OnePlus has gotten caught collecting sensitive information from its users without their explicit permission, making them vulnerable to attacks and violating their privacy. Specifically, it’s been gathering massive amounts of analytics data that includes MAC addresses, IMEI numbers, IMSI prefixes, phone numbers, and serial numbers.
Amassing analytics data is a common phenomenon since it helps developers iron out kinks and improve their work. However, it seems OnePlus has been recording unnecessary information like when a person locks or unlocks their phone, complete with a time-stamp.
A software engineer named Christopher Moore discovered this happening on his OnePlus 2 while participating in the SANS Holiday Hack Challenge 2016. He observed that there was an unusual amount of incoming and outgoing internet traffic from his device to open.oneplus.net, a server owned by OnePlus.
Upon deeper inspection, he uncovered that OnePlus had gone as far as to log every time an app was opened on his smartphone, along with the previously mentioned data. This is pretty serious considering anyone with their hands on this treasure trove of information could have easily linked it to a person via their phone or IMEI number.
OnePlus later told Android Police that it securely transmits analytics over HTTPS to an Amazon server in 2 streams. One beams out usage analytics to help in fine-tuning software according to user behavior, while the second sends out device data for better after-sales support. The first can be switched off by heading to Settings, Advanced, and finally Join user experience program.
A Twitter user named Jakub Czekański has an even more thorough solution, advising people to disable the OnePlus Device Manager permanently by plugging the phone into a computer with Android Debug Bridge (ADB) installed, making sure USB debugging is active, and running the command ‘pm uninstall -k --user 0 net.oneplus.odm’ to get rid of it forever.
This could adversely affect other features that depend on the OnePlus Device Manager though, so use the solution with caution. The company also stated that none of the data collected was sold for advertising, but that doesn’t explain why it’s been seizing so much excess information in the first place.
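The ADB step described above as a guarded script, added here as an example and not taken from the article, the tweet or OnePlus: it checks that net.oneplus.odm is installed for user 0, runs the quoted pm command, and confirms the package no longer appears. The ADB variable, the function names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded wrapper around the pm command quoted in the article.
# ADB can be overridden, e.g. ADB="adb -s SERIAL" (assumption of this example).
ADB="${ADB:-adb}"
PKG="net.oneplus.odm"   # package name as given in the article

# Packages installed for user 0, one per line. Older adb versions return
# CRLF line endings, so carriage returns are stripped before matching.
list_pkgs() {
    $ADB shell pm list packages --user 0 | tr -d '\r'
}

# Succeeds only on an exact match, not on a package that merely contains PKG.
odm_installed() {
    list_pkgs | grep -qx "package:$PKG"
}

# Returns 0 if removed, 1 if still present afterwards, 2 if nothing to do.
remove_odm() {
    if ! odm_installed; then
        echo "$PKG is not installed for user 0" >&2
        return 2
    fi
    $ADB shell pm uninstall -k --user 0 "$PKG" >/dev/null
    if odm_installed; then
        echo "$PKG is still installed for user 0" >&2
        return 1
    fi
    echo "$PKG removed for user 0"
}

# Only touch a device when explicitly asked to: sh remove_odm.sh --run
if [ "${1:-}" = "--run" ]; then
    # get-state fails when no device is attached or USB debugging is not authorized
    $ADB get-state >/dev/null 2>&1 || { echo "no authorized device" >&2; exit 3; }
    remove_odm
fi
```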