ OS on your Fairphone 3.

I will be unable to provide you further help regarding /e/ OS, but you can find some on the Fairphone community forum or on the e.Foundation community forum dedicated to Fairphone.

If you want or need to return to the original Fairphone OS, please follow this article on how to manually install Fairphone OS on your Fairphone 3.

note: I can’t access the linked articles on support.fairphone.com for some reason. On Firefox at least the login form does not seem to work.

5 Likes