Telemetry, Spyware, list of privacy threats on FP3 Android 9

I would love to. Where do you set this?

The main issue is, as a user installed App in Android9 , it would not run until the user logged in (Same issue as with custom keyboard Apps and similar). Which means all it needs is a spontaneous reboot while Wifi is on. The phone will remember that Wifi WAS on before rebooting, but would not start the VPN app until after the user unlocked the phone. By then all these background telemetry connections have all already taken place.

In some ROMs (MIUI for example) It’s possible to setup a Wifi network in such a way that the phone does not automatically connect to it. This was my workaround on my previous phone, I didn’t allow autoconnect to ANY wifi’s, ensuring that after a reboot I wouldn’t have internet until after I unlocked the phone. However in stock Android, the only way is to manually have it “forget” the network, which of course is not an option if you encounter an unscheduled device reboot.

Settings → Network & Internet → VPN → WireGuard Settings (Icon) → Block connections without VPN (Toggle).

Faraday cage I mean, does this occur often? Not on FP3 AFAIK.

After some playing around I found a way to force the GPS daemon to make the aforementioned connections.

In Settings -> System -> Extended -> Developer Options -> Service Menu
click Service tests -> Test Single -> GPS -> Purge assistance data
followed by
Service tests -> Test Single -> GPS -> GPS Location Test

this will trigger the GPS daemon to make two connections to a random IPv4 address hosted by Amazon cloud services

1. udp port 123 (NTP)
2. tcp port 80 (HTTP)

I have been able to “see” the port 80 connection attempt in netstat, but due to the limited access restrictions in /proc/… I couldn’t find out which PID was responsible for this connection, so - close but no cigar. Needs root.

I had only one spontaneous reboot on the FP3 so far that I’m aware of.
But if you worry about your privacy. It doesn’t really matter how often this happens. Once is already once too often, compromised is compromised.

Depends on the impact, and who you consider your adversary.

Our privacy has been impacted already. When I worry about privacy, I leave my (smart)phone at home. Whatever has to remain private isn’t digital. The stakes are too high to depend on technology.

Other people can carry smartphones around. With mics. And spyware. And radios. And cameras. And who knows what else. I cannot decide I don’t get tracked when I leave my house, even if I leave my smartphone at home.

My goal isn’t to win. We can’t. The system is too complex to win. Source code, binaries, huge amounts, super complex. Think of the capabilities you can give an app alone.

My goal is to fight back as good as I can, explore, and document the findings. By sharing our findings, we empower each other to fight back. Thousands of David’s, against the Goliath’s. Be it Google, Facebook, or a (hostile) state actor.

Sorry, but I find all these efforts and discussions such a waste of time (pardon me). If this is really an issue for you, you should not use a smartphone or mobile phone at all.

This thread might have derailed a bit towards justifying privacy and possible countermeasures, I apologize. (This very post including).

We should focus on documenting actual privacy threads found in the phone as opposed to hypothetical impacts on different user bases.

IMHO this isn’t just a “waste of time” - far from it. Spying on the user base - which Qualcomm seems to be doing through their preinstalled drivers - without offering an opt-in or even an opt-out and without consent or even informing the user is simply illegal in the countries where the Fairphone 3 is sold. Feel free to look at
https://eur-lex.europa.eu/eli/reg/2016/679/oj and the national implementations for reference.

This is made worse by the fact that Qualcomm is the leading manufacturer of Smartphone modem and processors and their exact same drivers can not only found in FP3 but basically any modern smartphone.

For me personally one of the main reasons to buy a Fairphone was the desire to have a Phone that I could trust, which wasn’t the case with the cheap Chinese phone I had previously. If you don’t expect any phone, not even a phone built to “fair principles” to at least abide the laws protecting its customers, then that is your choice, but don’t dis this thread or other people who might do care.

Or are you arguing that the rights of workers in an African Cobalt mine matter, but the rights of the users in Europe should be freely violated? I argue, a “fair” phone should care about both.

You are free to not read it. You are in no position to demand what other people spend their time on. There are quite some people on this forum who value privacy and security. You shall have to live with that fact.

That is one solution. It might be applicable in some situations, however it is a defeatist approach, and in 21th century people are simply using mobile phones and smartphones.

Allow me to quickly swoop into this conversation with some general remarks that might be of interest.

First of all, thank you, guys, for not only putting in so much effort into this issue, but also for sharing the gained information with everybody who is willing to know more about it. I would like to thank corvuscorax in particular as he seems eager to do the work most of us wouldn’t or simply couldn’t do.

I myself have been a strong supporter of privacy for a long while now, alas my lack of knwowledge has always put some restraints to it. Unfortunately, my FP2 recently fell to the “flexing” demon and I was forced to order a new phone. I went for the FP3 for rather obvious reasons (I suppose) and chose to take privacy issues more seriously than before (I was one of the early adopters of the FP2 and had lived with a Google contaminated phone ever since).

Your contributions (in this wiki, but also in other discussions in this forum) have greatly increased my understanding of several privacy concerns, while admittedly reducing hope of creating a somewhat privacy-friendly environment on my phone. The Qualcomm issue in particular seems to send a bit of a devastating message in this regard.

Still, this is the first time ever for me to register to a forum simply to express my appreciation and on behalf of everybody who has been reading along so far without contributing (as I often do), I say kudos and thank you!

Hi,
I do not know if you understand German. I received this from Bussels:
Lieber Alexander,

da das Gesetzgebungsverfahren rund um die DSGVO abgeschlossen und die Fraktion im Europäischen Parlament neu ist, gibt es keine formelle Zuständigkeit innerhalb der Fraktion für die DSGVO. Anna hat uns gefragt, ob wir dir weiterhelfen können, was wir gerne machen. Ich bin Mitarbeiterin im Büro von Alexandra Geese und wir betreuen, grob gesagt, die Digitalthemen. Ich habe vormals bei Jan Philipp Albrecht gearbeitet und war lange Zeit anwaltlich beratend zur DSGVO tätig. Ich kann leider nicht direkt im Thread antworten, da ich dort keinen Account habe, aber du kannst meine Anmerkung gerne dahin weitergeben.

Zur rechtlichen Bewertung: Eine Datenverarbeitung kann unter der DSGVO nicht nur nach einer Einwilligung geschehen, sondern auch, wenn sie etwa nötig ist zur Durchführung eines Vertragsverhältnisses oder ein “berechtigtes Interesse” des Verarbeitenden besteht (Art. 6 DSGVO: Verordnung - 2016/679 - EN - Datenschutz Grundverordnung - EUR-Lex). Zudem sind hier (zumindest zum Teil) Telekommunikationsdaten betroffen (Verkehrsdaten, Standortdaten), auf die nicht die DSGVO, sondern die e-Privacy-Richtlinie (EUR-Lex - 32002L0058 - DE) anwendbar ist. Diese wurde in jedem Mitgliedsstaat durch eigene Gesetze umgesetzt; in Deutschland ist das das Telekommunikationsgesetz (https://www.gesetze-im-internet.de/tkg_2004/, insbesondere §§ 91 ff.).

Eine DSGVO-Beschwerde kann jede*r bei der Datenschutzbehörde ihres/seines Wohnortes einreichen. In Deutschland hat jedes Bundesland sowie zusätzlich der Bund eine eigene Datenschutzbehörde; in Sachsen ist das der Sächsische Datenschutzbeauftrage: https://www.saechsdsb.de/. Die haben mittlerweile ein Online-Formular zum Eingeben von Beschwerden: Startseite - Sächsische Datenschutz- und Transparenzbeauftragte - sachsen.de. Das Verfahren ist nicht formgebunden, das heißt du kannst die Beschwerde auch per E-Mail oder Post eingeben. Auch der Inhalt ist nicht formgebunden; am besten trägst du einfach - so wie ihr es im Thread ja auch gemacht habt - zusammen, worum es euch geht. Sollte die Behörde dann noch mehr Informationen brauchen, meldet sie sich (beachte, dass das aktuell alles sehr lange dauert, weil die Behörden leider nach wie vor viel zu schlecht ausgestattet und ziemlich überlastet sind). Da es sich in diesem Fall um eine Bewertung nach dem Telekommunikationsrecht zu handeln scheint, könntest du deine Beschwerde auch direkt beim Bundesdatenschutzbeauftragten einreichen, der in einem solchen Fall zuständig wäre; auch dieser hat ein Online-Meldeformular: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit ( BfDI ) Interaction Platform. So oder so leiten die Behörden ansonsten intern die Beschwerde an die richtige Stelle weiter.

Ich hoffe das bringt erstmal etwas Licht ins Dunkel! Bitte verstehe, dass wir keine Rechtsberatung oder ähnliches vornehmen dürfen oder können. Wenn ihr detaillierteren Klärungsbedarf habt, ist es, wie ihr schon erkannt habt, definitiv der richtige Weg, sich an die Datenschutzbehörde zu wenden. Toi toi toi!

Beste Grüße

Jana

Jana Gooth
Legal Policy Advisor

to Alexandra Geese, MEP
European Parliament
Rue Wiertz 60
ASP 08H342
B-1047 Bruxelles

+32 2 283 89 05
@janagooth | www.alexandrageese.eu

Wow, thanks for going that far this did clear some things up.

I wonder who is at fault here. If you purchase a software license (for example for windows) and accept the EULA, you accepted a contract with that party. The party then has the rights and obligations under DSGVO and e-Privacy-Directive towards you as a contracted party.

But if you purchase a phone, are you ever agreeing to such a contract? Who is the contract partner and legally responsible? Is it Fairphone for selling the phone? Is it Google for making you click on “I accept” on first power on (if so)? Is it Qualcomm?

If it is Qualcomm, based on what contract? I don’t want any services from Qualcomm, I’d happily stop using their stuff and uninstall all their “Qualcomm Mobile Security” software. I wouldn’t even install that myself, the phone came with it as part of the drivers. It was already running when I unpacked it.

I don’t want to file too many complaints without knowing more at this point in time. We should first make sure Fairphone isn’t the one legally responsible for Qualcomm’s wrongdoings.

Can anyone who has recently factory-reset the FP3 tell if there is any notification and/or information about the Qualcomm software that is preinstalled, any contract or software license that one implicitly or explicitly agrees by turning the thing on? Any EULA , end user agreement or privacy information file mentioning ANY of the Qualcomm features? I can’t remember, but I don’t want to factory reset the phone now just to figure that out.

Fairphone seems to be really busy right now with hardware manufacture and delivery hell and a million support requests because stuff isn’t working as it should (hint: microphone )

I don’t think it would be fair to give them even more of a headache by filing legal complaints because of Qualcomm’s potential spyware now, if the issue might be addressed soon by an option to root the phone and get rid of the crap and/or a ROM that doesn’t have this stuff. Then again, it might be Qualcomm’s proprietary drivers which could be the main hold-back from releasing the kernel source so far.

Fairphone might be trapped between the fire and a hot place, by being legally responsible for the effects on end-user-privacy of shipping phones with Qualcomm’s spyware, while at the same time being contractually bound to them (without Qualcomm drivers, the phone would not boot) the only short-term possible solution might be to stop shipping Fairphones, and that’s not something I would want to have enforced before all cards and options are on the table.

We might should contact someone @Fairphone regarding this, before bringing it to the attention of authorities (even though we probably could)

So going forward:

1. A 2nd pcap would be helpful. Can anyone with a Fairphone 3 make a traffic log of the gps daemon calling “home” and record the “User-Agent” identifier. If this identifier is unique to each phone, it allows tracking each device. If it’s not and only identifies the phone as a Fairphone (and maybe the software version) this would be a whole lot less problematic.

2. Who could we best contact at Fairphone to tell us what the contractual base is for software use of Qualcomm products on the Phone by the end-user, how an end user can withdraw from any such contract and uninstall the qualcomm software products, if and what alternatives are /will be/ available and when, etc.
   At the intersection of “highly technical” and “legally relevant” this isn’t something the typical support clerk is ready or capable of answering, and it would be better to have a good answer than a quick one.

Been reading this thread since the beginning, never bothered to sign up until now as this discussion revealed some disturbing information to me. And yes, I’m also someone who’s getting more and more concerned about our privacy when using online devices…

I’ve reset my device 10 minutes ago.
The only Accept I had to give was for Google services…

No message was displayed about any other service which might send PII back to 3rd parties.

Thanks for confirming that. And welcome to the forum, great first post

Is there any way to skip this step? I will receive my FP3 today or tomorrow and don’t agree with Google Services.

I don’t know.
You definitely have to accept in order to make a google account and use the google app store. However the app-store technically isn’t necessary, since you can activate developer mode in settings and install F-Droid using adb - then get everything you need from there. However on first start, a “greater” app gets started which helps the user through the setup process (including selecting a google account) and I am not sure if you can bypass it or not. I’d have to do a factory reset to check, and right now I have too many customisations on my FP3 which would take hours to redo.
Since you’re receiving your phone anyway, can you try to bypass the greeter and tell us if/how this works, or where you get stuck ?

Edit: I think, at least some steps in the greeter app have a “skip” button. But even if the greeter app has no way to “quit” it before completion, it might be possible to pull down the quick-menu bar from the top, then enter settings from there and force kill (and later uninstall) the greeter, thus bypassing any agreements and account creations. But I haven’t tried, this is only a theory.

Yep, I will do everything I can to bypass it. I do not intend to use any Google Services, but would install F-Droid right away anyways.

You can also download it using the browser (I assume Chrome is preinstalled? ) and install the APK locally, right?

By default, the installed Chrome version is not yet updated and therefore likely vulnerable.

It is recommended to download the APK using a secure, latest version of Firefox (or Safari, Edge, Chrome, or curl) and then transfer it via ideally USB.

This is both in advantage to your privacy (in Firefox, disable telemetry) and to security.

Is there any way to skip this step?

Yes, it’s possible.

did you need to do anything fancy (settings/force kill) or simply press the “skip” button?

Just press the “Skip” button