Option to switch servers instead of disabling SUPL / Captive Portal

d3sox · 13 September 2025 16:50

Is iodeOS still using supl.vodafone.com / supl.google.com (same thing) as a SUPL server? I couldn’t find information on this.
If yes why is the only other option to disable it? Couldn’t we have a privacy-respecting alternative (for example Graphene’s server) like with the Captive Portal?

I’d find it best if both were user-configurable.

rik · 15 September 2025 19:54

I’m checking on this.

rik · 17 September 2025 16:17

The feedback is that “there is no freely available privacy-respecting supl server that we know of besides the Graphene one you mention”, and we aren’t sure if it would be a good idea to use theirs.

So the work to build out the user configurable nature isn’t worth it at this point until we would identify that there are alternatives that would be possible.

d3sox · 17 September 2025 16:21

Maybe you could talk to the guys at Graphene if it would be okay to use their server.

But their “server” is actually just a proxy. So another option might be for iode to also host one.

Here is the NGINX config for it

github.com/GrapheneOS/grapheneos.network

nginx/nginx.conf

0cade05af


      
          ssl_session_ticket_key /etc/session-ticket-keys/3.key;
          ssl_session_ticket_key /etc/session-ticket-keys/2.key;
          ssl_session_ticket_key /etc/session-ticket-keys/1.key;
          ssl_session_timeout 1d;
          
          log_format main "$connection $protocol $remote_addr $server_port $ssl_session_reused $ssl_protocol $ssl_cipher $ssl_server_name "
              "$status $bytes_received $bytes_sent $session_time "
              "$upstream_connect_time/$upstream_first_byte_time/$upstream_session_time";
          access_log syslog:server=unix:/dev/log,nohostname main;
          
          upstream supl.google.com {
              zone supl.google.com 128k;
              server supl.google.com:7275 max_conns=1024 max_fails=0 resolve;
          }
          
          # Qualcomm and Samsung SUPL lack support for SNI
          server {
              listen 7275 default_server ssl backlog=4096;
              listen [::]:7275 default_server ssl backlog=4096;
          
              # Older Qualcomm SUPL devices also lack support for ECDHE

Here is Graphene’s announcement GrapheneOS: "Our next release will override carrier selected S…" - GrapheneOS Mastodon

I see why allowing for a custom server might be too much. My main concern is that iode is sending this directly to Google servers, making it possible for them to assign the data to you.

rik · 17 September 2025 16:29

Regarding collaboration, I sent you a DM on that topic. To your other points, let me pass this back to the devs for some more feedback.

d3sox · 8 November 2025 00:20

Any updates on this? I find it a bit spooky that every time my devices uses location it directly contacts Google servers. I even double-checked this and found DNS requests for supl.google.com As a ROM that advertises privacy, I think this should be a higher priority.

Because currently you’re options are either

send associable data to Google
location sucks (very bad time to first fix, especially with cold starts)

rik · 9 November 2025 15:24

From our documentation:

In iodéOS, a patch to avoid leaking device identifiers (IMEI, IMSI) and phone number to SUPL servers while maintaining A-GPS functionality is implemented, and is now intergrated upstream in LineageOS.

d3sox · 9 November 2025 15:30

Yeah, still your device is contacting Google with your IP sending the data directly which could go through a proxy like on graphene where to Google it looks like one single entity does all these requests, which is really no big effort to set up. Just use any NGINX server running on a VPS and set the DNS entries for it. Then update iodeOS to use that proxy.

It also wouldn’t be that difficult to add a setting where the user can just define the server. Then I can just use Graphene’s because I don’t care about this unnecessary beef

The same for the Captive Portal as already mentioned in this discussion,

Just give the user the freedom to choose if you don’t want to do all that above