Smartphones with Qualcomm chips were found to send private user information, including IP address, unique ID and mobile country code, back to the U.S. chipmaker, according to a report by the German security company Nitrokey first released on April 25.
Such personal information was sent "without user consent, unencrypted, and even when using a Google-free Android distribution," said the report.
Nitrokey tested a Sony Xperia XA2 smartphone that was equipped with a Qualcomm Snapdragon 630 chip and had /e/OS installed, an open-source version of Android free of Google services.
No SIM card was inserted in the phone, nor was the GPS location service turned on. The device could only access the internet through WiFi.
The company monitored the data with Wireshark, a network traffic analysis software, and found that the data was transmitted to the izatcloud.net server, which is attributed to Qualcomm.
The report said the data packages were "sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS," making them vulnerable to attacks as anyone with access to the network "can easily spy on us by collecting this data, store them, and establish a record history using the phone's unique ID and serial number Qualcomm is sending over to their mysteriously called Izat Cloud."
It added that the data sharing with Qualcomm is not mentioned in the terms of service from Sony or Android or /e/OS, which violated the General Data Protection Regulation.
While a Sony smartphone was used, Nitrokey said "many more Android phones," such as Fairphone, that use popular Qualcomm chips are likely to be affected.
Qualcomm's response
The chipmaker responded in a statement sent to Nitrokey that the data sharing was in accordance with its XTRA Service Privacy Policy.
"Through these software applications, we may collect location data, unique identifiers (such as a chipset serial number or international subscriber ID), data about the applications installed and/or running on the device, configuration data such as the make, model, and wireless carrier, the operating system and version data, software build data, and data about the performance of the device such as performance of the chipset, battery use, and thermal data," said the statement.
In its statement sent to cybernews.com, Qualcomm called the Nitrokey report "riddled with inaccuracies and appears to be motivated by the author's desire to sell his product," and noted that it only collects personal data permitted by applicable law.
Nitrokey said, however, that the chipmaker did not originally mention that IP addresses were being collected, but added IP addresses to its data collection list after the research was completed.
'Not a backdoor'
The report triggered heated discussion after its release.
A Reddit post said that Nitrokey had proved a backdoor in Qualcomm chips, which the security firm denied, saying it did not discover a backdoor, and "this is not a backdoor."
British tech news website The Register said that the Izat Cloud, part of Qualcomm's XTRA service, is "basically a way to make GPS more precise and reliable while reducing use of energy-intensive radio hardware."
It cited a source familiar with Qualcomm technology saying that all chipmakers "are going to have all kinds of different fetches that they're going to make [over the network]."
On the other hand, The Register cautioned that data transmission on mobile devices can cause problems in high-risk environments, in that "network identifiers such as IP addresses can be considered personal data, particularly when paired with hardware identifiers or other sorts of data."
Martijn Braam, an IT expert, said in his critique titled "Nitrokey disappoints me" that what's in the HTTP traffic "does not contain any private data" but just downloads a GPS almanac from Qualcomm for A-GPS, which is to "make getting a GPS fix quicker and more reliable."
Also, "The thing that gets leaked is your IP address which is required because that's how you connect to things on the internet. This system does not actually send any of your private information like the title of the article claims," Braam said.
He added the feature "happens in practically all devices that have both GPS and internet," and also called the Nitrokey article a marketing piece for selling their own phones.