OnePlus reportedly collects phone data without user consent
Earlier, there were reports of OnePlus manipulating benchmarks and mounting displays incorrectly, but this time around, Moore, while participating in the SANS Holiday Hack Challenge, decided to check the internet traffic from his OnePlus 2 phone.
He used OWASP ZAP, a security tool for testing web applications. Interestingly, he found HTTPS requests being sent to a domain called open.oneplus.net, and decided to explore further.
After decrypting the traffic, he found that OxygenOS’s analytics regularly sends user data to OnePlus’s AWS servers. Further analysis showed that OnePlus was collecting the user’s phone number, MAC addresses, IMEI and IMSI codes, mobile network names, wireless network ESSID and BSSID, device serial number, and timestamps of when the user locks or unlocks the device, opens or closes an application, and turns the screen on or off.
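The check Moore made by hand can be automated once the traffic is decrypted. The following is an added example, not code from Moore, OnePlus or this article: it walks decrypted request bodies in the shape an intercepting proxy such as OWASP ZAP exposes them and flags fields that look like the identifiers listed above, using the Luhn check digit to tell an IMEI from an IMSI. Only the host open.oneplus.net and the identifier kinds come from the article; the field names, values and the second request are constructed.

```python
import json
import re

# Constructed sample of two decrypted requests in the shape an intercepting
# proxy such as OWASP ZAP exposes. Only the host open.oneplus.net and the
# identifier kinds come from the article; field names and values are invented.
SAMPLE_REQUESTS = [
    {"host": "open.oneplus.net", "body": json.dumps({
        "imei": "490154203237518", "imsi": "310260123456789",
        "wifi": {"essid": "home-net", "bssid": "a4:5e:60:1b:2c:3d"},
        "phone": "+14155550123", "serial": "ABC123XYZ",
        "events": [{"type": "screen_unlock", "ts": 1484000000}]})},
    {"host": "weather.example", "body": json.dumps({"city": "Oslo", "units": "c"})},
]

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)  # MAC / BSSID
PHONE_RE = re.compile(r"^\+\d{10,15}$")  # E.164-style number; bare ints are not flagged
NAME_HINTS = ("imei", "imsi", "essid", "bssid", "serial", "phone")

def luhn_ok(digits):
    # IMEIs end in a Luhn check digit, IMSIs do not: that tells the two apart
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(key, value):
    # Name the identifier kind a field looks like, by value first, then by key
    s = str(value)
    if MAC_RE.match(s):
        return "mac_or_bssid"
    if re.fullmatch(r"\d{15}", s):
        return "imei" if luhn_ok(s) else "imsi"
    if PHONE_RE.match(s):
        return "phone_number"
    return "named_identifier" if any(h in key.lower() for h in NAME_HINTS) else None

def walk(obj, prefix=""):
    # Yield (dotted.path, leaf value) pairs from arbitrarily nested JSON
    if not isinstance(obj, (dict, list)):
        yield prefix.rstrip("."), obj
        return
    for k, v in (obj.items() if isinstance(obj, dict) else enumerate(obj)):
        yield from walk(v, f"{prefix}{k}.")

def audit(requests):
    # One (host, field, kind) tuple per identifier found in any request body
    return [(r["host"], k, kind) for r in requests
            for k, v in walk(json.loads(r["body"])) if (kind := classify(k, v))]
```

Running `audit(SAMPLE_REQUESTS)` reports six identifiers, all bound for open.oneplus.net, and nothing for the weather request; the event timestamp is deliberately not mistaken for a phone number.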
Moore first blogged about this in January 2017, where he said: “I took to Twitter to ask OnePlus how this could be turned off, which disappointingly led down the usual path of ‘troubleshooting’ suggestions, before being met with radio silence.”
As reported by The Hacker News, this data collection had already been reported by a security researcher known as “Tux” in July 2016.
Moore’s research also found that the code behind this on-device analytics lives in OnePlus Device Manager and its provider, which are part of the system application OPDeviceManager.apk.
A OnePlus spokesperson, in an email response to ETtech, said: “We securely transmit analytics in two different streams over HTTPS to an AWS server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support. We do not share any analytics data with outside parties.”