OnePlus has been found collecting very comprehensive data of customers using its smartphones. While most smartphone manufacturers collect user data for analytics, OnePlus has been found collecting data that includes IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, phone's serial number, wireless network ESSID, and more.
Christopher Moore, a software engineer, has written a blog post detailing the data collected by the Chinese smartphone maker. Moore discovered OnePlus collecting this data during a Hack Challenge while setting up his OnePlus 2 smartphone. He set up a security tool called OWASP ZAP on his OnePlus 2 and found traffic requests to open.oneplus.net, which further redirected the traffic to a US-based Amazon AWS server. Apart from finding out what data is being collected, Moore also noticed time stamps of when apps were opened and closed along with the serial number of the device.
While collecting data like unexpected reboots would help developers fix the bug at the earliest, the collection of data like when the phone is locked or unlocked seems unnecessary. In fact, Moore left the system running for an extended period of time to understand what other data OnePlus collected from its user.
Back in January, Moore highlighted the issue on Twitter and asked OnePlus how to disable data collection on his device. The company replied with usual troubleshooting options like wiping the cache and performing a factory reset. Yesterday, a Twitter user found the app responsible for collecting user data on a OnePlus smartphone.
Hey @OnePlus_Support, it's none of your business when I turn my screen on/off or unlock my phone - how do I turn this off? /cc:@troyhuntpic.twitter.com/VihaIDI6wP — Christopher Moore (@chrisdcmoore) January 13, 2017
A deeper access to file system has revealed that the data is being collected by a system app called "OnePlus System Service." Since its part of the system, OnePlus users can't turn it off. However, they can manually disable it every time the phone is restarted by running an ADB command.
Twitter user Jakub Czekanski noted that OnePlus' System Service can be permanently disabled by running the command: pm uninstall -k --user 0 pkg and substituting net.oneplus.odm for pkg. In a statement released to Android Police, OnePlus says "We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behaviour. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support."
While every device manufacturer collects some form of data for analytics and seeks user consent for acquiring these data, OnePlus seems to be collecting data that affects the privacy of the user. The company should be more transparent about what data it collects from its device user and even offer an option at the time of setting up the device to opt out of such data collection.