Location tracking for individuals is child’s play nowadays. Modern smartphones are equipped with a tiny chip that can talk to a group of satellites and help users navigate without a hiccup.

Although people often call it GPS (Global Positioning System), newer location hardware can connect to multiple constellations besides GPS. For example, Russia (formerly Soviet Union) developed GLONASS (Global’naya Navigatsionnaya Sputnikovaya Sistema) as an alternative to the US-made GPS.

Timeline of GLONASS

With the release of Android 7.0 Nougat, Google added official support for multiple constellations alongside GPS. Android can now recognize GPS, GLONASS, BEIDOU (China), GALILEO (European Union), QZSS (Japan) and generic SBAS signals.

Collectively, these are called Global Navigation Satellite Systems (GNSS).

Smartphone makers have started to incorporate dual-frequency GNSS chips in order to improve location accuracy. A dual-frequency receiver can listen to more than one radio signal from each satellite, on different frequencies.

Qualcomm Snapdragon 855 supports Dual frequency GNSS

Xiaomi’s Mi 8 was one of the first major Android smartphones launched with out-of-the-box support for dual-frequency GPS. Besides L1 and L5 for GPS, it also supports Galileo’s E1 and E5a.

Mainstream flagships are also adopting the design, as some variants of the Samsung Galaxy S10 do support dual-frequency location tracking signals. Honor View 20 is another popular smartphone having this feature.

However, there are several other techniques to achieve improved location data. There is a widely used technology called assisted GPS (A-GPS) which is used by devices to get a faster time to first fix (TTFF) with the help of nearby cellular towers.

A-GPS is particularly useful indoors, where satellite signal reception is often poor. The architecture smartphones use to communicate with A-GPS providers is called Secure User-Plane Location (SUPL).

AGPS settings in Xiaomi phones

Readers may remember that Team PiunikaWeb investigated the A-GPS implementations of popular smartphone vendors and uncovered a number of discrepancies.

For example, Xiaomi (Pocophone as well) is using state-owned China Telecom servers as the SUPL provider in MIUI. The practice is not limited to Chinese Xiaomi phones; it applies to global models as well.

On the other hand, OnePlus engineers deliberately overrode standard AOSP policies and shipped a debug build of gps.conf in OxygenOS. It can be used to download positioning almanac data over the internet from Qualcomm-operated servers insecurely.


When we contacted OnePlus, they got back to us (albeit after a long delay) and assured us that the issue would be fixed in subsequent updates.


For the downloading under XTRA, the device is reading the address in Modem NV config, which is going through HTTPS instead of HTTP, and GPS.conf has been already ignored, so the XTRA config won’t be working. Thanks for the feedback anyways, and we will Synchronize the GPS.conf to HTTPS in the upcoming updates to fix the issue.

The Shenzhen-based OEM rolled out a new set of Open Beta builds for OnePlus 5/5T and 6/6T yesterday. For a detailed description as well as download links for the OTA updates, you can take a look at this article.


Although the changelog did not mention it, we found that OnePlus silently removed the insecure entries and enabled XTRA data verification support. Now that’s a surprising move.
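
To check a gps.conf for the plaintext download entries described above, a short audit script helps. This is an added example, not code from the article or from OnePlus; the key names follow the KEY=VALUE syntax of AOSP-style gps.conf files, and the sample content and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample in gps.conf KEY=VALUE syntax; hosts are placeholders,
# not the entries from the OnePlus firmware.
SAMPLE_GPS_CONF = """\
# XTRA assistance data sources
XTRA_SERVER_1=http://xtra1.example.invalid/xtra3grc.bin
XTRA_SERVER_2=https://xtra2.example.invalid/xtra3grc.bin
#XTRA_SERVER_3=http://xtra3.example.invalid/xtra3grc.bin
NTP_SERVER=time.example.invalid
SUPL_HOST=supl.example.invalid
SUPL_PORT=7275
"""


def parse_conf(text):
    """Yield (line_no, key, value, active) for every KEY=VALUE line.
    Commented-out assignments come back with active=False."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        active = not line.startswith("#")
        line = line.lstrip("#").strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key or " " in key:
            continue  # prose comment that happens to contain '='
        yield line_no, key, value.strip(), active


def audit(text):
    """Return findings for entries that fetch data over plaintext HTTP."""
    findings = []
    for line_no, key, value, active in parse_conf(text):
        url = urlsplit(value)
        if url.scheme.lower() == "http":
            findings.append({
                "line": line_no, "key": key, "host": url.hostname,
                "status": "active" if active else "commented out",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GPS_CONF):
        print(f"line {f['line']}: {f['key']} -> {f['host']} ({f['status']})")
```

Reporting commented-out entries separately lets a reviewer tell a disabled line apart from one that was removed from the firmware image.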


Wait, there’s more!

When we reported our findings to OnePlus, Oxygen Updater contributor Some_Random_Username also noticed that some of the Global Terrestrial Positioning (GTP) server addresses hardcoded in the OxygenOS firmware had faulty HTTPS certificates.


Qualcomm uses the GTP servers for enumerating Wi-Fi positioning system (WPS) data. The IZat Cloud servers are directly operated by Qualcomm, but the TLS certificates they use are untrusted.


The bug hunter representative quickly replied and suggested that the GTP AP functionality was disabled on OnePlus phones.


Some_Random_Username suggested that those configs should be edited (at least commented out) as the feature set was not used by the phones. The OnePlus guy seconded the suggestion.


However, the suggestion did not make its way to the current Open Beta release. Although this issue is less significant than the previous one, a quick mitigation is always appreciated.

How often do you use GPS on your phone?


Kingshuk De