Hello, I stumbled over this topic here mentioned on the website from nitrokey: Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker | Nitrokey I guess my device Xperia XA2 with Sailfish is affected too?
Citation needed, the author doesn’t provide actual packets with data that is supposedly sent and according to grapheneos devs (GrapheneOS: "Qualcomm uses their own xtra-daemon service inste…" - GrapheneOS Mastodon):
The whole article sounds like gpt generated advertisement
And I’m surprised they don’t know izatcloud.net! It is in the first line of gps.conf on any android phone (and in SailfishOs).
Can @Jolla please research and check if this is a hoax or not? They should have the necessary laboratory equipment to do this.
It’s Qualcomm’s XTRA service and they are HTTP GET requests to address like https://xtrapath1.izatcloud.net/xtra2.bin
I would worry more SUPL request to service like supl.google.com as those request contain device identification infomation.
I’m wondering about this too, as I ran SailfishOS on an XA2 and the Xperia 10 line also uses Qualcomm Snapdragon chips.
May we request Jolla looking into this? @flypig ?
Yes the company is advertising their own device. But it doesn’t read like a ChatGPT generated article to me.
This is just an advertisement article to promote their modified Google Pixel phones with GrapheneOS. I don’t see anything new in this article.
The connection to android.clients.google.com
is because of e/os/ using microg which does this to register the device with google when this setting is enabled. If you enable Google device registration in microg it connects to google.
The other stuff is like already mentioned A-GPS related.
What I am upset about is whatever kind of data is sent: it’s without my permission. Now we have rules like GDPR, but nobody officially cares about.
I would like to see EU taking care about those issues. What does the industry cares about if I contact them and refer to the GDPR?
The Member countries of EU are supposed to take care of that. The GDPR gives you the possibility to file complaints with the data protection body. Problem is, some countries have shitty data protection agencies who purposefully neglect their duty (looking at you Ireland).
It’s not fully automated, but the copywriter clearly used assistance (the mixing of jargon/buzzwords with no understanding of them - xtra-daemon is android level implementation that has nothing to do with baseband os which is apprently the same as android firmware, but they did a search on /e/'s github and ‘our /e/OS has been completely de-Googled’…). It’s all pretty much just to spread fud, push their superiorly secure product and sadly it’s working as you can see from reactions. More curious how this garbage ad got posted twice here within like half an hour, pageranking or maybe google alerts as they mentioned sfos
Martijn Braam from Postmarketos agrees.
For sure not a company i would consider if i needed a secure phone.
This whole story is FUD. The gps ‘features’ from Qualcomm have been a well advertised product since 2014 or 15. How it is enabled, but who (presumably after having licensed the tech) is anyone’s guess, though I’d bet the marketing literature from Qualcomm is full of references.
The best Part of that Advertising is:
They claim its secure and Google free but then the Nitrophone 2 (Pro) its based on Pixel 6 (Pro) Hardware with Titan M2 Securitychip by Google
I have to admit, my paranoia in recent years led me to disable IPMI on server boards as a matter of course and replace all that with a self-built serial console server. But, the fact is, I have NO idea what the chipsets on my phone are doing. sigh. too much, to do.