Gimme Your Data!! OnePlus Goes Greedy with Data Collection; Forgets to Anonymize It Too
OnePlus may have been tracking its users: security researcher Christopher Moore has revealed that its custom Android operating system, OxygenOS, collects massive amounts of analytics data without anonymizing it, potentially linking each phone to its user and their data. According to Moore, OxygenOS sends the company an excessive amount of personally identifiable data.
The Shenzhen-based Chinese smartphone company is collecting a long list of data that is then tied to individual OnePlus users, including:
- IMEI numbers
- Phone numbers
- MAC addresses
- IMSI prefixes
- Serial numbers
- Mobile network name(s)
- When user launched/closed an app
- Screen on/off time
- Time when user locked or unlocked their phone
- And more such data that could be considered intrusive.
— Christopher Moore (@chrisdcmoore) January 13, 2017
Telemetry and more telemetry - OnePlus caught collecting massive amounts of personally identifiable data
After digging into the code and going through OnePlus forums and Reddit threads, Moore found that the code responsible for this data collection is part of the OnePlus Device Manager and the OnePlus Device Manager Provider, which run the OneplusAnalyticsJobService under the OnePlus System Service.
"In my case, these services had sent 16MB of data in approximately 10 hours," he said, making the damning revelation.
While companies regularly collect analytics data to debug problems, they are expected to at least anonymize that data, if not make the collection opt-in. Currently, OnePlus doesn't appear to offer users any way out of this process, and it hasn't responded as to why it needs to track screen on/off and phone unlock times.
Jakub Czekański, a web developer, has shared how tech-savvy users can stop their devices from sending telemetry data to the company without rooting them.
- Enable USB debugging
- Connect your phone to your computer
- Use Android Debug Bridge (adb) to run the following commands:
- $ adb start-server
- $ adb shell
- > pm uninstall -k --user 0 net.oneplus.odm
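As an added example (not part of the article or of Czekański's post), a POSIX shell wrapper for the adb steps above that checks whether net.oneplus.odm is actually present for user 0 before and after the uninstall, so you can confirm the change took effect. It assumes adb is on PATH and USB debugging is already enabled.

```shell
#!/bin/sh
# Wraps the adb steps from the article with before/after verification.
# Assumptions: adb is on PATH, USB debugging is enabled, one device attached.
set -u

PKG="net.oneplus.odm"   # telemetry package named in the article

# pkg_present LISTING PKG
# Returns 0 if "package:PKG" is a line in LISTING (the text produced by
# `pm list packages`), 1 otherwise. Pure function: testable without a phone.
pkg_present() {
  printf '%s\n' "$1" | grep -qxF "package:$2"
}

# list_user0_packages: package list for user 0, with adb's CRLF stripped
list_user0_packages() {
  adb shell pm list packages --user 0 | tr -d '\r'
}

main() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 2; }
  adb start-server >/dev/null
  adb wait-for-device
  listing=$(list_user0_packages)
  if ! pkg_present "$listing" "$PKG"; then
    echo "$PKG is not installed for user 0; nothing to do"
    return 0
  fi
  # Same command as in the article: -k keeps the app's data, --user 0
  # removes it for the primary user only (no root needed).
  adb shell pm uninstall -k --user 0 "$PKG"
  listing=$(list_user0_packages)
  if pkg_present "$listing" "$PKG"; then
    echo "$PKG is still present after uninstall; check adb output" >&2
    return 1
  fi
  echo "$PKG removed for user 0"
}

# Run against the device only when invoked as: sh script.sh apply
case "${1:-}" in
  apply) main ;;
esac
```

Run it as `sh script.sh apply`; without the argument it only defines the functions, so `pkg_present` can be exercised on saved `pm list packages` output.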
In its response, OnePlus has said that it "securely transmit analytics in two different streams over HTTPS to an Amazon server." The first is usage analytics, which users can opt out of under Settings > Advanced > Join user experience program.
"The second stream is device information, which we collect to provide better after-sales support," and this doesn't seem to be something you can opt out of. Nevertheless, you can use Czekański's tip to stop data collection on your OnePlus devices.