No privacy

In the research conducted by Nitrokey experts, several smartphones that were cleaned from Google services (to prevent information transfer to this company) were checked. Sony Xperia XA2 without SIM card was taken specifically for the study. The device connected to Wi-Fi and started monitoring traffic. According to the data received, regardless of the presence of their services on the smartphone, the data is still transferred to Qualcomm.

Analysis of the network traffic showed that the smartphone was sending data to the address where the cloud storage called Izat Cloud, which is part of Qualcomm’s XTRA Service, is located. Also, the data was transmitted over an insecure HTTP protocol, making it vulnerable to hackers or interference from a telecommunications operator.

What is Izat Cloud and XTRA Service? These tools tune the performance of A-GPS, the technology responsible for accelerating geolocation. Neither Sony (smartphone manufacturer), Google (Android developer) nor Qualcomm (processor manufacturer) disclose information about these tools to users, you will not find this information in the device’s manual or on the website with its description. .

Nitrokey researchers turned to Qualcomm, deciding that collecting data without the express consent of users is against the General Data Protection Regulation (GDPR). Surprisingly, a quick response came and data collection is completely legal and does not violate Qualcomm’s privacy policy. The company also pointed to the privacy policy of the XTRA Service. That document said that Snapdragon processors passed the following information to Qualcomm:

• Unique identifier.
• The name of the chipset.
• Chipset serial number.
• XTRA software version.
• Phone country code.
• Telephone code of the communication operator.
• Operating system name and version.
• Smartphone manufacturer and model.
• The time elapsed since the processor was powered on.
• List of software installed on the smartphone.
• IP address.

Qualcomm, this data is stored for 90 days.

XTRA Service does not run with the operating system of the smartphone, but directly on the processor – a firmware called AMSS. AMSS can be thought of as the main operating system of the device and Android (or other operating system in a smartphone) is simply an outer shell with which the user interacts. It is AMSS that has full control over all the features of the smartphone, including access to the camera, microphone, location information and all files in the storage.

A similar security problem is likely not only in Qualcomm processors, but also in chips from other manufacturers, especially Apple. In development, they may include a “hidden passage”.which provides full, invisible and uncontrolled access to all sensors and modules in the smartphone, opening up unlimited possibilities for tracking any person.