[GLOBAL] X2 Pro random connections to Chinese servers

davwheat

Member
Aug 2, 2013
I've been doing some short investigation around the X2 Pro.

It seems like the device connects to some Chinese servers throughout the day. During my tests, these happened at random times: 18:53, 19:37, 18:47.

The IP it connected to was 223.202.200.150 and the connection was encrypted with TLS so I couldn't see the contents of the packets but I know it was connecting via HTTP.

That IP seems to be an Alibaba Cloud Computing server run by Oppo (ColorOS).

It's around 430 bytes sent each time over different ports. Initially it's 443 (as expected for TLS) but then changes to ports 40634, 40712, 41798, or 42036. It seems to be random.

The server it was connecting to was https://classify.apps.coloros.com/. It seems to fire whenever you install a new app. It's likely fetching an app category and storing it somewhere. This would be how it makes those auto-named app folders in the launcher, I assume.

------------------------------------------------------------------------------------------------------------------------

Following on from this, I adjusted my Wireshark filter to include any server with "oppo", "realme", "coloros", or any IPs in China and found some more servers:

Server Name: guif-eu.coloros.com
Server Name: languagef-eu.coloros.com
Server Name: ifota-eu.coloros.com (OTAs, I assume)
Server Name: ifota-eu.realmemobile.com (more OTAs...?)
Server Name: ifsau-eu.coloros.com
Server Name: i6-eu.weather.oppomobile.com (I think we can guess this one...)
Server Name: state.dc.oppomobile.com
Server Name: confe.dc.oppomobile.com

There's even more than this which I've included in my full list in the 2nd post.

Some of these refuse to connect in the browser, and others return 401 Unauthorised headers. It would be interesting at least to know exactly what data is being sent to each of these servers. Each of the servers is an AWS Cloud Compute server based in France. I'm not sure if the location is whichever is closest to the user, but I'd assume so.

The issue is that the Chinese government can request the data on any server that is hosted in China. For all we know, the AWS servers could just be a non-suspicious front end which forwards all the data to their actual servers in China, trying to hide that from us. We just don't know.

(Thanks to Gamr13 on the Realme Discord for giving me the idea :p)

davwheat

Member
Aug 2, 2013
classify.apps.coloros.com
Request sent when an app is installed. Likely to check what 'category' it is for auto-naming folders on the stock launcher.
********
guif-eu.coloros.com
Unknown.
********
languagef-eu.coloros.com
Unknown.
********
ifota-eu.coloros.com
Request sent when checking for new system updates. Unknown why there are two servers -- maybe a remnant from ColorOS?
********
ifota-eu.realmemobile.com
Request sent when checking for new system updates. Unknown why there are two servers -- maybe a remnant from ColorOS?
********
ifsau-eu.coloros.com
Unknown.
********
i6-eu.weather.oppomobile.com
Weather service.
********
i6.weather.oppomobile.com
Weather service.
********
file-eu.weather.oppomobile.com
Weather-related. I hope this isn't what it sounds like it could be... (file?)
********
state.dc.oppomobile.com
Unknown.
********
confe.dc.oppomobile.com
Unknown.
********
smartcardf-eu.apps.coloros.com
Unknown.
********
proxyeu.apps.coloros.com
Unknown. Sounds like it could be an EU-based proxy for forwarding connections to China.
********
clonephonefs.coloros.com
Unknown. Seems to correspond with the Clone Phone notification when you first set up your phone.
********
guifsf-coloros-com.oss-ap-southeast-1.aliyuncs.com
Unknown. Alibaba Cloud Computing service.
********
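The SNI-based Wireshark filtering described in the first post, as an added example that is not from the thread: a small Python parser that pulls the server name out of a TLS ClientHello and labels it against the vendor domain suffixes that appear in the list above. The suffix list, the sample ClientHello and the function names are constructed for this demo.

```python
"""Extract the TLS SNI from a ClientHello and flag hosts under the vendor domains listed in this thread."""
import struct

# Suffixes derived from the hostnames in the list above (assumed, not an exhaustive vendor list).
VENDOR_SUFFIXES = ("coloros.com", "oppomobile.com", "realmemobile.com", "aliyuncs.com")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample input)."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host                 # name_type = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                                      # client_version, random
            + b"\x00"                                                        # session_id length 0
            + b"\x00\x02\x13\x01"                                            # one cipher suite
            + b"\x01\x00"                                                    # compression: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)                     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record header


def extract_sni(record: bytes):
    """Walk a TLS handshake record and return the SNI host_name, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                        # handshake header, version, random
    pos += 1 + hs[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + hs[pos]                                      # compression_methods
    if pos + 2 > len(hs):
        return None
    ext_end = min(len(hs), pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                      # server_name extension
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def classify(host):
    """Label a hostname as 'vendor' when it sits at or under one of the suffixes above."""
    if host is None:
        return "no-sni"
    if any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES):
        return "vendor"
    return "other"
```

Feeding captured ClientHello payloads to `extract_sni` and then `classify` reproduces the thread's filter on a packet-by-packet basis without relying on DNS answers.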

ZenoDiac

Member
Dec 10, 2019
Yes, they 100% collect, forward (between jurisdictions) and store information located on their servers in the People's Republic of China.
Information includes, and is not limited to, usage behaviour, face/fingerprint ID, voice, financial info (when you buy products), location, sleep patterns etc. Pretty much everything you can think of.
All of this is explained in their Privacy Policy and they state everything they are allowed to take.
Go to About Phone>Legal information.
When you use this ColorOS or Realme UI operating system, you agree to these terms.
And according to the User Agreement, one is technically not even allowed to analyze the software (i.e. O.P.'s post information) or have pornography on the phone.

You can (probably?) negate this by switching to another OS, but unless you do it straight out of the box, it might already be too late: entering your information even once, like during first-day startup, will have your information stored on the PRC servers for an undisclosed amount of time (probably forever).

Sharma_Ji

Senior Member
Oct 17, 2016
Somebody pointed out on Telegram that their image thumbnails are getting stored in the logs folder and getting uploaded as well.
Might be for their face matching and sorting algorithm in the stock gallery, because this is the first phone or app which I have seen do on-device machine learning by sorting pics according to their faces (in the case if it doesn't upload images for)

Be it Google Photos, Xiaomi Gallery, etc., all identify faces after you upload the pics to their cloud.

nuserame

Senior Member
Sep 2, 2014
I wish I had seen this thread before I ordered the phone…

If the phone is rooted, you could probably use AdAway to block those domains and IP address, but will fingerprint and face unlock still work? Or even without root you could use DNS66 or DNSfilter, both available on F-Droid, to block those domains and IP address. When my phone arrives, I will test this solution.

Can I use adb to remove certain offending apps without unlocking the bootloader? (Thinking about Widevine L1 vs L3)

Sharma_Ji

Senior Member
Oct 17, 2016
> I wish I had seen this thread before I ordered the phone…
>
> If the phone is rooted, you could probably use AdAway to block those domains and IP address, but will fingerprint and face unlock still work? Or even without root you could use DNS66 or DNSfilter, both available on F-Droid, to block those domains and IP address. When my phone arrives, I will test this solution.
>
> Can I use adb to remove certain offending apps without unlocking the bootloader? (Thinking about Widevine L1 vs L3)

If you care this much about privacy, you could unlock and use any of the N number of custom ROMs available for this device.
Everything will work, except L3.

Jerry08

Senior Member
Oct 17, 2013
As for files which are uploaded, everything from the ColorOS folder (I don't know how it is in RUI, as I was only using it for a few hours while it was in beta) that's in internal storage is being uploaded. Some of the files there are encrypted, which leads me to think they are very sensitive data.