bcyj / android_tools_leeco_msm8996


Sending private data to zzhc.vnet.cn #1

Open drwetter opened 5 years ago

drwetter commented 5 years ago

Hello,

don't know who's in charge of this but I am seeking help.

I found on a recent Nokia phone in com.qualcomm.qti.autoregistration.apk the code from https://github.com/bcyj/android_tools_leeco_msm8996/blame/f242858a8cbb2c9ad9b5b2e53d75380ae775727a/qrdplus/ChinaTelecom/apps/AutoRegistration/src/com/qualcomm/qti/autoregistration/RegistrationTask.java which is sending various private data like IMEIs, CELLID, CCID, MAC address to zzhc.vnet.cn, see also thread @ https://twitter.com/drwetter/status/1081267425637814273 .

This is a breach of privacy!

Can you help to pass contact info to me from the people responsible so that this will be eliminated?

PythonLimited commented 4 years ago

I mean it's China... What do you expect. And also this apk in particular is included in every Board Support Package I've seen so far. You can simply delete the line in common/ to include the qrdplus. Then you don't get any preinstalled apps at all...

drwetter commented 4 years ago

And also this apk in particular is included in every Board Support Package I've seen so far.

I hope it's not, at least in Europe. Or at least not with this line.

https://www.translatetheweb.com/?from=&to=en&dl=en&ref=trb&a=https%3A%2F%2Fnrkbeta.no%2F2019%2F03%2F21%2Fnorske-telefoner-sendte-personopplysninger-til-kina%2F
https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia-7-plus-was-sending-personal-data-to-china/
https://twitter.com/Reuters/status/1108666467627749376
https://www.zdnet.com/article/nokia-firmware-blunder-sent-some-user-data-to-china/

PythonLimited commented 4 years ago

Well, the OEM holds the responsibility for editing the preloaded apps. If they don't care it's probably going to end up in the final product.

PythonLimited commented 4 years ago

And I mean, like stated in the article you linked: "Our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus." That indicates that they forgot to remove it. Qcom just ships these with all their source releases. So not a fault on their side.

drwetter commented 4 years ago

You assume the owner of this Repo is Qualcomm. I still don't know who it is.

IIRC I looked at the APK after the fix. I can't remember finding this after decompiling, but maybe I am mistaken. It's some time back. And in the meantime the owner did a factory reset.

PythonLimited commented 4 years ago

You assume the owner of this Repo is Qualcomm. I still don't know who it is.

IIRC I looked at the APK after the fix. I can't remember finding this after decompiling, but maybe I am mistaken. It's some time back. And in the meantime the owner did a factory reset.

I think I need to clarify some things here. First, what you're looking at is a Board Support Package, or BSP for short. It's the source code for a qcom chipset which includes all drivers for wifi, camera, nfc, qmi (qualcomm modem interface) etc...

Secondly, this is proprietary, you shouldn't be looking at this, and in the future this is hopefully DMCA'd like all other repos.

Normally you sign an NDA to get these, and only via your company. What I mean by that is that you have to either work for qcom, or work at a company which is a smartphone manufacturer who has a partnership with qcom for their devices.

So to get those in charge, ask Qualcomm.

P.S. if you search for: -> filename."AU_INFO.txt" <- on GitHub in the code section you can get about 15 of those BSPs, some dating back to 2014, others from 2019/2020. Some even include the modem/aboot (aka fastboot/bootloader) code which is not included in a BSP.

PythonLimited commented 4 years ago

Android developers/hackers just love them as it enables them to keep devices updated unofficially by editing the libraries to be compatible with the specific camera sensors, or sensors like rotation, etc... or find vulnerabilities in the otherwise closed source.

drwetter commented 4 years ago

Thanks for the heads up, that sheds some light on it.

However, while the term proprietary may be what Qualcomm aimed for, it's utterly ridiculous, at least if it is an apk which I can pull from a phone and decompile :-) Don't know, they still live in the past.

Secondly, this is proprietary, you shouldn't be looking at this, and in the future this is hopefully DMCA'd like all other repos.

What is that supposed to mean? It's out there. Are you aware how this thing called internet works?

PythonLimited commented 4 years ago

Ik, but I mean if you look at GitHub's DMCA list they take down those repos like every two years or so. But still there are other ways to get your hands on one of these :)