On his blog, Chris Moore reveals that the Chinese electronics company has been collecting some very specific data from OnePlus users without their permission.
The hype around OnePlus is real: the next so-called flagship killer from the company is expected to feature a bigger display with a new aspect ratio and minimal bezels, and there are already multiple reports out there creating an online buzz. However, that’s not to say that all’s well in paradise. It’s no secret that OnePlus has faced heavy criticism from its users in the past year or two over its failure to provide adequate device support. More negative press ensued after the launch of the OnePlus 5 with reports of benchmark manipulation, wrongly-mounted displays, and more importantly, users being unable to dial 911 in emergency situations. Well, it seems the Chinese tech company is in trouble again, and in my opinion, OnePlus should really take the time to explain itself this time.
Chris Moore, the owner of a UK-based security and tech blog, recently published an article demonstrating that OnePlus has been gathering his personal information and transmitting them without his permission. He noticed an unfamiliar domain while completing the SANS Holiday Hack Challenge and decided to further examine it. He found that the domain – open.oneplus.net – had essentially been collecting his private device and user data and transmitting them to an Amazon AWS instance, all without his permission.
The data that OnePlus is accessing ranges from device information like the phone’s IMEI, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID to user data like reboot, charging, screen timestamps as well as application timestamps.
The data that OnePlus is accessing ranges from device information like the phone’s IMEI and serial number to user data like reboot, charging, screen timestamps as well as application timestamps.
Moore states that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Fortunately, Jakub Czekanski claims that despite their being a system service, they can be permanently disabled through replacing net.oneplus.odm for pkg via ADB or through running this command: pm uninstall -k –user 0 pkg
@chrisdcmoore I’ve read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k –user 0 pkg
— Jakub Czekański (@JaCzekanski) October 10, 2017
It’s concerning that a major Android manufacturer has been collecting and transmitting user data without permission, but it’s even more concerning that OnePlus doesn’t seem to consider it a big issue. When we reached out for a comment, the company simply stated that the data are collected for user support and failed to address privacy concerns:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
We also spoke with a representative from the company but did not receive a satisfactory explanation as to why the company does not simply let users opt-in and share their data to help with future updates. At any rate, the irony here is that OnePlus is breaching its users’ privacy to provide better after-sales support. Of all the manufacturers out there, the company who managed to anger and frustrate so many users precisely due to its lack of after-sales support is trying to justify its unauthorized data collection on the grounds that it’s for after-sales support.
The company who managed to anger and frustrate so many users precisely due to its lack of after-sales support is trying to justify its unauthorized data collection on the grounds that it's for after-sales support.