Network Connections - DivestOS Mobile

Network Connections¶

Here is a list of expected network connections for security/verification purposes.
Address key:

✅ - should not contain any of the following: personal information, device identifiers, or other persistent identifiers.
❌ - known to contain personal information or identifiers.
❓ - has not been sufficiently reviewed

Carrier Services¶Connections to a cellular carrier if/when a SIM is inserted.

Note: These connections are largely routed over the cellular interface and when routed over the Wi-Fi interface will bypass any used VPN even with `Block connections` enabled.

Voice over LTE (VoLTE): An IPsec tunnel for making calls and sending SMS messages.
Voice over Wi-Fi (VoWiFi): Like VoLTE, but routed over connected Wi-Fi networks. DivestOS does not support VoWiFi due to privacy concerns.
Multimedia Messaging Service (MMS): Used to send & receive MMS messages such as picture messages or group SMS chats.
Rich Communication Services (RCS): A modern replacement for SMS & MMS. DivestOS does not support RCS due to it being a fundamentally broken and proprietary replacement.
Visual VoiceMail (VVM): Used to listen to & manage voicemail messages in the Phone app. Can be disabled: Phone > 3dot > Settings > Voicemail > Visual voicemail.
Carrier Wi-Fi: Used to connect automatically to public Wi-Fi hotspots at partnered stores/businesses. DivestOS does not support Carrier Wi-Fi due to privacy concerns.

Domain Name System (DNS)¶when connecting to servers via a domain name

Purpose: Used to resolve domains to IP addresses when making connections to websites and services.
Notes:

This is overridden by activated cellular/Wi-Fi network or by the user chosen 'Private DNS'.
DivestOS 17.1 and higher offers thirteen presets for `Private DNS` since 2021/11/08, users are strongly recommended to take advantage of them.

Fallback: Quad9 - privacy policy

✅ 9.9.9.9
✅ 149.112.112.112
✅ 2620:fe::fe
✅ 2620:fe::9

Internet Connectivity Checks¶every connection change

Purpose: Used to determine if a given network interface truly has an Internet connection and if there is a captive portal which needs to be accepted by the user.
Notes:

Can be disabled (14.1+) or changed (18.1+) in Settings.
When a VPN is used, this connection is performed twice: once outside of the VPN and once through the VPN, even when `Block connections` is enabled.
DivestOS 18.1 and higher offers nine presets for the `Internet Connectivity Check` server since 2023/01/23, users are strongly recommended to take advantage of them.

Default: Google - privacy policy

✅ http://connectivitycheck.gstatic.com/generate_204
✅ https://www.google.com/generate_204
✅ http://www.google.com/gen_204
✅ http://play.googleapis.com/generate_204

Optional: DivestOS - privacy policy

✅ http://divestos.org/generate_204
✅ https://divestos.org/generate_204

Network Time Protocol (NTP)¶on every boot, periodically afterwards, and additionally when actively using GPS

Purpose: Used to have an accurate system time.
Note: NTP is still polled even when `Set time automatically` is disabled in Settings. DivestOS 18.1+ builds after 2023/02/18 do not have this issue.

Default: volunteer pool - privacy policy

✅ 2.android.pool.ntp.org

Predicted Satellite Data Service (PSDS)¶when actively using GPS

Purpose: Used to speedup the process of acquiring a GPS lock.

Qualcomm devices

DivestOS has removed the IZat NLP from all devices since 2017-01.
Devices utilizing xtra-daemon to make this request will not do so as it has been removed since 2017-01.
Devices that grant the location stack access to serial number via the sysfs_soc label will be denied access since 2023-05-03.
Devices that use a source built libloc will not include this information since 2023-05-05.
To summarize (as of 2023/11/01):
- These devices will not make the request since 2017-01: akari, akatsuki, alioth, Amber, apollon, aura, aurora, avicii, axon7, barbet, beryllium, blueline, bonito, bramble, cheeseburger, cheryl, coral, crosshatch, davinci, dipper, discovery, dumpling, enchilada, equuleus, fajita, flame, FP3, FP4, griffin, guacamole, guacamoleb, h830, h850, h870, h910, h918, h990, hotdog, hotdogb, instantnoodle, instantnoodlep, jasmine_sprout, kebab, kirin, lavender, lemonade, lemonadep, lemonades, lmi, ls997, marlin, mata, mermaid, Mi8917, Mi8937, oneplus3, pioneer, platina, polaris, pro1, pro1x, redfin, rs988, sailfish, sargo, sunfish, taimen, twolip, ursa, us996, us997, vayu, voyager, vs995, walleye, wayne, whyred, xz2c, z2_plus
- These devices cannot read the serial since 2023-05-03: blueline, bonito, bramble, cheryl, coral, crosshatch, discovery, flame, FP3, jactivelte, jflteatt, jfltespr, jfltevzw, jfltexx, jfvelte, kccat6, kirin, lentislte, mako, marlin, mata, mermaid, Mi8917, Mi8937, pioneer, pro1, redfin, sailfish, sargo, serrano3gxx, serranodsdd, serranoltexx, shamu, sunfish, taimen, voyager, walleye
- These devices may make the request but have the information removed since 2023-05-05: athene, bacon, clark/17.1, crackling, d800, d801, d802, d803, d850, d851, d852, d855, ether, f400, FP2, h811, h815, ham, harpia, hlte, kipper, klte, ls990, m8, m8d, merlin, oneplus2, osprey, serrano3gxx, serranodsdd, serranoltexx, surnia, vs985, Z00T
- These devices may make the request but use an older version which may not contain the information: apollo, d2att, d2spr, d2tmo, d2vzw, deb, debx, flo, flox, hammerhead, i9100, i9300, i9305, jactivelte, jflteatt, jfltespr, jfltevzw, jfltexx, jfvelte, m7, mako, n5100, n5110, n5120, thor, victara
- These devices may make the request with all the information included: angler, bullhead, himaul, himawl, nex
- All devices not listed above must be assumed to make the request with all information included.

❌ https://{,xtra}path[1-9].izatcloud.net/xtra{,2,3grc}.bin - includes Android version, device manufacturer & model, carrier, and chipset serial number.

Broadcom devices such as Samsung Exynos, Google Tensor, and NVIDIA Tegra

✅ https://gllto.glpals.com/7day/v5/latest/lto2.dat
✅ https://gllto.glpals.com/rto/v1/latest/rto.dat
✅ https://gllto.glpals.com/rtistatus4.dat

Secure User Plane Location (SUPL)¶when actively using GPS

Purpose: Used to speedup the process of acquiring a GPS lock and to provide your location when placing a call to emergency services.
Notes:

The carrier/SIM along with emergency calls can override this server.
DivestOS 17.1 and higher can disable SUPL via Settings > Location > Force disable SUPL toggle since 2023/02/11.
DivestOS 14.1 through 16.0 can disable SUPL by removing the `supl` APN type from the selected APN via Settings.
This typically includes the IMSI with these requests, however thanks to @MSe1969, DivestOS has not done so since 2019/06/02.
This typically is used with both MSA (server calculates location) and MSB (device calculates location) modes, however DivestOS has disabled the MSA mode of operation since 2018/08/08 due to privacy concerns.

Fallback: Google - privacy policy

❌ tls://supl.google.com:727X - Includes MCC, MNC, and potentially visible cell towers & their signal strengths.

Updater¶default weekly

Purpose: Used to check for and download system updates.
Note: Can be disabled in Settings > Updater.

DivestOS - privacy policy

✅ https://divestos.org/updater.php?base=$BASE&device=$DEVICE&inc=$BUILD_ID
✅ https://divestos.org/mirror.php?base=$BASE&file=$FILE
✅ https://divestos.org/builds/$BASE/$DEVICE/divested-$VERSION-$DATE-dos-$DEVICE(-$INCREMENTAL).zip

Remote Keystore Provisioning¶when the pool runs low

Purpose: Used by some apps for hardware backed keystore attestation. Brief overview here.
Notes:

This is primarily only used on modern Google Pixel devices (4+).
DivestOS would like to offer a proxy for this service, however does not currently have the available resources to do so.

Google - privacy policy

❓ https://remoteprovisioning.googleapis.com

App Link Verification¶

Purpose: When installing an app that has defined links it wants the system to open it with by default, the system will contact the server of each declared domain to verify if it has permission to do so.
Note: Can be disabled by revoking `Network` permission to the `Intent Filter Verification Service` system app, however you will have to approve opener links manually then.

F-Droid Repositories¶default daily

Purpose: Used to browse, install, and update apps.
Note: Can be disabled in F-Droid > Settings.
Note: These repos may have additional mirrors set which files are downloaded from.

✅ https://f-droid.org/repo/ - privacy policy
✅ https://divestos.org/apks/official/fdroid/repo - privacy policy
✅ https://divestos.org/apks/unofficial/fdroid/repo - default disabled - privacy policy
✅ https://guardianproject.info/fdroid/ - default disabled - privacy policy
✅ https://apt.izzysoft.de/fdroid/ - default disabled - privacy policy
✅ https://microg.org/fdroid/repo - default disabled

Mull¶

Mull disables a lot of the typical requests that official/vanilla Firefox makes, however still does depend on various services as noted below.

Mozilla - privacy policy

✅ https://content-signature-2.cdn.mozilla.net - Used for signing/verification of all other requests.
✅ https://firefox.settings.services.mozilla.com - Used for altering various browser settings on demand and to apply monkeypatches for critical issues.
❓ https://firefox-settings-attachments.cdn.mozilla.net - Used for miscellaneous databases.
✅ https://shavar.services.mozilla.com - Used for various databases and primary indexes.
✅ https://tracking-protection.cdn.mozilla.net - Used for Enhanced Tracking Protection (ETP) blocklists.

✅ https://addons.mozilla.org - Used for add-on browsing.
❓ https://blocked.cdn.mozilla.net - Used for add-on revocation checks and for reporting abusive add-ons.
✅ https://services.addons.mozilla.org - Used for add-on downloads.
✅ https://versioncheck.addons.mozilla.org - Used to determine if installed add-ons need updating. Includes CPU type.

Additionals

❓ https://duckduckgo.com - Default search engine - privacy policy - Can be changed via Settings > Search.
✅ Auto completion for a chosen search engine is performed by default. Can be disabled via Settings > Search > Show search suggestions.

✅ Online Certificate Status Protocol (OCSP) servers may be queried to determine certificate revocation status when certificate stapling isn't used or to confirm a CRLite match.

Mulch¶

Mulch disables the majority of the typical Chromium requests and has no explicit telemetry.

Google - privacy policy

❓ https://update.googleapis.com - Used for altering various browser settings and to check for newer internal databases and extensions served by Omaha. Includes CPU type, amount of RAM, and major OS version. These databases can be seen via the chrome://components page.
✅ https://edgedl.gvt1.com - Used to download internal databases and extensions.
- Alternate: https://www.google.com/dl/
- Alternate: https://dl.google.com

Hypatia¶not pre-installed, not automatic

Purpose: Used to download and update malware signature databases.

DivestOS - privacy policy

✅ https://divested.dev/MalwareScannerSignatures/*.h*b.gz

microG¶not pre-installed, not supported, not recommended

Purpose: Used to enable extra functionality in apps that depend on the Google Play Services

Google - privacy policy

See all connections on the upstream documentation