OnePlus may have been collecting user data without permission
Security researcher claims OnePlus is gathering critical data such as serial number, IMEI number, wireless network IDs and timestamps for screen-on and screen-off events. Here’s how to keep your data secure.
Chinese handset company OnePlus has come under the scanner for allegedly collecting users' data without consent. UK-based security researcher Chris Moore discovered that OnePlus phones running OxygenOS were gathering users' device data and sending it back to servers in China. This has largely impacted OnePlus 2 and OnePlus 3 owners, according to the researcher. OnePlus, however, has said that it does not share users' data with "outside parties."
Moore discovered that critical data such as timestamps of when the device was active and on standby, MAC address, phone number, wireless network, mobile network, and International Mobile Equipment Identity (IMEI) numbers were being transmitted.
This data isn't really any different from what other smartphone makers collect from users' devices. The problem, however, is that OnePlus fails to anonymize the data, Engadget points out in its report. This essentially means the data is identifiable and can be traced back to a particular user.
Moore further said that the code responsible for the data collection was part of the OnePlus Device Manager and OnePlus Device Manager Provider, which run the "OneplusAnalyticsJobService" under the "OnePlus System Service."
"In my case, these services had sent 16MB of data in approximately 10 hours," he explained on his website.
OnePlus, however, has explained how its data collection process works. According to the company, the analytics data is transmitted in two different streams over HTTPS (the secure version of the HTTP web protocol) to an Amazon Web Services server.
"The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. The second stream is device information, which we collect to provide better after-sales support. We do not share any analytics data with outside parties," the company said in a statement.
"Collecting basic telemetry data is quite standard fare but the problem arises when the data is precise enough to identify a user based on the information collected. Even if OnePlus doesn't have any mal intentions, if a malicious hacker gains access to internal assets of OnePlus, this kind of information can be used for extremely targeted attacks en masse," said Ankush Johar, Director at HumanFirewall.io, an IT security company.
How to disable data collection on OnePlus smartphones
OnePlus says users can block transmission of usage activity by disabling the option in Settings > Advanced > Join user experience program.
Another workaround, which is a bit tedious, requires users to enable USB debugging in the device's Settings (under Developer options), connect the device to a PC via USB and install the Android Debug Bridge software, according to a thread on Hacker News. If you have never rooted your phone, we recommend proceeding with a lot of caution.
"@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg" — Jakub Czekański (@JaCzekanski), October 10, 2017
According to Twitter user @JaCzekanski, users can uninstall the OnePlus Device Manager via the Android Debug Bridge (adb) software by running the following command: pm uninstall -k --user 0 net.oneplus.odm. You can learn more about how to set up and run adb here.
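
The adb workaround described above, as an added example that is not part of the original article: a POSIX shell script that confirms an authorised device is attached, removes net.oneplus.odm for user 0 only, and then verifies that the package is no longer listed. The function names and the ADB variable are hypothetical; it assumes adb is on the PATH and USB debugging has been authorised on the phone.

```shell
#!/bin/sh
# Added example, not from the article. Assumes adb is on PATH and a single
# device with USB debugging authorised is attached.
ADB="${ADB:-adb}"        # hypothetical override for the adb binary to use
PKG="net.oneplus.odm"    # OnePlus Device Manager package named in the article

# Succeeds only if $PKG itself is installed for user 0 (the primary user).
# The pm filter is a substring match, so grep -x rejects look-alike names
# such as a ".provider" companion package.
pkg_installed() {
    $ADB shell pm list packages --user 0 "$PKG" | tr -d '\r' |
        grep -qx "package:$PKG"
}

# Removes $PKG for user 0 and confirms the result.
# Returns 0 if the package was removed or was already absent, 1 otherwise.
remove_odm() {
    if ! $ADB get-state >/dev/null 2>&1; then
        echo "no authorised device attached" >&2
        return 1
    fi
    if ! pkg_installed; then
        echo "$PKG already absent for user 0"
        return 0
    fi
    # -k keeps the app's data and cache directories; --user 0 limits the
    # removal to the primary user, so the APK stays on the system partition.
    $ADB shell pm uninstall -k --user 0 "$PKG" >/dev/null
    if pkg_installed; then
        echo "uninstall did not take effect" >&2
        return 1
    fi
    echo "$PKG removed for user 0"
}

# Run as: sh remove_odm.sh run
case "${1:-}" in
    run) remove_odm ;;
esac
```

Because `--user 0` removes the package only for the primary user, it comes back after a factory reset, so the check is worth repeating then.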