I've been taking a closer look at the WebOS side of my Palm Pre tonight, and I noticed that it periodically uploads information to Palm, Inc.
The first thing sent is intended to be my GPS location. It's the same location I get if I open the map app on the Pre. Not very accurate in this case, but I've seen it be accurate enough to find my house before.
{ "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }
Here they can tell every WebOS app I use, and for how long.
{ "appid": "com.palm.app.phone", "event": "close", "timestamp": 1250006362 }
{ "appid": "com.palm.app.messaging", "event": "launch", "timestamp": 1250006422 }
{ "appid": "com.palm.app.messaging", "event": "close", "timestamp": 1250006446 }
It sends the above info on a daily basis.
2009-08-10t09:15:10z upload /var/context/pending/1249895710-contextfile.gz.contextlog ok rdx-30681971
2009-08-11t09:15:10z upload /var/context/pending/1249982110-contextfile.gz.contextlog ok rdx-31306808
There is also some info that is recorded when a WebOS app crashes. Now, I've seen WebOS crash hard a time or two, but it turns out apps are crashing fairly frequently behind the scenes, and each such crash is logged and a system state snapshot taken. At least some of these are uploaded, though if things are crashing a whole lot it will be throttled.
2009-08-09T17:01:22Z upload /var/log/rdxd/pending/rdxd_log_59.tgz OK RDX-30246857
2009-08-09T17:05:36Z upload /var/log/rdxd/pending/rdxd_log_26.tgz OK RDX-30249465
2009-08-09T17:09:11Z upload /var/log/rdxd/pending/rdxd_log_56.tgz OK RDX-30252374
2009-08-09T17:11:46Z upload /var/log/rdxd/pending/rdxd_log_70.tgz OK RDX-30253958
2009-08-09T17:16:29Z upload /var/log/rdxd/pending/rdxd_log_67.tgz ERR_UPLOAD_THROTTLED_DAILY
2009-08-09T17:17:28Z upload /var/log/rdxd/pending/rdxd_log_51.tgz ERR_UPLOAD_THROTTLED_DAILY
2009-08-09T17:20:40Z upload /var/log/rdxd/pending/rdxd_log_21.tgz ERR_UPLOAD_THROTTLED_DAILY
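The upload log lines quoted above share one shape: timestamp, the word upload, file path, status, and an ID when the upload went through. As an added example (not part of the original post), the function below summarises such a log per pending directory, which is a quick way to confirm that no new OK entries appear once the uploaders are disabled. It reads stdin because the post does not give the log's path; the function names are made up for this example and the sample lines are copied unchanged from the post.

```shell
#!/bin/sh
# Added example: summarise uploadd log lines (format as quoted in the post).

# Sample input: six of the log lines quoted in the post, unchanged.
sample_log() {
cat <<'EOF'
2009-08-10t09:15:10z upload /var/context/pending/1249895710-contextfile.gz.contextlog ok rdx-30681971
2009-08-11t09:15:10z upload /var/context/pending/1249982110-contextfile.gz.contextlog ok rdx-31306808
2009-08-09T17:01:22Z upload /var/log/rdxd/pending/rdxd_log_59.tgz OK RDX-30246857
2009-08-09T17:05:36Z upload /var/log/rdxd/pending/rdxd_log_26.tgz OK RDX-30249465
2009-08-09T17:16:29Z upload /var/log/rdxd/pending/rdxd_log_67.tgz ERR_UPLOAD_THROTTLED_DAILY
2009-08-09T17:17:28Z upload /var/log/rdxd/pending/rdxd_log_51.tgz ERR_UPLOAD_THROTTLED_DAILY
EOF
}

# Reads log lines on stdin. For each source directory, prints how many
# uploads completed, how many were throttled, and the timestamp of the
# last completed one (last in file order; the log is chronological).
summarize_uploads() {
    awk '
    $2 == "upload" {
        dir = $3
        sub(/\/[^\/]*$/, "", dir)      # drop the file name, keep the directory
        status = toupper($4)           # the quoted lines use both "ok" and "OK"
        seen[dir] = 1
        if (status == "OK") { ok[dir]++; last[dir] = toupper($1) }
        else if (status ~ /THROTTLED/) thr[dir]++
        else other[dir]++
    }
    END {
        for (d in seen)
            printf "%s ok=%d throttled=%d other=%d last_ok=%s\n",
                   d, ok[d], thr[d], other[d], ((d in last) ? last[d] : "-")
    }' | sort
}

# Stand-alone run: summarise the sample lines.
sample_log | summarize_uploads
```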
Each tarball contains a kernel dmesg, syslog, a manifest.txt listing all installed ipkg packages (including third-party apps), a backtrace of the crash, a df (from which they can tell I'm using Debian on the phone), and ps -f output listing all processes owned by root (but not by joey).
The uploading is handled by uploadd, which reads /etc/uploadd.conf:
[SERVER=rdx]
RepositoryURL=https://<HOST>/palmcsext/prefRequest?prefkey=APPLICATIONS,RDX_SRV
UploadURL=https://<HOST>/palmcsext/RDFileReceiver
[SERVER=context]
RepositoryURL=https://<HOST>/palmcsext/prefRequest?prefkey=APPLICATIONS,RDX_SRV
UploadURL=https://<HOST>//palmcsext/RDFileReceiver
The "HOST" this is sent to via https is ps.palmws.com.
My approach to disable this, which may not stick across WebOS upgrades, was to comment out the 'exec' line in /etc/event.d/uploadd and reboot.
However, then I noticed a contextupload process running. This is started by dbus, so the best way to disable it seems to be:
rm /usr/bin/contextupload
BTW, since Palm has lawyers, they have a privacy policy, which covers their ass fairly well regarding all this, without going into details or making clear that the above data is being uploaded.
Update: WebOS upgrades do re-enable the spyware; this has to be repeated after each upgrade.
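Since the two changes have to be checked again after every upgrade, here is a small script that reports whether either upload path is live and re-applies both changes. It is an added example, not part of the original post: the function names and the ROOT argument (empty for the live phone, or a scratch directory holding copies of the files) are made up for illustration, and it assumes the job file starts uploadd from a line beginning with exec, as the post describes.

```shell
#!/bin/sh
# Added example. ROOT is "" for the live phone, or a scratch directory
# containing etc/event.d/uploadd and usr/bin/contextupload (hypothetical
# parameter, used so the script can be tried without touching the phone).

# Print what is still able to upload; return 1 if anything is.
upload_status() {
    root="${1:-}"; job="$root/etc/event.d/uploadd"; active=0
    # A line starting with "exec" (not "#exec") means uploadd gets started.
    if [ -f "$job" ] && grep -q '^[[:space:]]*exec[[:space:]]' "$job"; then
        echo "ACTIVE uploadd: live exec line in $job"; active=1
    fi
    if [ -e "$root/usr/bin/contextupload" ]; then
        echo "ACTIVE contextupload: $root/usr/bin/contextupload present"; active=1
    fi
    if [ "$active" -eq 0 ]; then echo "both upload paths disabled"; fi
    return "$active"
}

# Re-apply the two changes from the post. Safe to run repeatedly.
disable_uploads() {
    root="${1:-}"; job="$root/etc/event.d/uploadd"
    if [ -f "$job" ]; then
        # Rewrite through a variable so no backup or temp file is left in
        # event.d next to the job; bail out before writing if sed fails.
        new=$(sed 's/^\([[:space:]]*\)\(exec[[:space:]]\)/\1#\2/' "$job") || return 1
        printf '%s\n' "$new" > "$job"
    fi
    rm -f "$root/usr/bin/contextupload"
}

# Usage: script check [ROOT]   or   script disable [ROOT]
# The exec change only takes effect after a reboot, as in the post.
case "${1:-}" in
    check)   upload_status "${2:-}" ;;
    disable) disable_uploads "${2:-}" && upload_status "${2:-}" ;;
esac
```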
Previously: Debian chroot on Palm Pre, debian desktop via vnc on the palm pre
Sprint already has a log of every web server I visit with my Pre via EVDO. Sprint already has a log of my gps track whenever I use google maps or sprint nav. Sprint already has a log of every email address I get email from or to. Sprint already has a log of every phone number I get or make a call to. Sprint already has a log of every sms message I get or make. Sprint has the ability to have a log of every cell tower I ping into. Sprint has the ability to read every email I send or receive.
What, exactly, is it that I'm risking in terms of my privacy that palm gets crash logs and usage time of apps again?
Yawn. Who cares?
Man in the middle: http://www.webos-internals.org/wiki/Decrypt_SSL_(trusted_man-in-the-middle_technique)
I wanted to do this for a while to see how synergy worked, but never configured it.
You don't use TLS/SSL for your Email?
psykoyiko, you have an excellent point, and that relative openness (you can even build your own kernel!) is why I got the Pre in the first place.
To clarify, I didn't monitor traffic, I only looked at the log files I posted. You can easily google how to get root on the Pre if you'd like to do the same.
Also, since I forgot to mention -- the Pre has some location privacy settings, and a backup service. Obviously, if you enable the backup service, you're telling it to transmit your preferences and account info and so on to Palm. But not the info I've found here. The location privacy settings allow you to turn off the GPS, which someone reports does prevent location being logged and sent. It also allows you to turn off reporting of location information to Google.
But nowhere is there a setting to disable sending these logs to Palm. The existence of these other privacy settings thus makes the Pre's behavior even more unexpected and jarring.
I'm a relatively new Pre owner, so forgive me if this is not news.
I just recently got the OTA update from webOS version 1.4 to version 1.4.1.1 (Sprint). When I went to go back and re-edit uploadd and re-remove contextupload, I was surprised to find that the "exec" line in the former was still commented out, and the latter was still not there. Has this always been the case with minor updates, or might this have to do with the new way that Palm packages the update files?