OnePlus is in the limelight again, but this time it's all for the wrong reasons. According to a blog post by security researcher Chris Moore, the Chinese smartphone manufacturer is secretly collecting data from its users and transmitting it to a server along with each device’s serial number. He also detailed how OnePlus devices running OxygenOS record data at various points, including when a user locks or unlocks the screen, when apps are opened, used, and closed, and even which Wi-Fi networks the device connects to.
It's no secret that OnePlus has faced quite a lot of criticism from its users in the recent past due to its failure to provide adequate device support. Other complaints included reports of benchmark manipulation, wrongly mounted displays, and, most importantly, users not being able to dial 911 during emergencies.
The recent experience was shared by Chris Moore, the owner of a UK-based security and tech blog, who was troubled to realize that OnePlus had been gathering his personal information. He noticed an unfamiliar domain while completing the SANS Holiday Hack Challenge and decided to examine it further. He then discovered that the domain, open.oneplus.net, had been collecting his private device and user data and transmitting it to an Amazon AWS instance, all without his permission.
The secretly collected data ranges from the phone’s IMEI, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID to user data such as reboot, charging, and screen timestamps as well as application timestamps.
Moore also found that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. In Moore's case, the services had sent off 16MB of data in 10 hours.
Fortunately, Jakub Czekanski has also claimed that despite these being system services, they can’t be permanently disabled by substituting net.oneplus.odm for pkg via ADB or by running this command: pm uninstall -k --user 0 pkg.
Lastly, OnePlus clarified that it does transmit analytics to an Amazon server in two streams. The first is analytics used to fine-tune its software, and the second stream is device information, which is needed to provide after-sales support. The company says users can turn off the data collection by going to Settings, then Advanced, and deselecting the “Join user experience program” option. However, there is no such way of disabling the second stream.