fedops blog

Privacy in Computing

Thu 08 July 2021

Ungoogling My Computing Part 3

Posted by fedops in Phone   

This is part 3 in a series of getting rid of Google in my computing. See the beginning and index here: Introduction.

So the phone is there, the network environment is set up, and it's time to go through the initial setup of the device and its preinstalled applications. To keep it confined to the test bed it will be used without a SIM card for now, but access to the Wifi is configured during initial setup.

Facts:

Bought: 22-Jun-2021
Software version: EMUI 11.0.0.180(C432E3R4P3)
Security patch level: 1 March 2021

Initial Setup Wizard

Compared to the Google Android setup Huawei's version is quite different.

A very clearly structured multi-step setup asks for opt-in/opt-out to the various functionalities and cloud services offered. This includes Huawei ID setup, Hicloud connectivity, and enabling advanced functions that require network access and data transfer.

Everything can be disabled or opted-out of. Setup of the phone is possible in completely offline mode. Of special interest is the fact that there is no forced creation of any online accounts, with Huawei or otherwise.

Every item configured has a button to read the privacy statement, declaration of data use, and reasoning for the transfer of data. The wording is precise and nothing is deliberately obfuscated. Whether those declarations tell the complete story is another question of course, one to be investigated later.

Some items must be configured post-setup, see below.

Preinstalled Apps

The phone does come with a number of preinstalled applications. Some can be uninstalled, for example:

  • Bing and Microsoft Office
  • Huawei Weather, Translate, Info, Member Centre, Health, Find Device, Email, and Calculator apps

All of these were uninstalled.

Apps that could not be uninstalled but could be disabled included AI Touch, a shopping assistant. It can be disabled under Huawei Assistant. I moved all of the other Huawei add-on applications except the browser into their own folder tucked away on the second screen so I wouldn't accidentally start them.

The standard keyboard is Swiftkey, a debatable choice. See below.

Default Permissions

Some permissions are set to enabled by default. For example the location permission for AI Voice, Huawei's voice recognition assistant. It can be turned off under Location in Settings.

Another one is Wifi scanning even when location services are turned off - sneaky. It can be disabled under Location --> Advanced Settings.

Ad-hoc Changes

A few adjustments can be made before testing begins.

This included going into Settings, there into Home Screen & Wallpaper, and then Magazine Unlock. This function connects to various Huawei services to download new screen lock background images each time after the screen has been unlocked. It can be turned off, in which case the images already on the device remain in rotation forever.

The Huawei Assistant can be turned off by pinching the home screen to bring up the menu, then going into Settings and there into Huawei Assistant.

An interesting item is found under Settings --> More Connections --> Private DNS. According to the online Techbone Huawei User Manual this can be used to configure a manual or automatic connection to an encrypted DNS service. I turned it off since it would interfere with our testing.

Initial Testing

These first test cases were performed within the test bed environment to monitor online activities. Packet forwarding to the Internet was disabled except as noted below.

Cold Start of P40 Pro

Startup of the phone.

DNS lookups were performed to these servers/sites:

api.cloud.huawei.com.
configserver.platform.hicloud.com.
connectivitycheck.cbg-app.huawei.com.
connectivitycheck.platform.hicloud.com.
dnkeeper.hicloud.com.
events-dre.op.hicloud.com.
grs.dbankcloud.asia.
grs.dbankcloud.cn.
grs.dbankcloud.com.
grs.dbankcloud.eu.
ntp.sjtu.edu.cn.
query.hicloud.com.
sdkserver-dre.op.hicloud.com.
shepherd.sb.avast.com.
sp-8f237ea3.honzik.avcdn.net.
1.cn.pool.ntp.org.
time.nist.gov.
time.windows.com.

At a later time I re-ran the power-on process with packet forwarding to the Internet enabled and additionally also captured the traffic in huawei-startup.cap. Analysis of this trace shows these connections:

Packets      Comment
91-93        direct HTTPS connection to Akamai server without prior DNS lookup
165-176      HTTPS with Akamai
364-367ff    50union.com wasn't blocked in DNS
387-390ff    Lookup and connect to Chinese malware scan site; most data is download (malware lists?)
855/856      50union, 360safe, os-lb are all the same Chinese malware scan sites

At first glance we see a number of cloud endpoints in huawei.com, hicloud.com, and various dbankcloud.* domains. Apart from the normal connectivity checks this also seems to involve checking for configuration updates - possibly for things like updated APN lists for cellular providers, but maybe also for other things.

Of interest are connections to a cloud-based virus checker by Avast, and a number of separate endpoints such as 50union, 360safe, and os-lb, which apparently are all operated by the same company. Details are scarce but I believe those sites to also offer a malware scanning service.

Rounding out the initial activity are attempted connections to a number of NTP servers run by Chinese universities, NTP.org, and funnily enough also NIST and Microsoft.

Already apparent in this snapshot is a remarkable structure of services inside Huawei which are split out over dozens of domains and subdomains.

Software Update Check

The next test was to run a software update check. The firewall enabled access to the Internet for a few minutes to allow the device to complete the check and download any update that would be available. The result, though, was that there wasn't any, even though the security patch was already 3 months out of date.

DNS lookups in chronological order:

[01] info: 192.168.5.11 grs.dbankcloud.com. A IN
[02] info: 192.168.5.11 query.hicloud.com. A IN
[03] info: 192.168.5.11 configserver.platform.hicloud.com. A IN
[04] info: 192.168.5.11 connectivitycheck.platform.hicloud.com. A IN
[05] info: 192.168.5.11 pushtrs.push.hicloud.com. A IN
[06] info: 192.168.5.11 telemetry.api.swiftkey.com. A IN
[07] info: 192.168.5.11 tigger-citadel.touchtype-fluency.com. A IN
[08] info: 192.168.5.11 snippetdata.api.swiftkey.com. A IN
[09] info: 192.168.5.11 bibo.api.swiftkey.com. A IN
[10] info: 192.168.5.11 token-dre.push.dbankcloud.com. A IN
[11] info: 192.168.5.11 cloud-bibo-verizon-clsprd-eun.azureedge.net. A IN
[12] info: 192.168.5.11 www.google.com. A IN
[13] info: 192.168.5.11 www.amazon.com. A IN
[14] info: 192.168.5.11 228.168.217.172.in-addr.arpa. PTR IN
[15] info: 192.168.5.11 13.10.249.13.in-addr.arpa. PTR IN
[16] info: 192.168.5.11 ntp.sjtu.edu.cn. A IN
[17] info: 192.168.5.11 sdkserver-dre.op.hicloud.com. A IN
[18] info: 192.168.5.11 grs.dbankcloud.com. A IN
[19] info: 192.168.5.11 api.cloud.huawei.com. A IN
[20] info: 192.168.5.11 h5hosting.dbankcdn.com. A IN
[21] info: 192.168.5.11 dnkeeper.hicloud.com. A IN
[22] info: 192.168.5.11 configserver-dre.platform.hicloud.com. A IN
[23] info: 192.168.5.11 go.microsoft.com. A IN
[24] info: 192.168.5.11 securetime.playready.microsoft.com. A IN

Lines 01-05 are Huawei-bound traffic. Lines 06-09 and 11 are the included Swiftkey keyboard phoning home to its servers. 12-15 are forward and reverse lookups for the main Google and Amazon sites, with Microsoft rounding out the biggest technology offenders in the last two lines. It appears those three are triggered by SDKs or other frameworks used in the included applications.

As a general rule I'd recommend disabling the automatic periodic update check and setting it to manual only. When running the check, some of the blacklisted servers must be temporarily allowed through. These are:

query.hicloud.com
configserver.platform.hicloud.com
update.dbankcdn.com
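To make the classification in the log analysis above repeatable, here is a small added script (my own example, not something from the post or from Huawei) that parses log lines in the same "[NN] info: client name. type IN" format, groups the queried names by the operator families identified above (Huawei/hicloud/dbankcloud, Swiftkey, Google/Amazon/Microsoft, reverse lookups), and applies the recommended policy: block the listed families by default and temporarily allow only the three update-check hosts while a manual update check is running. The sample log lines are constructed to mirror the ones quoted above; the category names, the `decide()` policy and the attribution of azureedge.net to Swiftkey (line 11 in the post) are my assumptions.

```python
from collections import defaultdict

# Constructed sample in the format of the DNS log quoted in the post:
# "[NN] info: <client-ip> <queried-name>. <type> IN"
SAMPLE_LOG = """\
[01] info: 192.168.5.11 grs.dbankcloud.com. A IN
[02] info: 192.168.5.11 query.hicloud.com. A IN
[03] info: 192.168.5.11 configserver.platform.hicloud.com. A IN
[06] info: 192.168.5.11 telemetry.api.swiftkey.com. A IN
[07] info: 192.168.5.11 tigger-citadel.touchtype-fluency.com. A IN
[11] info: 192.168.5.11 cloud-bibo-verizon-clsprd-eun.azureedge.net. A IN
[12] info: 192.168.5.11 www.google.com. A IN
[13] info: 192.168.5.11 www.amazon.com. A IN
[14] info: 192.168.5.11 228.168.217.172.in-addr.arpa. PTR IN
[20] info: 192.168.5.11 h5hosting.dbankcdn.com. A IN
[24] info: 192.168.5.11 securetime.playready.microsoft.com. A IN
"""

# Domain suffix -> operator family. Matched on DNS label boundaries, longest
# suffix first. The family names are an assumption for this example.
CATEGORIES = {
    "huawei.com": "huawei", "hicloud.com": "huawei",
    "dbankcloud.com": "huawei", "dbankcloud.cn": "huawei",
    "dbankcloud.eu": "huawei", "dbankcloud.asia": "huawei",
    "dbankcdn.com": "huawei",
    "swiftkey.com": "swiftkey", "touchtype-fluency.com": "swiftkey",
    "azureedge.net": "swiftkey",   # assumption: CDN host used by Swiftkey
    "google.com": "big-tech", "amazon.com": "big-tech",
    "microsoft.com": "big-tech",
    "in-addr.arpa": "reverse-lookup", "ip6.arpa": "reverse-lookup",
}

# Families blocked by default on the test bed firewall.
BLOCKED_CATEGORIES = {"huawei", "swiftkey", "big-tech"}

# Hosts that must be let through while a manual update check runs (from the post).
UPDATE_CHECK_ALLOW = {
    "query.hicloud.com",
    "configserver.platform.hicloud.com",
    "update.dbankcdn.com",
}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "info:" or parts[5] != "IN":
        return None
    return {
        "seq": int(parts[0].strip("[]")),
        "client": parts[2],
        "name": parts[3].rstrip(".").lower(),   # drop the trailing root dot
        "qtype": parts[4],
    }


def classify(name):
    """Map a queried name to an operator family by its longest known suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORIES:
            return CATEGORIES[suffix]
    return "other"


def summarize(log_text):
    """Group every queried name in the log by family, preserving log order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[classify(rec["name"])].append(rec["name"])
    return dict(groups)


def decide(name, update_check_active=False):
    """Firewall verdict for a name: blocked families are denied, except that the
    update-check hosts are allowed while a manual update check is in progress."""
    name = name.lower().rstrip(".")
    if update_check_active and name in UPDATE_CHECK_ALLOW:
        return "allow"
    if classify(name) in BLOCKED_CATEGORIES:
        return "block"
    return "allow"


if __name__ == "__main__":
    for family, names in summarize(SAMPLE_LOG).items():
        print(f"{family}:")
        for n in names:
            print(f"  {n}  -> {decide(n)} (during update check: {decide(n, True)})")
```

Run against a real resolver log, the "other" bucket is the interesting one: anything landing there is a name the blocklist has not classified yet and deserves a look, which is exactly how the 50union/360safe hosts slipped through in the startup trace.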

Connectivity Checks

At certain intervals the phone executes a connectivity check. This seems to be approximately every 4-5 minutes while the phone is at rest and hasn't been woken up by user interaction (or, I assume, programmed timers). After about 1-2 cycles the phone seems to enter a deep sleep mode during which connectivity checks are performed about once per hour until it is woken up again.

Connectivity checks are also performed more frequently while the phone is in active use.

The checks attempt to connect to these servers both via IPv4 as well as IPv6:

connectivitycheck.platform.hicloud.com
connectivitycheck.cbg-app.huawei.com

This traffic is not sent via the VPN tunnel but directly out the Wifi or, if enabled, cellular data interfaces.

Unsurprisingly, blocking these checks results in the phone displaying a small "!" next to the Wifi symbol to indicate issues with network connectivity.

The Huawei Chrome browser included with the OS will also display a "network connection issues" screen occasionally. A click on the "Refresh" button will then cause it to proceed to the actual requested web page. None of the other browsers tested do this.
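The awake/deep-sleep cadence described above can be read straight off a timestamped resolver log. The following is an added example of mine, not code from the post: it takes log lines of the form "<ISO timestamp> <queried name>", keeps only queries for the two connectivity-check hosts, computes the gap to the previous check, and labels each gap as the "awake" cadence (a few minutes) or the "deep-sleep" cadence (about an hour). The timestamps are constructed, and the thresholds in `phase()` are my assumptions derived from the intervals quoted above.

```python
from datetime import datetime

# The two connectivity-check hosts named in the post.
CHECK_HOSTS = {
    "connectivitycheck.platform.hicloud.com",
    "connectivitycheck.cbg-app.huawei.com",
}

# Constructed timestamped log: a few minutes of resting cadence, then hourly checks.
SAMPLE_LOG = """\
2021-07-01T10:00:00 connectivitycheck.platform.hicloud.com
2021-07-01T10:04:30 connectivitycheck.cbg-app.huawei.com
2021-07-01T10:09:10 connectivitycheck.platform.hicloud.com
2021-07-01T10:10:00 grs.dbankcloud.com
2021-07-01T11:09:00 connectivitycheck.platform.hicloud.com
2021-07-01T12:08:40 connectivitycheck.platform.hicloud.com
"""


def check_gaps(log_text):
    """Return (timestamp, name, seconds since previous check) for each
    connectivity-check query; the first entry has gap None."""
    out = []
    previous = None
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        stamp, name = datetime.fromisoformat(parts[0]), parts[1].rstrip(".").lower()
        if name not in CHECK_HOSTS:
            continue   # e.g. cloud-sync traffic, not a connectivity check
        gap = None if previous is None else int((stamp - previous).total_seconds())
        out.append((stamp, name, gap))
        previous = stamp
    return out


def phase(gap_seconds):
    """Label a gap between checks. Thresholds are assumptions based on the
    observed ~4-5 minute resting cadence and ~1 hour deep-sleep cadence."""
    if gap_seconds is None:
        return "first"
    if gap_seconds <= 600:          # up to 10 minutes: phone awake / resting
        return "awake"
    if 2700 <= gap_seconds <= 4500:  # 45-75 minutes: hourly deep-sleep check
        return "deep-sleep"
    return "irregular"               # e.g. the phone was off or blocked


def phases(log_text):
    """Phase label for every gap after the first check, in log order."""
    return [phase(gap) for _, _, gap in check_gaps(log_text)[1:]]


if __name__ == "__main__":
    for stamp, name, gap in check_gaps(SAMPLE_LOG):
        print(f"{stamp.isoformat()}  {name:40s}  gap={gap}  {phase(gap)}")
```

An "irregular" stretch is worth correlating with the firewall log: since the checks bypass the VPN tunnel, a gap that does not fit either cadence usually means the phone was blocked from reaching the hosts rather than asleep.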

Cloud Sync

Not part of the connectivity check, but also running regularly while the phone is awake and about every 30 minutes during sleep time, are attempts to contact these servers, again over both IPv4 and IPv6:

configserver-dre.platform.hicloud.com
grs.dbankcloud.com/.cn/.eu/.asia
servicesupport2.hicloud.com
sdkserver-dre.op.hicloud.com
events-dre.op.hicloud.com
app-measurement.com

Those seem to be background activities attempting to synchronize with the Huawei cloud storage. The traffic uses the VPN tunnel connection. app-measurement.com is just one of the by-now "normal" application trackers which is blacklisted by pretty much every blocklist out there.

Findings & Considerations So Far

The results so far:

The Huawei phone can be set up in completely offline fashion, and many services can be disabled in the initial configuration wizard. It is not necessary to register an account with Huawei or with anyone else to use the phone. There is relatively little "bloatware" included with the phone; some of the apps can be uninstalled while others cannot.

Even so the phone contacts an extensive list of Huawei-associated addresses plus a small number of other sites. Some of the included applications try to access those services at every start, sometimes even following every action within the app.

There are no Google services being contacted by the standard complement of apps except during the software update check. The standard search engine is set to Bing which can be easily changed to the engine of least distrust.

The standard keyboard used is Swiftkey which creates concerning network traffic. As the keyboard is the #1 vector for keylogging attempts it MUST be replaced with something trustworthy. Unfortunately it cannot be uninstalled, just disabled. Even so it will from time to time try to phone home to its servers. Openboard or Florisboard are acceptable alternatives available from F-Droid. The quality of predictive text input and autocorrect of the latter is not yet on par with any of the commercial offerings, but it shows good development progress in its short life so far.

The phone creates next to no background traffic when not in use, unlike Google and Amazon Fire devices.

Use of the fingerprint sensor does not generate any suspicious network activity.

I hope you'll join us again next time when we'll present you with another story of gripping, spine-tingling suspense and more log files to read... ;-)