OnePlus
OnePlus is collecting private user data without people's permission. REUTERS/Danish Siddiqui

Chinese phone maker OnePlus is under fire once again as it was recently discovered that it was collecting users’ analytics data without their permission. Data collected by OnePlus from its users include IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers and a lot more.

UK-based software engineer Chris Moore published a detailed article yesterday showing that OnePlus is able to collect his analytics data on his OnePlus 2 smartphone without his permission. Moore discovered this by proxying the internet traffic on his onePlus 2 using OWASP ZAP, which allowed him to track his phone’s network activity. Moore noticed that a large amount of data is being sent to the open.oneplus.net server through the secure HTTPS protocol. He also dug deeper into open.oneplus.net and discovered the domain name to be an Amazon AWS instance, which is also owned by OnePlus.

Using the authentication key on his phone, Moore was able to decrypt the data that the company was collecting from his OnePlus 2. He saw that his handset was sending time-stamped information about locks, unlocks and unexpected reboots, according to Android Police.

Requesting time-stamped data for unexpected reboots makes sense. This allows developers to fix bugs that are in the operating system. What Moore considered excessive however is collecting data related to when users lock and unlock their phones. This is why Moore continued to run his proxy for a long period of time and discovered even more information on what OnePlus is collecting.

He discovered that the data being sent to OnePlus’ servers included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, info on Wi-Fi connection and the phone’s serial number. The worst thing that Moore discovered was that some of the data that OnePlus collected included every time a user opens an app and how long they have that app opened on their device.

“These event data contain timestamps of which activities were fired up in which applications, again stamped with the phone’s serial number,” Moore explained on his website. “I took to Twitter to ask OnePlus on Twitter how this could be turned off, which disappointingly led down the usual path of ‘troubleshooting’ suggestions, before being met with radio silence.”

Android Authority was able to speak to a OnePlus representative about this issue, but received an unsatisfactory response. The representative didn’t provide an explanation as to why OnePlus didn’t simply have users opt-in for this instead of having it covertly happening in the background. What's also worrying is that the company didn't even address the implication on users' privacy. The representative said that users can disable the transmission of data by turning it off under Settings>Advanced>‘Join user experience program’.

The code that’s responsible for collecting users’ private data is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Moore said that these services had sent out 16MB of data in approximately 10 hours. Since those two services are natively part of OnePlus’ OxygenOS operating system, meddling with it could have consequences. Even if that’s the case, there’s actually a way to permanently block this intrusive form of data collection.

Twitter user @JaCzekanski pointed out that the OnePlus Device Manager can actually be removed using the Android Debug Bridge (ADB) without having to root the phone. Android Police explained that that users will simply have to install ADB on their OnePlus device and plug in their phone into a computer with USB debugging enabled. Users will have to run this command [ pm uninstall -k --user 0 net.oneplus.odm ] to remove the OnePlus Device Manager permanently.