last updated: 2023/07/20 - Acronyms: - GNSS global navigation satellite system https://en.wikipedia.org/wiki/Satellite_navigation - A-GNSS assisted GNSS https://en.wikipedia.org/wiki/Assisted_GNSS - SBAS satellite based augmentation systems https://en.wikipedia.org/wiki/GNSS_augmentation - GBAS ground based augmentation systems https://en.wikipedia.org/wiki/GNSS_augmentation - TTFF time to first fix https://en.wikipedia.org/wiki/Time_to_first_fix - NLP network location provider https://en.wikipedia.org/wiki/Wi-Fi_positioning_system - PSDS predicted satellite data service - SUPL secure user plane location https://en.wikipedia.org/wiki/Assisted_GPS#SUPL - MSA mobile station assisted https://en.wikipedia.org/wiki/Assisted_GPS#Modes_of_operation - MSB mobile station based https://en.wikipedia.org/wiki/Assisted_GPS#Modes_of_operation - RRLP radio resource location services protocol https://en.wikipedia.org/wiki/Radio_resource_location_services_protocol - LPP location positioning protocol https://www.rohde-schwarz.com/br/file/LTE_LBS_White_Paper.pdf - LPPE LPP extensions - GNSS is any of GPS (US), GLONASS (RU), Beidou (CN), and Galileo (EU). - GNSS satellites can be further helped via SBAS and GBAS. - These are land towers or ocean buoys or even alternative satellites systems. - GNSS TTFF is slow due to the data rates and distances. - GNSS TTFF can be sped up by using PSDS or A-GNSS. - While waiting for a GNSS lock or when an accurate location isn't necessary a NLP can be used instead. - NLP does not reduce the GNSS TTFF. - NLP typically works by using Wi-Fi access points against a database of their locations and can be very accurate. - Examples of NLP are Google Play Services, Qualcomm IZat, and microG's UnifiedNlp. - Google and Qualcomm NLP handling performs lookups on their servers allowing them to effectively know your location. - UnifiedNlp has both online (eg. Ichnaea) and offline (eg. Deja Vu) databases. - Google NLP - Can be avoided by not having Google Play Services. - Likely is tied to your Google account. - Qualcomm NLP - Is typically opt-in. - Is not on all Qualcomm devices as they charge vendors extra to license it. - Includes lots of additional personal or device information: - "Qualcomm Location Service": https://www.qualcomm.com/site/privacy/services - DivestOS explicitly removes most of the Qualcomm location stack, including this NLP, since 2017/01. - A-GNSS control plane (needs more research/verification) - These are protocols such as RRLP, LPP, and LPPE - RRLP is a basic signal strength based mechanism to determine location - LPP extends that by taking into account the extra antennas that LTE has and their angles - LPPE extends that with extra sensor data like barometer and visible Wi-Fi networks - DivestOS has disabled LPP and LPPE since 2023/07/10: https://gitlab.com/divested-mobile/divestos-build/-/commit/f699e1bc86ff433d25dce3c8bda341fdcb8dc786 - A-GNSS user plane (SUPL) - SUPL is a two-way street, as in the server and client can ask each other to do things. - SUPL can provide the almanac as well as ephemeris data. - SUPL MSA works by the client sending the server everything it knows so the server can calculate location. - This mode allows the server to effectively know your location. - DivestOS has disabled MSA since 2018/08/08: https://gitlab.com/divested-mobile/divestos-build/-/commit/bf717204e3ecabb1c87201929fedc0ab9a4632cf - SUPL MSB works by the server sending everything it knows to the client so the client can calculate location. - SUPL requests may contain visible cell towers and their signal strengths. - SUPL (MSB) requests on Android typically include the IMSI, MCC, and MNC. - Kuketz publicized the IMSI issue first on 2018/10/04: https://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/ - Many aftermarket systems do not include the IMSI: - MSe1969 authored the original patch sometime around or before 2018/10/29 - DivestOS since 2019/06/02: https://gitlab.com/divested-mobile/divestos-build/-/commit/bb72bccbe - GrapheneOS since 2023/01/25: https://grapheneos.org/releases#2023012500 - DivestOS sent MSe1969's patch to GrapheneOS on 2021/08/08: https://github.com/GrapheneOS/platform_frameworks_base/pull/87 - CalyxOS since 2023/03/16: https://calyxos.org/news/2023/03/16/march-update/ - DivestOS sent MSe1969's patch to CalyxOS on 2021/08/08: https://gitlab.com/CalyxOS/calyxos/-/issues/618 - LineageOS 20.0 since 2023/03/12: https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/350287 - iodéOS since late 2021/early 2022? - Android uses supl.google.com as a fallback SUPL server. - Carrier config or SIM card can override this. - An emergency call can also override this. - This functionality may have been abused (by carriers) to gather accurate locations when not actually in an emergency call. - https://nvd.nist.gov/vuln/detail/CVE-2018-9526 - supl.google.com only supports MSB. - GrapheneOS provides a proxy override for this since 2023/03/04: https://grapheneos.org/releases#2023030400 - Some aftermarket systems change the fallback to supl.vodafone.com which is actually just a CNAME to supl.google.com. - Some aftermarket systems allow the user to disable use of SUPL: - GrapheneOS since 2023/02/10: https://grapheneos.org/releases#2023021000 - DivestOS 17.1+ since 2023/02/11: https://gitlab.com/divested-mobile/divestos-build/-/commit/49f5f1c6740eb36153af2cb8032322dcca7df84b - CalyxOS since 2023/03/16: https://calyxos.org/news/2023/03/16/march-update/ - LineageOS has this same SUPL/PSDS/XTRA toggle since 2023/06/06: https://review.lineageos.org/q/topic:agps - DivestOS & iodéOS also inherit this toggle on 20.0 - iodéOS since 2023/02/11? - PSDS is used to download the almanac of the current satellites and their paths. - Fetching this file over the Internet is much quicker than waiting for it to be slowly broadcasted. - This is typically a static request for a file. - Broadcom GPS chips (eg. Samsung Exynos, Google Tensor, and NVIDIA Tegra) - The PSDS server is typically defined by the carrier config. - Tensor devices use agnss.goog. - Others use the plain gllto.glpals.com. - DivestOS overrides Tensor to this as well since 2023/01/20: https://gitlab.com/divested-mobile/divestos-build/-/commit/9558a7d0e9a8de04c7c9b5c4c5cb637834ed52dc - GrapheneOS provides a proxy for this request since 2022/04/19: https://grapheneos.org/releases#2022041900 - The PSDS requests are performed by the Android system (frameworks/base), not the GPS stack. - These PSDS requests are not known to contain any personal or device information. - Qualcomm GPS chips - The PSDS server is typically defined by the GPS stack. - This is usually xtrapath[1-9].izatcloud.net. - The Android system could override the server chosen. - GrapheneOS provides a proxy override for this since 2023/05/05: https://grapheneos.org/releases#2023050500 - The PSDS requests are performed by the GPS stack, specifically xtra-daemon or libloc. - The PSDS requests have a User-Agent containing Android version, device manufacturer & model, carrier, and chipset serial number. - "Qualcomm GNSS Assistance Service": https://www.qualcomm.com/site/privacy/services - With `strings` this can be seen grep'ing for: `/sys/devices/soc0/serial_number` and `XTRA_UA` - With libloc source code access this can be seen as: setXtraUserAgent(), proc(), saveUserAgentString(), and getChipsetSerialNo() - The PSDS requests may be performed over plain-HTTP, especially if they were before 2018 or so - https://nvd.nist.gov/vuln/detail/CVE-2016-5341 - DivestOS has removed xtra-daemon since 2017/01: https://divestos.org/pages/network_connections#psds - DivestOS has removed serial number access since 2023/05/03 - DivestOS has removed the User-Agent from source-built libloc since 2023/05/05 - GrapheneOS removes serial number access and User-Agent from xtra-daemon since 2023/04/29: https://grapheneos.org/releases#2023042900 - CalyxOS removes serial number access since 2023/06/02: https://calyxos.org/news/2023/06/02/feature-update/ - LineageOS has this same patchset since 2023/06/09: https://review.lineageos.org/q/I6254ef6e160ff0d3c3ce2e51f20f557e75826dff - Some aftermarket systems allow the user to disable use of PSDS & XTRA: - GrapheneOS has a toggle since 2023/05/05: https://grapheneos.org/releases#2023050500 - CalyxOS has a toggle since 2023/06/02: https://calyxos.org/news/2023/06/02/feature-update/ - LineageOS has this same SUPL/PSDS/XTRA toggle since 2023/06/06: https://review.lineageos.org/q/topic:agps - DivestOS & iodéOS also inherit this toggle on 20.0 - TODO - Geofencing - DivestOS has disabled geofencing since 2018/09/19: https://gitlab.com/divested-mobile/divestos-build/-/commit/289b110d8f9644ccf1fc17388120d4e9bad886f3 - OMA-DM - DivestOS has removed OMA-DM blobs since 2017/01/25: https://gitlab.com/divested-mobile/divestos-build/-/commit/80a20859845e5cb4b071138d15929f2b8b11b2e2 - GrapheneOS has removed OMA-DM blobs since 2017/02/13: https://github.com/GrapheneOS-Archive/android-prepare-vendor/commit/ea4b42c617991607970471f6eee2615f29570dc4 - CalyxOS since ??? - CarrierLocationServices - DivestOS has removed CarrierLocation blobs since 2020/10/20: https://gitlab.com/divested-mobile/divestos-build/-/commit/0958df7de54fde71ba4ecb742bf76d80424d652d - GrapheneOS since ??? - CalyxOS since ??? See something wrong? Open an issue or merge request: - https://gitlab.com/Divested-Mobile/DivestOS-Website/-/blob/master/static/misc/gnss.txt - https://github.com/Divested-Mobile/DivestOS-Website/blob/master/static/misc/gnss.txt - https://codeberg.org/divested-mobile/divestos-website/src/branch/master/static/misc/gnss.txt