OnePlus Phones Collecting Private Data without Permission
Using the company's Android-based OxygenOS, OnePlus smartphones are leaking a considerable amount of users' activity data without their permission, according to a U.K.-based software engineer.
Earlier this year, engineer Christopher Moore reported discovering that his OnePlus 2 phone was sending a large amount of activity data to an Amazon Web Services (AWS) server. Among the information being passed along was non-anonymized data, including his phone number, IMEI (International Mobile Equipment Identity), MAC address, mobile network names, and device serial number.
In a statement provided to several media outlets, China-based OnePlus said it securely transmits two analytics streams from users' devices to provide better customer support and "more precisely fine tune our software according to user behavior." One stream can be disabled through settings adjustments, but turning off the second one requires disabling a software package by connecting the phone to a PC in debugging mode.
'Quite a Bit of Information'
Writing on his security and tech blog in June, Moore described how he discovered some traffic from his phone being directed to an unfamiliar domain while he was taking part in the SANS Holiday Hack Challenge 2016. That domain, open.oneplus.net, pointed to an AWS server in Amazon's eastern U.S. region.
Examining the traffic further, Moore said he found it included personally identifiable information about his phone, as well as timestamps for the specific applications and activities he had used.
"Wow. That's quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities," he said.
Moore said he followed up with requests for help via OnePlus' Twitter account for support, "which disappointingly led down the usual path of 'troubleshooting' suggestions, before being met with radio silence."
He added he later found a few other mentions about the issue on Reddit and OnePlus' online user forums, but was unable to find a way to permanently disable such data collection on his phone.
How To Disable Analytics Data Traffic
"We securely transmit analytics in two different streams over HTTPS to an Amazon server," OnePlus said in its statement. "The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."
Commenting about Moore's blog post via Twitter yesterday, programmer Jakub Czekanski said he found a way to disable the second stream of analytics information by disabling the package named net.oneplus.odm on a OnePlus phone. The process doesn't require root access but does require connecting to a PC via ADB to uninstall the system-based application.
That doesn't actually uninstall the application from the device, but it does uninstall it for the current user, according to a video tutorial posted on the XDA developers site.
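The ADB-based removal described above, written out as a small shell script. This is an added example, not code from the article, from Moore's blog or from the XDA tutorial; it assumes adb is installed on the PC, USB debugging is enabled and authorized on the phone, and that net.oneplus.odm (the package name given in the article) is the only package to remove.

```shell
#!/bin/sh
# Added example: find the OnePlus analytics package via ADB and remove it for
# the current user (user 0), the no-root method described in the article.
# Assumes adb is on PATH and the phone is connected with USB debugging enabled.
ANALYTICS_PKG="net.oneplus.odm"   # package name from the article

# Return 0 if $1 appears in `pm list packages` style output ("package:<name>"
# per line) read from stdin; -x requires a whole-line match so a package with
# a longer name that merely starts the same way is not mistaken for it.
pkg_listed() {
    grep -qx "package:$1"
}

# Build the command that removes a package for user 0 without root.
# -k keeps the app's data, so the change can be reversed on recent Android
# builds with `adb shell cmd package install-existing <pkg>` (assumption:
# availability of that sub-command depends on the Android version).
uninstall_cmd() {
    printf 'adb shell pm uninstall -k --user 0 %s\n' "$1"
}

# List packages for user 0, stripping the CR that older adb builds append.
list_user0_packages() {
    adb shell pm list packages --user 0 | tr -d '\r'
}

main() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 2; }
    adb wait-for-device
    if list_user0_packages | pkg_listed "$ANALYTICS_PKG"; then
        echo "$ANALYTICS_PKG is installed for user 0; removing it"
        sh -c "$(uninstall_cmd "$ANALYTICS_PKG")"
        # Verify the removal instead of trusting pm's exit status alone.
        if list_user0_packages | pkg_listed "$ANALYTICS_PKG"; then
            echo "$ANALYTICS_PKG is still present; removal failed" >&2
            return 1
        fi
        echo "removed for user 0; the package remains on the system image"
    else
        echo "$ANALYTICS_PKG not present for user 0 (already removed, or not this ROM)"
    fi
}

# Only act on a device when explicitly asked, so the functions can be sourced.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `RUN_MAIN=1 sh script.sh`; afterwards, capturing the phone's traffic again and confirming nothing goes to open.oneplus.net is the check that the second stream is actually gone.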
"This kind of data collection, especially one containing information that can be directly tied back to me as an individual, should really be opt-in and/or have an easily accessible off switch," Moore noted in his blog post in June.
Image credit: Product shots by OnePlus.