In yet another case of a Chinese smartphone maker recording sensitive data of its users, OnePlus has been found to do something similar. Normally, a certain level of information is sent to the company, such as crashes, bugs and general issues that could be fixed by a software update. However, OnePlus was found to collect data that includes IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers, and more.
Christopher Moore, a software engineer, made a post on his personal blog showing his discoveries. During a Hack Challenge, Moore began proxying the internet traffic from his OnePlus 2 using OWASP ZAP, which allowed him to view all incoming and outgoing internet traffic from his phone. Among the usual network activity, he noticed a large number of requests to open.oneplus.net. Through deeper inspection, he found the domain name to be an Amazon AWS instance owned by OnePlus. He was able to decrypt the data (using the authentication key on the phone), which revealed that his OP2 was sending time-stamped information about locks, unlocks, and unexpected reboots.
It is quite usual for a phone to log OS crashes, as this allows developers to find a fix for such bugs. But, as Moore notes in his blog, sending data every time the phone is locked or unlocked seems a bit excessive. Moore discovered that some of the data being sent to OnePlus’ servers included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, and the phone’s serial number. He later found out that the data included every time an app was opened.
OnePlus had this to say in response:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
There are rumours that OnePlus is working on the OnePlus 5T, which might be launched in November, and it remains to be seen whether this report of sensitive data recording will have any repercussions on the company’s plans.