OnePlus has reportedly been collecting personal information of users and sending to company’s server without their permission, according to a security researcher. Christopher Moore, who is a software engineer. Moore said in a blog post that OnePlus’ collected data includes phone’s IMEI, phone numbers, MAC addresses, mobile network names, phone’s serial number and wireless network’s ESSID and BSSID.
Essentially, Moore monitored the incoming and outgoing traffic from his phone to discover that his OnePlus 2 was making traffic requests to open.oneplus.net. This traffic was further being directed to a US-based Amazon AWS server. OxygenOS, which is company’s operating software that runs on top of Android, is said to be facilitating data transmission without a user’s prior permission.
OnePlus has been accused to keeping a tab on when people open which app and the amount of time they spend on individual apps. The researcher says the data contains “timestamps of which activities were fired up in which in applications, again stamped with the phone’s serial number”. Moore claimed that even basic things like screen on/off and unlock activities are being sent to company’s servers.
“Those are timestamp ranges (again, unix epoch in milliseconds) of the when I opened and closed applications on my phone. From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number,” Moore wrote in a blog post.
Interestingly, Twitter user Jakub Czekanski seems to have found a fix to permanently disable the data transmission. “I’ve read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k –user 0 pkg,” Czekanski wrote on Twitter, in response to Moore’s blog post.
@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg
— Jakub Czekański (@JaCzekanski) October 10, 2017
zekanski’s method does not require rebooting as OnePlus Device Manager (app responsible for sending data) can be removed via ADB tool and USB debugging enabled. However, users aren’t advised to resort to the method as removal of OnePlus Device Manager app can affect the functionality of the phone.
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support,” OnePlus’ statement reads.
Hey @OnePlus_Support, it's none of your business when I turn my screen on/off or unlock my phone - how do I turn this off? /cc:@troyhunt pic.twitter.com/VihaIDI6wP
— Christopher Moore (@chrisdcmoore) January 13, 2017
And that ID appears to be the phone's serial number which, since many buy handsets direct from you, can be linked to their identity...
— Christopher Moore (@chrisdcmoore) January 13, 2017
Yes please: how do I turn off this event data collection (which gets sent to https://t.co/42nroll7PD)?
— Christopher Moore (@chrisdcmoore) January 13, 2017
Alright. Please try doing a hard reset https://t.co/1qyq9XajiJ and see if there are improvements.
— OnePlus Support (@OnePlus_Support) January 13, 2017
This is not the first time that OnePlus has ended up in a major controversy. Earlier this year, the company was accused of inflating OnePlus 5’s benchmark scores on apps like Geekbench 4. OnePlus denied the charge, and said they are not overclocking the cores.
Share This Post
