OnePlus Is Said to Be Tracking and Collecting Personally Identifiable Information from Its Users
In any software project, analytics data is essential because it helps developers figure out which features users rely on most, which bugs need to be fixed, and where the ideal market is. However, in its never-ending quest to make the best Android device, Google’s OnePlus seems to have overstepped its bounds, as it has been discovered to track its users. In this latest discovery, OnePlus was found to have collected a massive amount of analytics data from its users, including IMEI numbers, MAC addresses, mobile network names, IMSI prefixes, serial numbers and other information. The news left users shocked, and some even feared that OnePlus might also track other information such as their SMS messages and call logs.
This appalling news was discovered by a software engineer named Christopher Moore, who published his findings on his personal blog. Moore started proxying the internet traffic from his own OnePlus 2 device using OWASP ZAP during a Hack Challenge. If you are unfamiliar with this process, it basically allowed him to view all outgoing and incoming internet traffic from his OnePlus device. During that process, among the usual network activity, he saw a large number of requests to open.oneplus.net. He dug deeper and found that the domain name points to an Amazon AWS instance owned by OnePlus. To spare you the technical jargon, Moore noticed that his device was frequently sending data to the open.oneplus.net server over HTTPS. He was able to decrypt the data that was sent using the authentication key on his device, which showed that his OnePlus 2 was sending time-stamped information about locks, unlocks and unexpected reboots.
If you think about it, logging unexpected reboots actually makes sense, as it could help software developers fix operating system bugs. However, as Moore mentioned in his blog, logging every time the device is locked or unlocked seems to be taking it up a notch. Things went downhill when he left the proxy running for an extended period of time. He discovered that some of the information sent to OnePlus’ servers contained the phone number, the phone’s IMEI number, MAC addresses, IMSI prefixes and mobile network names, as well as Wi-Fi connection information and the serial number of the device.
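The following Python example is added here and is not Moore's or OnePlus' code: it scans request bodies exported from an intercepting proxy for values that look like IMEIs, MAC addresses or phone numbers being sent to open.oneplus.net. The JSON field names, the sample values and the assumption that the decrypted bodies are JSON are constructed for illustration.

```python
import json
import re

ANALYTICS_HOST = "open.oneplus.net"  # host named in the article
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
PHONE_RE = re.compile(r"\+\d{8,15}")
# Constructed (host, body) pairs; field names and values are made up.
SAMPLE = [
    ("open.oneplus.net", '{"ts": 1507000000000, "msisdn": "+15555550100"}'),
    ("open.oneplus.net", '{"dev": {"id": "490154203237518", "mac": ["02:00:00:aa:bb:cc"]}}'),
    ("example.org", '{"id": "490154203237518"}'),
]

def luhn_ok(digits):
    """Luhn checksum, which a well-formed 15-digit IMEI satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Name the identifier type a string looks like, or return None."""
    if MAC_RE.fullmatch(value):
        return "mac"
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    return "phone" if PHONE_RE.fullmatch(value) else None

def walk(node, path=""):
    """Yield (json_path, kind) for each identifier-like leaf value."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")
    elif isinstance(node, str) and classify(node):
        yield path, classify(node)

def audit(entries):
    """Flag identifiers in JSON bodies sent to the analytics host."""
    findings = []
    for host, body in entries:
        if host == ANALYTICS_HOST:
            try:
                findings.extend(walk(json.loads(body)))
            except ValueError:
                pass  # body is not JSON; skip it
    return findings
```

Calling audit(SAMPLE) lists the JSON path and type of each identifier found; the Luhn check keeps arbitrary 15-digit numbers from being reported as IMEIs.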
And if you think that’s the worst it got, you’re wrong: Moore later found that the information sent also included a log entry every time the user opens an app. Security experts have reached out to OnePlus for a statement regarding the analytics tracking, and the company responded with the following statement:
“We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ → ‘Advanced’ → ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
Although OnePlus says the data transmission can be turned off using the instructions above, a Twitter user named @JaCzekanski pointed out that the app responsible for sending the data, OnePlus Device Manager, can be removed using ADB, root not required. All you have to do is plug your device into a computer that has ADB installed, make sure that USB debugging is enabled on your device, and run the following command in an ADB shell: pm uninstall -k --user 0 net.oneplus.odm
Before you execute the command given above, note that Device Manager is also responsible for other tasks, so removing it could break other functionality in your Android system.
Device tracking has become common these days and is utilized not just by software developers but also by users, as it helps them check device information. There’s even an app called SMS Tracker that lets you track a device to view information like SMS messages, call logs, social media activities, you name it. This has basically become a must-have app, especially for parents and employers, as it helps them keep track of their loved ones and employees.
In conclusion, device tracking or analytics tracking is not so bad as long as it is done for the benefit of users and as long as it does not overstep its bounds, and does not affect users’ privacy.