OnePlus found to be collecting user data sans authorisation
11 Oct 2017
Chinese handset maker OnePlus has been found sending sensitive personal data of users to its servers. The company's OxygenOS is under the scanner for tracking personal information like IMEI number, MAC addresses, mobile network names, Wi-Fi SSIDs, and the phone's serial number.
A security researcher discovered that his OnePlus 2 was sending specific user patterns to a company server without prior user permission.
The company has responded claiming that it is collecting data to improve its service, and that most of the data transmission can be switched off.
Christopher Moore explained in a blog that OnePlus was collecting time-stamped details such as when the user locked the device or unlocked it as well as abnormal reboots.
"They're collecting time-stamped metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive. At least these are anonymised, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone's serial number," he said in the blog.
After further research, Moore noticed that the company was also collecting details such as which app the user opened and when the user launched or closed an app.
OnePlus told Android Police, "We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behaviour.
This transmission of usage activity can be turned off by navigating to 'Settings' > 'Advanced' > 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."
Moore before putting out all the information did contact OnePlus Support team back in January with the concern on which OnePlus was unable to give a permanent fix. There are speculations that OxygenOS, the company's custom version running on top of Android, could have a plug-in to enable the transmission.
Earlier, there was no confirmation if this was typically the case with OnePlus 2 devices or all OnePlus devices. However, according to Business Today, the company's response clearly proves that other OnePlus devices including OnePlus 3T, OnePlus 5 have the same tracking issue.
According to an NDTV website, the data collection has been sourced to a system application called "OnePlus System Service" which cannot be turned off but can be disabled every time you turn your device on.
The company has not announced any plan to fix this in the future updates. Though OnePlus claims it's doing this to provide better after-sales support, most users might not be happy about being kept out of the loop all this while.
