OnePlus Goes Greedy with Data Collection; Forgets to Anonymize It Too

Never Settle? More similar never care for user privacy...

OnePlus may have been tracking its users as a researcher has revealed how its custom Android operating system, OxygenOS, has been collecting massive amounts of analytics information without anonymizing it. Potentially connecting each phone to its user and their data, Christopher Moore, a security researcher has revealed that the OxygenOS is sending the company an excessive amount of personally identifiable data.

The Shenzhen based Chinese smartphone visitor is collecting a long list of data that is then tied to individual OnePlus users, including:

IMEI numbers
Telephone numbers
MAC addresses
IMSI prefixes
Serial numbers
Mobile network name(southward)
When user launched/closed an app
Screen on/off time
Fourth dimension when user locked or unlocked their phone
And more such information that could be considered intrusive.

Hey @OnePlus_Support, information technology's none of your concern when I plow my screen on/off or unlock my phone - how do I turn this off? /cc:@troyhunt pic.twitter.com/VihaIDI6wP

— Christopher Moore (@chrisdcmoore) January 13, 2017

Telemetry and more telemetry - OnePlus caught collecting massive amounts of personally identifiable data

After doing some digging in the code, going through OnePlus forums and Reddit threads, Moore discovered that the lawmaking responsible for this information drove is part of the OnePlus Device Director and the OnePlus Device Manager Provider, which run the OneplusAnalyticsJobService under the OnePlus Organization Service.

"In my case, these services had sent 16MB of data in approximately 10 hours," he said making the damning revelation.

While companies collect analytics data regularly to debug problems, they are expected to at least anonymize that data, if non to make this an opt-in process. Currently, OnePlus doesn't appear to be offering whatever way to the users to become out of this procedure and hasn't responded equally to why it needs to rail screen on/off and phone unlock time.

Jakub Czekański, a web developer, has shared how tech savvy users can stop their devices from sending telemetry data to the company without rooting their devices.

Enable USB debugging
Connect your phone to figurer
Utilise Android Debug Bridge (adb) to run the following commands:
1. $ adb showtime-server
2. $ adb vanquish
3. > pm uninstall -k --user 0 net.oneplus.odm

In its response, OnePlus has said that it "securely transmit analytics in two different streams over HTTPS to an Amazon server." The get-go is usage analytics that users tin opt out of from: Settings > Avant-garde >Join user experience plan.

"The second stream is device information, which we collect to provide meliorate after-sales support," and doesn't seem to be something from which you tin opt out of. Nevertheless, yous can utilize Czekański's tip to terminate information collection on your OnePlus devices.

- More than data on the visitor's excessive information drove is available in Moore's weblog post; more details on forcing your OnePlus phone to stop sending your data tin can be found here.