Qualcomm has denied the allegations about collecting the personal data of Android phone users illegally and without acquiring user consent.
The American semiconductor behemoth, which supplies processors to billions of Android smartphones and tablets worldwide, asserts that its data collection methods are fully transparent and adhere to the relevant legal regulations in the nations where its chips operate.
The report that accuses Qualcomm of the above comes from Nitrokey, a German company specializing in open-source hardware for applications that require bolstered security, data encryption, and data privacy.
Nitrokey tested the Snapdragon 630-powered Sony Xperia XA2 running the ‘/e/OS’ system, which lacks Google proprietary services and closed-sourced components, and it found that the device sends a DNS request to “android.clients.google.com” and then contacts an unknown service named “izatcloud.net.”
Upon further investigation, Nitrokey found that Izat Cloud belongs to Qualcomm, and contact with it is made via the XTRA service, which is part of the company’s Assisted GPS (A-GPS) technology.
As Qualcomm explained to Nitrokey when asked about the data collection, the XTRA service helps speed up GPS positioning and enhance accuracy when the device’s signals are obstructed.
- Unique ID
- Chipset name
- Chipset serial number
- XTRA software version
- Mobile country code
- Mobile network code (allowing identification of country and wireless operator)
- Type of operating system and version
- Device make and model
- Time since the last boot of the application processor and modem
- List of the software on the device
- IP address
Nitrokey also reports that the requests sent by the devices to Izat Cloud are of the unencrypted HTTP type, meaning that if intercepted, they could be used to infer the user’s geographical position and other details.
No matter how sensitive or privacy-risking the data is, the worst part of this data collection is that it happens by a service (XTRA) that runs at a lower level than the user-facing operating system (Android), as it’s part of Qualcomm’s firmware (AMSS).
This practically means that it cannot be disabled, and no matter what OS restrictions or privacy settings are selected by the user, they can all be bypassed. Qualcomm AMSS directly manages real-time communication with cell towers and has full control over the device’s hardware, and is out of the user’s control.
When asked by RestorePrivacy about Nitrokey’s report, a Qualcomm spokesperson answered with a comment that reflects their strong feelings about the allegations made in the post, rejecting them all.
Furthermore, the spokesperson explained that all current Qualcomm chips rely on HTTPS for the communication exchange and that the use of HTTP has been deprecated from 2016 onwards. This means that if you’re using a fairly recent device, the AMSS communications are at least secured from man-in-the-middle attacks.
Nitrokey claims its smartphones, which runs a privacy-enhanced Android distribution named GrapheneOS, aren’t susceptible to XTRA-induced data leaks because the SUPL (Secure User Plane Location) configuration for the A-GPS service stops the exfiltration of IMSI and phone numbers and passes all data through a proxy.
Regarding the legal aspect of obtaining user consent for data collection by the AMSS, RestorePrivacy has requested clarification from Qualcomm about the process and stage at which consent is acquired, and we will update this article once we receive their response.
Update: April 26, 2023 – Qualcomm has provided us with an additional statement on the XTRA service below:
The XTRA service does not collect data that can be used to identify specific individuals. The information used by the XTRA service is non-personal and technical (and also necessary to support the expected functions of the phone). It does not collect any location data of the end user device and since none of the data is personally identifiable, applicable laws don’t require us to collect user’s opt-in consent.Qualcomm