OnePlus is no stranger to controversy, having manipulated its launch day benchmarks for its OnePlus 5 smartphone. It’s latest debacle, however, is much more sensitive, with the company being accused of tracking personal information without its users’ consent.
The accusation comes from security researcher Christopher Moore, who took to a blog post after discovering the potential breach through his taking part in the SANS Holiday Hack Challenge 2016 which required him to make use of a security tool called OWASP ZAP. The tool enabled him to track traffic, in which among the usual HTTPS requests was one under the domain name of open.oneplus.net, which further redirected to an Amazon AWS server based in the US.
When digging into what was being sent to this domain, Moore found that time stamped data of actions and events was being collected, including that of when the user activates the screen and unlocks their device. Despite being excessive, Moore notes that this would be somewhat understandable from a developmental point of view, but the company crosses all kinds of lines with each bit of data being accompanied by an ID field that contains the device’s serial number.
It gets worse though, as delving further into what else is being gathered by the company has access to the phones IMEI(s), phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as wireless network ESSIDs and BSSIDs.
The code responsible for collecting this data is OnePlus Device Manager and the OnePlus Device Manager Provider, according to Moore.
Luckily, after Moore called out the company on Twitter, another user by the name of Jakub Czekanski replied with a way to disable it permanently by uninstalling the OnePlus Device Manager and the OnePlus Device Manager Provider, both of which Moore claims is responsible for the breach. This can, however, result in the device experiencing issues as these are two core applications that are responsible for how the smartphone behaves.
@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k –user 0 pkg
— Jakub Czekański (@JaCzekanski) October 10, 2017
OnePlus has since commented on the issue, as if it wasn’t even an issue at all despite its users not consenting to such a practice.
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behaviour,” stated OnePlus. “This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
KitGuru Says: Nowadays, it seems common for companies to ask for unreasonable amounts of intrusive data if the user wants to be a part of whatever is current in the technology industry, but not even giving the choice to opt in is a new low. Do you own a OnePlus device? What do you think of the company’s reactions?