OnePlus is collecting personal information from its smartphone users, according to a report by Android Police. The Chinese OEM has been found collecting ‘massive amounts of analytics data’ from smartphone owners. The report says the collected data includes IMEI numbers, MAC addresses, mobile network names, IMSI prefixes, serial numbers and more.
The data collection was first discovered by security researcher and software engineer Christopher Moore, who revealed that OnePlus has been collecting specific data from its users without their permission. Moore recently published an article explaining that OnePlus has been gathering his personal information and transmitting it without his authorisation. He noticed the behaviour while completing the SANS Holiday Hack Challenge. Moore began examining the internet traffic from his OnePlus 2 using OWASP ZAP. Android Police explains that this process allowed the researcher to view all incoming and outgoing traffic from his device. He further found that the domain ‘open.oneplus.net’ had been gathering user data and sending it to an Amazon AWS instance without his consent.
The data that OnePlus is said to have been accessing included information about the screen, device unlock events, abnormal reboots, serial number, IMEI, phone numbers, MAC address, IMSI prefixes, and wireless network ESSID and BSSID.
Further, Moore discovered that OxygenOS also collected timestamps of when the user opened or closed apps and which activities were being opened. Moore contacted OnePlus this year, but the company ended up giving troubleshooting suggestions to the researcher.
Notably, Android Police also tried to reach out to OnePlus regarding the analytics tracking, and the company gave the following statement in response:
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
The Chinese handset maker has faced severe criticism from its users over the past two years over its failure to provide passable device support, benchmark manipulation, and users being unable to place a 911 emergency call. However, gathering personal information and transmitting it without the user’s consent is a bit more concerning, given that the company is in some way breaching users’ privacy.