supl
- /e/ version: any
- Device model(s): any
Summary
SUPL is used to accelerate GPS location acquisition, but it seems to connect to some Google servers or other third-party servers, which is potentially problematic in terms of personal data collection.
More about SUPL service issue: #2481 (closed)
Description
We had a first report from a research lab:
SUPL:
On a Pixel 4a there are connections to supl.google.com made over the cellular connection, and also associated DNS connections. An example decoded payload is below (the encoding is per the SUPLv2 standard). It includes the full IMSI as well as the cell ID. It's quite tricky to see these connections, but fortunately my friend and colleague Francesco Gringoli (cc’d) at U.Brescia has a software radio cell base station that can be used to sniff the cellular traffic. The SUPL connections seem never to be made over Wi-Fi (at least on a Pixel 4a), and they are not visible on the rmnet_ipa0 interface on the device (where other cell data traffic can be seen), plus the Qualcomm /dev/diag interface also seems to be disabled on this device (maybe a userdebug OS install would enable it, but I haven’t checked). Last week I asked Google what their privacy policy is re this traffic, but haven’t heard back yet (it's the 4th of July holiday).
As to mitigations, I guess the obvious approach is to (i) modify the /vendor/etc/gps.conf file to change the supl server to something like localhost, and (ii) also modify:
defaults.putString(KEY_SUPL_HOST_STRING, "supl.google.com");
in class CarrierConfigManager in package android.telephony from /system/framework/framework.jar (this is used by the GnssLocationProvider in /system/framework/services.jar, search for calls to setAgpsServer() in com.android.server.location.gnss.hal.GnssNative to find where). But it's going to be tricky to confirm the effectiveness of these changes when it's hard to see the SUPL connections in the first place.
XTRA:
The modem also makes connections to http://xtrapath1.izatcloud.net/xtra3grcej.bin to download satellite position info. The user-agent strings in the connections are like this (these are from a Pixel 2):
User-Agent:A/10/Google/Pixel#2/walleye/unknown/QCX3/l3413608899667772867/-/367973139/-/google/607/608/-
User-Agent:A/10/Google/Pixel#2/walleye/unknown/QCX3/l3413608899667772867/-/367973139/-/google/225/226/00:BOOT.XF.1.2.2.c1-00051-M8998LZB-2+01:TZ.BF.4.0.6-00245+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.8-00023-8998_GEN_PACK-1.262258.2.274106.1+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00060+15:SLPI.HB.2.0.c3-00016-M8998AZL-1
It looks like we can parse a fair bit of the string using this code snippet:
snprintf(userAgent, sizeof(userAgent), "A/%s/%s/%s/%s/-/QCX3/s%u/-/%s/-/%s/-/-/-", release, manufacture, model, board, mContext->getIzatDevId(), chipsetsn, brand);
from here:
https://android.googlesource.com/platform/hardware/qcom/gps/+/e98b641%5E%21/
https://www.dragino.com/downloads/downloads/datasheet/other_vendors/BG95/Software/Quectel_BG95&BG77&BG600L_Series_GNSS_Application_Note_V1.2.pdf
As a check, "A/10/Google/Pixel#2/walleye" is Android 10, on a Google Pixel 2 device. The long number l3413608899667772867 corresponds to getIzatDevId(). The 367973139 value matches the output of "cat /sys/devices/soc0/serial_number". The string "MPSS.AT.2.0.c4.8-00034-8998_GEN_PACK-1" matches the output of "cat /dev/at_mdm0 & echo -e ati\\r > /dev/at_mdm0".
Qualcomm has a privacy policy covering these connections here: https://www.qualcomm.com/site/privacy/services (see the section "Qualcomm GNSS Assistance Service").
As to mitigations, perhaps disable the XTRA connections in gps.conf, re-implement the downloads using a faked user-agent string (random IDs etc.) and manually inject the downloaded satellite data into the GPS via the HAL.
———————————————————
Example decoded SUPL connection:
ULP-PDU ::= {
  length: 45
  version: Version ::= {
    maj: 2
    min: 0
    servind: 0
  }
  sessionID: SessionID ::= {
    setSessionID: SetSessionID ::= {
      sessionId: 0
      setId: 22 02 11 00 00 00 51 F5
    }
  }
  message: SUPLSTART ::= {
    sETCapabilities: SETCapabilities ::= {
      posTechnology: PosTechnology ::= {
        agpsSETassisted: FALSE
        agpsSETBased: TRUE
        autonomousGPS: TRUE
        aFLT: FALSE
        eCID: TRUE
        eOTD: FALSE
        oTDOA: FALSE
      }
      prefMethod: 2 (noPreference)
      posProtocol: PosProtocol ::= {
        tia801: FALSE
        rrlp: TRUE
        rrc: FALSE
        ver2-PosProtocol-extension: Ver2-PosProtocol-extension ::= {
          lpp: FALSE
          posProtocolVersionRRLP: PosProtocolVersion3GPP ::= {
            majorVersionField: 13
            technicalVersionField: 0
            editorialVersionField: 0
          }
        }
      }
    }
    locationId: LocationId ::= {
      cellInfo: LteCellInformation ::= {
        cellGlobalIdEUTRA: CellGlobalIdEUTRA ::= {
          plmn-Identity: PLMN-Identity ::= {
            mcc: MCC ::= {
              2
              2
              2
            }
            mnc: MNC ::= {
              0
              1
            }
          }
          cellIdentity: 00 19 B0 10 (4 bits unused)
        }
        physCellId: 1
        trackingAreaCode: 00 07
        rsrpResult: 68
        rsrqResult: 27
        tA: 2
      }
      status: 1 (current)
    }
    qoP: QoP ::= {
      horacc: 19
      maxLocAge: 0
      delay: 7
    }
  }
}
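The identifiers the report points to, pulled out of both captures; this is an added example, not code from the report or from the /e/ project. The slot names are labels chosen here after the quoted snprintf() call, and reading the SUPL setId octets as swapped-nibble BCD digits is an assumption, cross-checked against the MCC/MNC in the same payload.

```python
# Added example, not code from the report. Slot names follow the quoted snprintf().
UA_SLOTS = ("tag", "release", "manufacturer", "model", "board", "slot5",
            "client", "izat_dev_id", "slot8", "chipset_serial", "slot10",
            "brand", "slot12", "slot13", "firmware")
# Slots that do not change between requests, so a server can link them.
STABLE_SLOTS = ("izat_dev_id", "chipset_serial")

# Values copied from the captures quoted in the report.
UA_SHORT = "User-Agent:A/10/Google/Pixel#2/walleye/unknown/QCX3/l3413608899667772867/-/367973139/-/google/607/608/-"
UA_LONG = "User-Agent:A/10/Google/Pixel#2/walleye/unknown/QCX3/l3413608899667772867/-/367973139/-/google/225/226/00:BOOT.XF.1.2.2.c1-00051-M8998LZB-2+01:TZ.BF.4.0.6-00245+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.8-00023-8998_GEN_PACK-1.262258.2.274106.1+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00060+15:SLPI.HB.2.0.c3-00016-M8998AZL-1"
SET_ID = "22 02 11 00 00 00 51 F5"


def parse_xtra_user_agent(header):
    """Split an XTRA User-Agent header into the slots of the quoted format."""
    if header.lower().startswith("user-agent:"):
        header = header.split(":", 1)[1]
    parts = header.strip().split("/", len(UA_SLOTS) - 1)
    if len(parts) != len(UA_SLOTS) or parts[0] != "A":
        raise ValueError("not an XTRA user-agent string")
    ua = dict(zip(UA_SLOTS, parts))
    # The last slot is "-" or "+"-joined "<image id>:<build>" pairs.
    pairs = (item.split(":", 1) for item in ua["firmware"].split("+") if ":" in item)
    ua["firmware"] = dict(pairs)
    return ua


def decode_swapped_bcd(hex_octets):
    """Decode swapped-nibble BCD digits; 0xF is the filler for odd lengths."""
    digits = []
    for octet in bytes.fromhex(hex_octets):
        for nibble in (octet & 0x0F, octet >> 4):   # low nibble comes first
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError("not a BCD digit: %#x" % nibble)
            digits.append(str(nibble))
    return "".join(digits)


if __name__ == "__main__":
    for header in (UA_SHORT, UA_LONG):
        ua = parse_xtra_user_agent(header)
        print({slot: ua[slot] for slot in STABLE_SLOTS}, ua["firmware"].get("11"))
    digits = decode_swapped_bcd(SET_ID)
    print("setId digits:", digits, "MCC", digits[:3], "MNC", digits[3:5])
```

Both user-agent strings carry the same two stable values, and the first five setId digits equal the PLMN reported in cellGlobalIdEUTRA.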
Remove dependencies on external and partially hidden connections to SUPL services.
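A static check for the gps.conf part of the mitigations in the report, as an added example that is not part of this issue or of any /e/ code. The key names (SUPL_HOST, SUPL_PORT, XTRA_SERVER_1..3) are the ones used in Qualcomm-style gps.conf files, both sample files are constructed, and treating a removed XTRA_SERVER entry as "disabled" is an assumption to verify per device.

```python
import ipaddress
from urllib.parse import urlsplit

# Keys that name an assistance server (assumed set; vendor builds may add others).
ENDPOINT_KEYS = ("SUPL_HOST", "XTRA_SERVER_1", "XTRA_SERVER_2", "XTRA_SERVER_3")

# Constructed samples, not taken from a real device.
STOCK_CONF = """\
# constructed sample
XTRA_SERVER_1=http://xtrapath1.izatcloud.net/xtra3grcej.bin
SUPL_HOST=supl.google.com
SUPL_PORT=7275
"""
PATCHED_CONF = """\
# XTRA_SERVER_1=http://xtrapath1.izatcloud.net/xtra3grcej.bin
SUPL_HOST=localhost
SUPL_PORT=7275
"""


def host_of(value):
    """Return the host of a URL, or the value itself for a bare hostname."""
    return (urlsplit(value).hostname or "") if "://" in value else value


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a DNS name other than localhost
        return False


def remote_endpoints(conf_text):
    """Map each assistance-server key to its host when that host is not loopback."""
    findings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENDPOINT_KEYS and value and not is_loopback(host_of(value)):
            findings[key] = host_of(value)
    # An empty result covers this file only, not the CarrierConfigManager default.
    return findings


if __name__ == "__main__":
    print(remote_endpoints(STOCK_CONF), remote_endpoints(PATCHED_CONF))
```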
What does it bring?
Protects users from personal data collection and supports degoogling.
Examples
Validation
Checklist
- [ ] License
- Translations
- Documentation
- Test plan