Explanation of the network activity on a fresh CalyxOS install
Domains your device connects to
With CalyxOS, we have tried to reduce to as much as possible the number of network connections made by your phone. On this page, we document what domains your phone is connecting to and for what purpose.
These network connections are initiated by the operating system itself and cannot be changed.
|release.calyxinstitute.org||Used to check for Over-The-Air CalyxOS system updates.|
|connectivitycheck.gstatic.com||CalyxOS connects to this Google service to determine if the device can connect to the internet. If that domain is unreachable, it may also try www.google.com, play.googleapis.com, or (in China only) www.googleapis.cn. This can be turned off from Settings -> Network & internet -> Connectivity check|
|time.android.com||CalyxOS connects to this Google service to synchronize the device's internal clock.|
|xtrapath1.izatcloud.net||This is a service of Qualcomm to allow the baseband processor to more quickly achieve a lock on GPS satellites by downloading a list of the positions of known GPS satellites.|
These connections are made by apps in the default CalyxOS configuration. You can prevent these connections by removing or disabling the app.
|f-droid.org||F-Droid||The app repository for F-Droid, the preferred and default app store for CalyxOS. There are also mirrors at ftp-push.lysator.liu.se, plug-mirror.rcac.purdue.edu, and mirror.f-droid.org|
|fdroid-repo.calyxinstitute.org||F-Droid||On CalyxOS, F-Droid comes pre-configured with a special repository just for use with CalyxOS. This repository has highest priority and we use it to push out security fixes, necessary updates, and our own version of some apps that also exist in F-Droid.|
|mtalk.google.com||microG||If you have microG enabled, this service is used to receive push notifications (see below).|
|goolag.store||Aurora Store||If you use Aurora Store with anonymous credentials, it uses this service to grab the credentials.|
|android.clients.google.com||Aurora Store||Aurora Store will connect to this Google service in order to obtain an access token needed to access the Google Play Store catalog of apps.|
|play-lh.googleusercontent.com||Aurora Store||Aurora Store will connect to this Google service in order to load content from the Google Play Store.|
How does Calyx Institute use the data collected by releases.calyxinstitute.org?
We retain per-request logs for a short period of time before these logs are aggregated and destroyed. The per-request logs may include IP address, country of origin, and device model. The aggregated long term data includes total counts of requests by country and by device model.
Per-request logs are kept strictly private without Calyx Institute.
Why does CalyxOS still use servers run by Google?
We have considered replacing Google servers for updating the system time and for connectivity check but decided against it. Our position is that using Google servers provides better privacy in this situation by allowing CalyxOS users to hide among the crowd of every other Android device on earth. Imagine if every CalyxOS device was using non-standard servers for these core functions. If we did this, it would be trivially easy for a repressive state to instantly identify all the people running CalyxOS devices and potentially target them for scrutiny.
Additionally, in the case of connectivity check and time updates, Google does not get any meaningful information from your device. It can be turned off from Settings -> Network & internet -> Connectivity check
In the future, we may allow further configuration of these settings, although we still advise against doing so.
What is Qualcomm doing?
We don’t exactly know, because this is handled inside the baseband processor (a separate computer on your device that handles all the radios and wireless networking). The domain xtrapath1.izatcloud.net is used by the baseband to load a data file of GPS satellite positions. Unfortunately, this data is downloaded over plain text HTTP, and it’s use and parsing is handled by the “black box” of the baseband, which runs proprietary software and which we have no visibility into what it is actually doing.
This is from the Qualcomm privacy notice:
The Qualcomm GNSS Assistance Service downloads to your device a data file from QTI containing the predicted orbits of the Global Navigation Satellite System (GNSS) satellites. The Qualcomm GNSS Assistance Service also uploads a small amount of data to us comprised of: a randomly generated unique software ID that is not associated to you or to other IDs, the chipset name and serial number, the Qualcomm GNSS Assistance Service software version, the mobile country code(s) and network code(s) (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the date and time of connection to the server, the time since the last boot of the application processor and modem, and a list of QTI software on the device
In the future, we may choose to block this domain, causing longer initial location resolution when using GPS.