OnePlus reportedly collecting lots of data on its users without telling them
ET Tech|
Updated: Oct 11, 2017, 05.26 PM IST
The Shenzhen based Chinese smartphone manufacturer OnePlus allegedly has been collecting sensitive information on users without their consent from their devices. This was brought to light in a blog post by security researcher Christopher Moore.
Earlier, there have been reports on OnePlus manipulating benchmarks and incorrect mounting displays but this time around, Moore while participating in the SANS Holiday Hack Challenge decided to check the internet traffic from his phone OnePlus2 2.
He used OWASP ZAP, a security tool which tracks web applications. Interestingly, he found HTTPS requests being sent to a domain called open.oneplus.net. He decided to explore further.
After decrypting the data, he figured out that OxygenOS's analytics is sending user data regularly to the OnePlus's AWS servers. On further analysis he realized that, OnePlus was collecting User’ phone number, MAC addresses, IMEI and IMSI code, Mobile network(s) names, Wireless network ESSID and BSSID, Device serial number, Timestamp when a user locks or unlocks the device, Timestamp when a user opens and closes an application on his phone, Timestamp when a user turns his phone screen on or off.
Moore first blogged about this in January 2017 where he even said " I took to Twitter to ask OnePlus on Twitter how this could be turned off, which disappointingly led down the usual path of “troubleshooting” suggestions, before being met with radio silence:"
Also as reported by The Hacker News, this glitch was earlier reported by a security researcher named "Tux" in July 2016.
Moreover, Moore's research also found that the code which was behind this 'in device analytics' is contained in OnePlus Device Manager and provider which is a part of system application OPDeviceManager.apk.
While OnePlus is yet to respond to ETtech's questionnaire at the time of publishing of the article, they responded to Android Police saying " We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior.
This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support."
Earlier, there have been reports on OnePlus manipulating benchmarks and incorrect mounting displays but this time around, Moore while participating in the SANS Holiday Hack Challenge decided to check the internet traffic from his phone OnePlus2 2.
He used OWASP ZAP, a security tool which tracks web applications. Interestingly, he found HTTPS requests being sent to a domain called open.oneplus.net. He decided to explore further.
After decrypting the data, he figured out that OxygenOS's analytics is sending user data regularly to the OnePlus's AWS servers. On further analysis he realized that, OnePlus was collecting User’ phone number, MAC addresses, IMEI and IMSI code, Mobile network(s) names, Wireless network ESSID and BSSID, Device serial number, Timestamp when a user locks or unlocks the device, Timestamp when a user opens and closes an application on his phone, Timestamp when a user turns his phone screen on or off.
Moore first blogged about this in January 2017 where he even said " I took to Twitter to ask OnePlus on Twitter how this could be turned off, which disappointingly led down the usual path of “troubleshooting” suggestions, before being met with radio silence:"
Also as reported by The Hacker News, this glitch was earlier reported by a security researcher named "Tux" in July 2016.
Moreover, Moore's research also found that the code which was behind this 'in device analytics' is contained in OnePlus Device Manager and provider which is a part of system application OPDeviceManager.apk.
While OnePlus is yet to respond to ETtech's questionnaire at the time of publishing of the article, they responded to Android Police saying " We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior.
This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support."
