from the mess-under-the-hood dept.
Snapdragon giant and others insist alleged data gathering is overblown:
Analysis: Cellphones using Qualcomm chipsets may transmit data sometimes classified as personal information, specifically IP addresses, back to Qualcomm. But where such transmission is occurring, it's not secret and it has been going on for years.
That doesn't mean, however, that there's no privacy risk in Qualcomm-based phones, or in devices with rival chipsets, for individuals like journalists or human rights advocates with sophisticated adversaries. Such scenarios, however, are unusual and not much of a worry for most mobile phone users.
Recently, hardware security firm Nitrokey published an advisory claiming that "smartphones with Qualcomm chips secretly send personal data to Qualcomm" and do so "without user consent, unencrypted, and even when using a Google-free Android distribution."
[...] "Qualcomm's proprietary firmware is not only downloading some files to our phone to help establish the GPS location faster, but also uploads our personal data, such as the devices' unique ID, our country code (Germany in this case), our cellphone operator code (allowing identification of country and mobile operator), our operating system and version and a list of software on the device," as Nitrokey put it, arguing this supplied metadata amounts to a unique per-person signature that harms privacy and occurs even when GPS is turned off.
A Qualcomm spokesperson disputed the research. "The article is riddled with inaccuracies and appears to be motivated by the author's desire to sell his product," a company spokesperson told The Register in an email. "Qualcomm only collects personal information when permitted by applicable law."
[...] Martijn Braam, a core developer for Alpine-Linux-based postmarketOS, has published a similarly scathing dismissal of the research as empty marketing. He noted the Qualcomm-initiated HTTP communication does not contain any private data. "It's just downloading a GPS almanac from Qualcomm for A-GPS [assisted GPS]," he observed.
[...] The Nitrokey post goes on to claim that Qualcomm's XTRA service is not part of /e/OS or Android, but operates from the Qualcomm firmware known as AMSS. "This covert operating system operates on the broadband processor (modem) and manages the real-time communication with the cell towers," the advisory stated.
A former mobile industry executive familiar with Qualcomm technology told The Register that characterizing AMSS as "a covert operating system" is "total nonsense."
However, our source explained, what goes on in phones at a low level isn't really understood by the general public.
"The way chipsets work, there's an application processor family," our source explained. "Underneath there's a kernel that hosts and virtualizes the operating system. And there are various subsystems – the modem, the Wi-Fi, peripherals like USB, the display driver, and the GPU. The vendors all have large amounts of software like AMSS that runs there. And they have a choice on what to compile from that image."
Of all the chipset makers, such as Huawei, Samsung, Qualcomm, and Apple, our source said, "any of these guys are going to have all kinds of different fetches that they're going to make [over the network]."
GrapheneOS, a privacy-focused version of Android, discloses these sorts of transmissions in its documentation. The only way to be sure about how one's phone behaves is to test it with a network traffic tool like Wireshark, our source said.
That's necessary, our source said, "because you can't get a straight answer from the vendors. Some of these features may have five or 10 switches to turn it on. There is a lot of old software. There's a lot of new software. It's very complex and there is a huge amount of it. And it has evolved from generation to generation. It's pretty much hideous, like any major operating system. The only thing I wouldn't call it is 'covert,' because it's been there forever."
[...] If your life depends on not being tracked through your phone, don't use a phone. For less pressing privacy scenarios, enjoy your chosen handset with the knowledge that you're probably leaving some kind of digital footprints somewhere. ®
More VPNs!