OnePlus phones caught downloading GPS data over unsafe channels
What's the story
OnePlus phones have always been impressive, but a new report suggests the A-GPS system of the 'flagship killers' is plagued by a critical issue. PiunikaWeb reports that the system has been rigged to download position data over insecure channels. The issue, which can have some serious consequences, has been reported and will be fixed in a future update. Here are the details.
Issue
OnePlus engineers overrode AOSP policies
After a recent investigation of OnePlus' OxygenOS, PiunikaWeb discovered that the engineers from the company have been overriding the standard policies of the Android Open Source Project. They have been shipping a debug build of gps.conf, a text-based configuration file, with the OS, enabling insecure XTRA data servers. This could pose a major risk to the security of OnePlus customers.
Risk
How this poses a threat to customers
Normally, the XTRA system, developed by Qualcomm, enables GPS receivers to pull positioning data over the internet from Qualcomm-operated servers. It enables faster GPS access, but with this particular change, OnePlus phones could download positioning almanac data from insecure HTTP channels. This insecure data transmission could ultimately allow an attacker to carry out a man-in-the-middle attack and get hold or modify the data.
Information
How an attacker could harm you
In a man-in-the-middle attack, a bad actor relays/alters the communication between two parties who believe they are directly communicating. Here, the attacker could modify positioning data being transmitted from the insecure server to lead you to a completely different location which can be dangerous.
Report
Problem reported to OnePlus
Following the discovery, PiunkiaWeb verified the issue with LineageOS contributor Louis Popi and - after receiving a confirmation - filed a bug report on the OnePlus forum. In response, the company claimed that gps.conf isn't being utilized to download positioning data on the phones from the XTRA servers and that they're aware of the issue and will fix it "in the upcoming updates."
Quote
Here's what Jeff H. from OnePlus Bug Hunter team said
"The device is reading the address in Modem NV config, which is going through HTTPS instead of HTTP, and gps.conf has been already ignored, so the XTRA config won't be working," Jeff said, noting that they "will synchronize the gps.conf to HTTPS."
Continued use
However, PiunikaWeb says gps.conf is still in use
Though OnePlus says gps.conf is not being used, PiunikaWeb emphasized otherwise. They claimed the configuration file is still being utilized to execute data download over insecure channels and have submitted further evidence to the company. OnePlus has not responded yet but if the claims made are true, it should not take too much time to get an update out.