German security firm Nitrokey recently published a report claiming to have discovered an unpatched feature in Qualcomm Snapdragon chips that collects user information and transmits it directly to Qualcomm servers. The feature is independent of the Android operating system, meaning data is transferred even if the operating system is not involved. Nitrokey installed a non-Google version of Android on a Sony Xperia XA2 phone equipped with a Qualcomm Snapdragon 630 chip and found that the data was sent to Qualcomm’s izatcloud.net server.
According to the report, Qualcomm chips collect and share information about the user, including a unique smartphone identifier, chip name, chip serial number, XTRA software version, mobile country code and mobile network code, carrier or operating system type and version, device manufacturer and model, a list of apps on the device, IP address and other data. The data is transmitted over the insecure HTTP protocol without any additional encryption and becomes available to almost anyone who can read the unique identifier data sent to Izat Cloud.
Unencrypted data transfer from Qualcomm chips
This feature affects approximately 30% of phones worldwide, including Android phones and iPhones using Qualcomm communication modules. Nitrokey’s conclusion in the blog post is that because Qualcomm’s custom AMSS firmware takes precedence over all operating systems and uses the HTTP protocol, the collected data can be used to create a unique device signature that can be accessed by third parties.
Qualcomm responded to the report by saying that the data transfer complies with the privacy policy of the XTRA service, which effectively allows the company to collect the user data mentioned above. However, the transmission of data over the insecure HTTP protocol raises concerns about the privacy and security of user information.
This report highlights the importance of transferring user data securely and in accordance with privacy policies. It also highlights that tech companies need more transparency about the data they collect and how it is used. As more devices connect and collect more data, it’s important that users know and can control how their information is used. Google’s latest developer update now requires all Android apps to include a feature that allows users to delete their accounts and data, reflecting an increased focus on user privacy.