The Shenzhen-based Chinese smartphone manufacturer OnePlus has allegedly been collecting sensitive information from users' devices without their consent. This was brought to light in a blog post by security researcher Christopher Moore.
There have been earlier reports of OnePlus manipulating benchmarks and shipping incorrectly mounted displays, but this time Moore, while participating in the SANS Holiday Hack Challenge, decided to inspect the internet traffic leaving his own phone, a OnePlus 2.
He routed the phone's traffic through OWASP ZAP, an intercepting proxy used for web application security testing. Interestingly, he found HTTPS requests being sent to a domain called open.oneplus.net, and decided to explore further.
After decrypting the traffic (ZAP sits in the middle of the TLS connection, so the request bodies were readable in the proxy), he found that OxygenOS's analytics component was regularly sending user data to OnePlus servers hosted on AWS. On further analysis he established that OnePlus was collecting the user's phone number, MAC addresses, IMEI and IMSI, mobile network names, wireless network ESSID and BSSID, and device serial number, along with a timestamp each time the user locks or unlocks the device, opens or closes an application, or turns the screen on or off.
Moreover, Moore's research found that the code behind this in-device analytics lives in two components, OnePlus Device Manager and its provider, both part of the system application OPDeviceManager.apk.
OnePlus's statement in response reads, in part: “This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”