OnePlus, for such a young company, have had more than their fair share of controversies and they seem to have learnt important lessons from each one. Unfortunately for them they now have another controversy to learn and grow from, the collection of personally identifiable data of users without their knowledge.
We have seen several issues in the past where apps have been installed on phones by manufacturers to analyse how the customer uses their phone and any issues they have with it. This collection of data was usually unknown to the customer. Now OnePlus have been caught doing the same thing, and it seems it is not the first time.
Security Researcher Chris Moore was doing a bit of hacking on his OnePlus 2 as part of the SANS Holiday Hack Challenge 2016 and “had cause to proxy the internet traffic from my phone” and came across web traffic requests to a domain open.oneplus.net. Of course he did what any decent software engineer would do, he investigated it closer, and the closer he got the more shocked he got.
— Christopher Moore (@chrisdcmoore) January 13, 2017
The data first found to be being sent over HTTPS (thank goodness for small mercies) was when he turned his display on, off, unlocked or when there was an abnormal reboot. These don’t seem to be much of an issue except that they also include the serial number of his phone in the traffic!
After further investigation he also found that it recorded the “phone’s IMEI(s), phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone’s serial number”. All this can be attributable back to him as he bought the phone directly from OnePlus.
It recorded when he opened each and every app and how long he had it open for as well as time stamps of each activity within each app when activated. After contacting OnePlus via Twitter when he got nothing remotely helpful, he searched some more and found that this wasn’t new. It seems that way back in July of last year someone complained to OnePlus about this, or something very similar, but seems that they got nowhere as well.
— tux 🏴🧨 (@__tux) July 15, 2016
Android Police contacted OnePlus and received the following comment (we got a no comment):
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
So in a nutshell, you can opt out to the first stream but not the second one. A user has told them that it can be fixed by removing the offending app although they do not know if this fix will break anything else within the system functionality so be careful before you do this and do so at your own risk:
pm uninstall -k --user 0 net.oneplus.odm
The code responsible for this data collection and transmission is inside the OnePlus Device Manager and the OnePlus Device Manager Provider “which run the OneplusAnalyticsJobService under the OnePlus System Service” and resulted in 16MB of data being sent in just ten hours. You would think that this continual monitoring would not be great for battery life.
We have looked on our OnePlus 5 and have not been able to find the offending app or service so we assume that it is no longer done or done under other apps.
In the end I am sure that OnePlus are scrambling behind the scenes to put out this fire. While it is important for future devices that some data is collected it is unusual that things such as serial number and IMEI of the phone are not just collected, and also sent in such an open fashion that allows the user to be easily identifiable.
Hopefully OnePlus can learn from this mistake, although we are not sure that they actually still do this. In the future they should either make this analytical data collection opt in (or out), stop the practice entirely or modify it to just the essentials they require. One thing though, if they do still acquire this data, you can be sure they are not the only one. Now where did I put that tinfoil hat.
Is this an over-reaction by the enthusiast community?