OnePlus accused of taking users' sensitive smartphone data without their consent

With that much data, it would be easy to connect the dots to an individual user.

A new report warns that OnePlus devices are said to be sending users' personal info to the company's servers. Of course, Moore did what any decent software engineer would do: he investigated it more closely, and the closer he got, the more shocked he was.

This data includes things like when the device's screen is turned off and on (with timestamps), the phone's serial number, IMEI, phone number, MAC addresses, IMSI prefixes, the mobile networks it uses, a WiFi network's ESSID and BSSID, and which apps are opened and how long they're used. Unfortunately, in the smartphone industry, it's even harder to get away with backdoors and other exploits that would allow a company to collect personal data from customers. He was able to decrypt the data (using the authentication key on the phone), which revealed that his OP2 was sending time-stamped information about locks, unlocks, and unexpected reboots.

During a Hack Challenge he was participating in the previous year, Moore decided to probe the internet traffic from his OnePlus 2. By all accounts, the data, which is being sent back to a OnePlus server, isn't anonymized.

"Those are timestamp ranges (again, unix epoch in milliseconds) of when I opened and closed applications on my phone." Moore says that in his case, the services had sent off 16MB of data in 10 hours.

Additionally, Twitter user Jakub Czekanski seemed to have found a fix to permanently disable the data transmission.

In the end I am sure that OnePlus are scrambling behind the scenes to put out this fire. Actually, you can disable it permanently: "pm uninstall -k --user 0 pkg".

Moore did some digging and discovered that the code responsible for this data collection is part of the OnePlus Device Manager and the OnePlus Device Manager Provider, which is contained in the system application OPDeviceManager.apk. However, users aren't advised to resort to this method, as removal of the OnePlus Device Manager app can affect the functionality of the phone.

The OnePlus team responded to the data collection claims and told Android Police, "We securely transmit analytics in two different streams over HTTPS to an Amazon server."

Now, even if OnePlus keeps all this to itself, "in order to more precisely fine tune software according to user behavior", as well as "provide better after-sales support", it's still way too much and way too detailed data.

For what it's worth, you can turn off the "transmission of usage activity" by leaving the "user experience program" in your advanced settings menu.

The second stream, the OnePlus rep added, was just device information, which was not shared with outside parties.
