GrapheneOS

Latest release addresses the privacy issue brought to our attention by NitroKey with Qualcomm SoC devices by stopping xtra-daemon from sending the SoC serial number in the HTTPS User-Agent header:

https://grapheneos.social/@GrapheneOS/110284380098624253

We'll be removing the User-Agent header completely later.

#grapheneos #qualcomm #xtra #psds #privacy

GrapheneOS (@[email protected])

GrapheneOS version 2023042900 released: https://grapheneos.org/releases#2023042900. See the linked release notes for a summary of the improvements over the previous release. Forum discussion thread: https://discuss.grapheneos.org/d/4749-grapheneos-version-2023042900-released #grapheneos #privacy #security

GrapheneOS Mastodon
Apr 29, 2023 at 10:14pmWeb
Show threadGrapheneOSApr 29, 2023

Default connections made by GrapheneOS are documented at https://grapheneos.org/faq#default-connections including Qualcomm PSDS (XTRA) for 4th/5th gen Pixels.

On 6th/7th gen Pixels, GrapheneOS only uses GrapheneOS services by default since we use our own PSDS cache for Broadcom GNSS (GPS, etc.).

GrapheneOS Frequently Asked Questions

Answers to frequently asked questions about GrapheneOS.

GrapheneOS
Show threadGrapheneOSApr 29, 2023

We've already been hosting a Qualcomm PSDS cache since March which we're in the process of integrating:

https://github.com/GrapheneOS/grapheneos.network/commit/6e213e84c881d6afc64c3c54a8ea8aeab03dcb9a

xtra-daemon setting User-Agent is entirely unnecessary so we'll stop it from doing that instead of only preventing it from including any hardware IDs.

add Qualcomm PSDS data cache · GrapheneOS/grapheneos.network@6e213e8

Servers for HTTP/HTTPS connectivity checks, HTTPS network time, Broadcom PSDS cache, Qualcomm PSDS (XTRA) cache, SUPL proxy, attestation key provisioning proxy and Vanadium component update check/download proxy. - add Qualcomm PSDS data cache · GrapheneOS/grapheneos.network@6e213e8

GitHub
Show threadSpaceLifeFormApr 29, 2023

@GrapheneOS

#FingerPrinting

Show threadDerek MorrApr 29, 2023
@GrapheneOS Thank you for addressing this so quickly.
Show threadByteApr 29, 2023

@GrapheneOS why was it doing that in the first place

Why would someone program that

Show threadGrapheneOSApr 30, 2023
@Byte Qualcomm uses XTRA to gather statistics on the devices using their SoC. They use the hardware ID and a random ID to count unique users per device model, etc.
Show threadByteApr 30, 2023
@GrapheneOS Why is that turned on in the first place though? Is xtra-daemon written by Qualcomm or what?
Show threadGrapheneOSMay 2, 2023
@Byte Yes.
Show threadByteMay 2, 2023
@GrapheneOS I see. Does xtra-daemon do anything useful for GrapheneOS?
Show threadGrapheneOSMay 3, 2023
@Byte Yes, it retrieves GNSS almanacs via HTTPS GET requests to provide much faster GNSS-based location lock. We document it at https://grapheneos.org/faq#default-connections. 6th/7th generation Pixels (which are the recommended devices) use the open source AOSP PSDS downloader and we provide our own PSDS cache. We're working on doing the same thing for Qualcomm PSDS but it's more difficult due to using xtra-daemon instead of standard AOSP PSDS support. Qualcomm likes doing things their own way...
GrapheneOS Frequently Asked Questions

Answers to frequently asked questions about GrapheneOS.

GrapheneOS
Show threadByteMay 3, 2023
@GrapheneOS ah, of course. Maybe in the meantime it could be sandboxed? You know what things it’s *supposed* to access in theory? Or is it a problem of not being able to distinguish between appropriate use and inappropriate use of the network?
Show threadGrapheneOSMay 4, 2023
@Byte It is sandboxed and always was. That's how we removed access to SoC serial number. We just removed access to it rather than changing the code to stop reading it. We can also still read the code and see what it does but it's too painful to modify the code and maintain that. Removing User-Agent and using our proxy will both be done by hooking the calls it makes into the OS libraries.
Show threadByteMay 4, 2023
@GrapheneOS makes sense. Thanks for explaining it
Show threadAndrea PappacodaApr 30, 2023
@GrapheneOS well done, thanks! It's incredible how deep inside a device some information leaks are located