Company says that it is collecting data to enhance its software based on user behaviour
OnePlus smartphone users beware: the Chinese electronics company has been accused of collecting device and user data without users’ permission and sending it to its servers.
Christopher Moore, owner of a UK-based security and tech blog, has claimed in a detailed article on his Security and Tech Blog that OnePlus is constantly collecting user data without his knowledge. The data being sent to OnePlus servers included the phone’s IMEI numbers, phone numbers, MAC addresses, IMSI prefix, mobile network names, the phone’s serial number, and the ESSID and BSSID of wireless networks.
Moore discovered the leak during a hack challenge when he found that his OnePlus 2 was sending information, including unusual reboots, screen on/off, and unlocks, to open.oneplus.net. On further investigation, it was found that the domain name “open.oneplus.net” was owned by OnePlus and hosted on a US-based Amazon AWS server. Even worse, some of the data that OnePlus collected included user data such as reboot, charging, and screen timestamps as well as application timestamps.
“Those are timestamp ranges (again, unix epoch in milliseconds) of when I opened and closed applications on my phone. From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number,” Moore wrote in a blog post.
“These event data contain timestamps of which activities were fired up in which applications, again stamped with the phone’s serial number,” Moore explained on his website. “I took to Twitter to ask OnePlus on Twitter how this could be turned off, which disappointingly led down the usual path of ‘troubleshooting’ suggestions, before being met with radio silence.”
According to Moore, the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. However, Twitter user @JaCzekanski pointed out that the OnePlus Device Manager, despite being a system service, can actually be removed via Android Debug Bridge (ADB) by running this command, with net.oneplus.odm substituted for pkg: pm uninstall -k --user 0 pkg
However, we advise our readers not to resort to this method of removing the OnePlus Device Manager app, as it could affect the performance of your phone.
When Android Authority contacted OnePlus for comment on the issue, the company simply responded that the data are collected for user support and failed to address privacy concerns. The company said that users could switch off the transmission of usage activity at any time.
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
We are yet to hear from OnePlus announcing a fix on this issue.