OnePlus has emerged as one of the main manufacturers in the smartphone world. It has continuously managed to impress the masses by launching flagship-grade devices at a lower price. As a manufacturer, OnePlus has faced many issues over the course of 3 years: benchmark cheating, touch latency issues, the 911 bug, the 1.6x optical zoom issue and the jelly scrolling effect, to name a few. None of these had a serious impact on the company’s sales or popularity.
But OnePlus has now come across something serious, in fact really serious, as it relates to users’ privacy.
How did we come to know about it?
Security researcher Christopher Moore discovered that his phone had been gathering user data without prior permission and transmitting it to a company server. While he was carrying out some tests on his OnePlus 2 with a security tool that tracks web applications, Moore noticed requests to a domain, open.oneplus.net, which directed traffic to an Amazon AWS server and was involved in collecting user analytics from the smartphone.
According to Moore, OnePlus was collecting data such as phone number, IMEI number, mobile serial number, MAC address, mobile network names, and battery status along with timestamped details of various activities such as when the user locked the device, unlocked it, abnormal reboots and even details of apps opened and closed by the user along with time details.
That is a ton of data, but it doesn’t end there: they also tie this information to individual devices by serial numbers and user accounts in particular, thus making it personally identifiable.
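The check Moore describes, comparing the fields sent to open.oneplus.net against the phone's own identifiers, can be automated over an exported proxy capture. The following is an added example, not code from Moore or OnePlus; the capture layout, field names, URL path and identifier values are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

ANALYTICS_HOST = "open.oneplus.net"  # host named in the article

def normalise(value):
    """Compare identifiers case-insensitively and without ':' or '-' separators."""
    return str(value).replace(":", "").replace("-", "").lower()

def walk(node, path=""):
    """Yield (json_path, leaf_value) for every leaf in a decoded JSON body."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for n, val in enumerate(node):
            yield from walk(val, f"{path}[{n}]")
    else:
        yield path, node

def find_identifier_leaks(requests, device_ids, host=ANALYTICS_HOST):
    """Return (request index, JSON path, identifier name) for each field sent
    to `host` whose value equals one of the device's own identifiers."""
    wanted = {normalise(v): name for name, v in device_ids.items()}
    hits = []
    for i, req in enumerate(requests):
        if (urlparse(req["url"]).hostname or "").lower() != host:
            continue  # traffic to other hosts is out of scope
        try:
            body = json.loads(req["body"])
        except (ValueError, TypeError):
            continue  # non-JSON bodies are skipped, not guessed at
        for path, value in walk(body):
            name = wanted.get(normalise(value))
            if name:
                hits.append((i, path, name))
    return hits

# Constructed sample data: identifiers read off the test device and three
# captured requests (the field names and URL path are assumptions).
DEVICE_IDS = {"serial": "SN0000EXAMPLE", "imei": "000000000000000",
              "mac": "02:00:00:AA:BB:CC"}
SAMPLE_REQUESTS = [
    {"url": "https://open.oneplus.net/constructed-path",
     "body": json.dumps({"id": "SN0000EXAMPLE",
                         "events": [{"type": "screen_off", "ts": 1507000000}]})},
    {"url": "https://open.oneplus.net/constructed-path",
     "body": json.dumps({"device": {"mac": "020000aabbcc", "battery": 81}})},
    {"url": "https://example.org/api", "body": json.dumps({"id": "SN0000EXAMPLE"})},
]

if __name__ == "__main__":
    for hit in find_identifier_leaks(SAMPLE_REQUESTS, DEVICE_IDS):
        print(hit)
```

Any hit means an event stream that looks anonymous is keyed to a hardware identifier, which is the situation Moore describes for the ID field.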
What makes this issue so serious?
Manufacturers collecting certain data from smartphones is not necessarily abnormal, as they tend to gather information from devices to analyze issues and bugs and to provide timely software updates that fix them. It is part of the User Experience Program. According to Christopher Moore, what OnePlus collects is far from normal.
Moore says in his blog: “It looks like they’re collecting timestamped metrics on certain events, some of which I understand – from a development point of view, wanting to know about abnormal reboots seems legitimate – but the screen on/off and unlock activities feel excessive. At least these are anonymised, right? Well, not really – taking a closer look at the ID field, it seems familiar; this is my phone’s serial number. This I’m less enthusiastic about, as this can be used by OnePlus to tie these events back to me personally.”
Digging deeper into forums and Reddit threads, he found that the code responsible for this data collection is part of the “OnePlus Device Manager”, which apparently is a system service and cannot be permanently disabled.
He posted about this issue on Twitter, and Jakub Czekanski (a Twitter user) came up with a method to permanently disable the service: substitute net.oneplus.odm for pkg in the following command, run via ADB: pm uninstall -k --user 0 pkg.
What does OnePlus say about this?
The OnePlus team has addressed this issue and released a statement – “We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behavior. This transmission of user activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
The above statement clearly doesn’t address the privacy concerns. Also, it doesn’t seem to be an issue with the OnePlus 2 alone; all other OnePlus devices running Oxygen OS might be collecting user data in a similar way.
What are your thoughts on manufacturers collecting user data in the name of better support? Are you a OnePlus smartphone user? If yes, what’s your opinion on this? Let us know your thoughts in the comments below.