OnePlus OxygenOS Caught Collecting Sensitive User Data Without Permission
A software engineer has discovered that OnePlus is actively collecting certain data on its users without their knowledge or permission. Chris Moore, owner of a UK-based security and tech blog and a finalist at Cyber Security Challenge UK, published an article detailing the Chinese electronic company's data collection and how there does not appear to be a setting to turn it off.
Moore noticed the curious activity while participating in a security event. What he found was that his OnePlus 2 was feeding specific data to open.oneplus.net, which after a DNS lookup was revealed to be an Amazon AWS instance. One piece of data that was being transmitted was a log of when he would turn his phone's display on and off.
"From a development point of view, wanting to know about abnormal reboots seems legitimate, but the screen on/off and unlock activities feel excessive. At least these are anonymized, right? Well, not really—taking a closer look at the ID field, it seems familiar; this is my phone’s serial number," Moore says. "This I’m less enthusiastic about, as this can be used by OnePlus to tie these events back to me personally (but only because I bought the handset directly from them, I suppose)."
That was not the end of it. Further investigation revealed other personal bits in the data being collected, including his phone's IMEI, phone numbers, MAC addresses, mobile network names and IMSI prefixes, wireless network SSIDs, and his phone's serial number. His phone also transmitted timestamp ranges, letting OnePlus known when he opened and closed applications on his phone, which again was stamped with his device's serial number.
Moore's attempt to understand why OnePlus would need this data and, more importantly, how to stop the data collection was met with generic responses from the company's support team on Twitter. OnePlus advised that he wipe his phone's cache, and also try a hard reset, neither of which would do anything to prevent sensitive data from being transmitted.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support," OnePlus explained to Android Authority.
This is a bad look for OnePlus, and it is equally concerning that the company does not really consider this to be a big deal.
Moore noticed the curious activity while participating in a security event. What he found was that his OnePlus 2 was feeding specific data to open.oneplus.net, which after a DNS lookup was revealed to be an Amazon AWS instance. One piece of data that was being transmitted was a log of when he would turn his phone's display on and off.
"From a development point of view, wanting to know about abnormal reboots seems legitimate, but the screen on/off and unlock activities feel excessive. At least these are anonymized, right? Well, not really—taking a closer look at the ID field, it seems familiar; this is my phone’s serial number," Moore says. "This I’m less enthusiastic about, as this can be used by OnePlus to tie these events back to me personally (but only because I bought the handset directly from them, I suppose)."
That was not the end of it. Further investigation revealed other personal bits in the data being collected, including his phone's IMEI, phone numbers, MAC addresses, mobile network names and IMSI prefixes, wireless network SSIDs, and his phone's serial number. His phone also transmitted timestamp ranges, letting OnePlus known when he opened and closed applications on his phone, which again was stamped with his device's serial number.
Moore's attempt to understand why OnePlus would need this data and, more importantly, how to stop the data collection was met with generic responses from the company's support team on Twitter. OnePlus advised that he wipe his phone's cache, and also try a hard reset, neither of which would do anything to prevent sensitive data from being transmitted.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support," OnePlus explained to Android Authority.
This is a bad look for OnePlus, and it is equally concerning that the company does not really consider this to be a big deal.
