OxygenOS, the customized version of Android used by OnePlus on its smartphones, has been found to be collecting data about users — and it’s not anonymized. Telemetry is something that has been associated with Windows 10, but now the Chinese smartphone manufacturer has its fans concerned.
That a phone collects certain information about usage is not particularly unusual — it helps to identify problems and speed up software development. But a security researcher’s discovery that his OnePlus 2 was sending highly detailed information back to OnePlus without consent has set privacy alarm bells ringing (the issue also affects more recent OnePlus handsets). OnePlus might prefer that you spend your time thinking about the upcoming OnePlus 5T and OnePlus 6, but this tale of telemetry is going to dominate for a little while.
Last year, Christopher Moore was taking part in a Hack Challenge and decided to run the web traffic from his OnePlus 2 through a proxy. In doing so, he noticed that his phone was connected to a OnePlus domain and transmitting incredibly detailed — and often very revealing — data back to the company.
Moore has detailed his findings on his website, where he explains that he noticed OnePlus was collecting information about when his screen was turned on and off, when his phone was unlocked, his serial number, details of mobile networks, phone numbers, MAC addresses and even which apps he was running, when and for how long. The logs went as far as recording individual activities that were performed within apps.
Perhaps most concerning is Moore’s discovery that none of this data was anonymized: it was all sent back to OnePlus complete with his phone’s serial number.
Taking to Twitter, Moore found that OnePlus was no help in explaining what was going on and how to disable it. He looked to Reddit and found an active thread of people discussing the same issue, and people suggested that the OnePlus Device Manager and the OnePlus Device Manager Provider were to blame.
There will clearly be many OnePlus owners who are concerned about what is going on, and Polish developer Jakub Czekański explains that it is possible (although far from obvious) to disable the data capture — and there’s no need to root your device to do so:
@chrisdcmoore I’ve read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg
— Jakub Czekański (@JaCzekanski) October 10, 2017
Connect your OnePlus phone to your computer and use Android Debug Bridge to run the following command from an adb shell:
pm uninstall -k --user 0 net.oneplus.odm
So what does OnePlus have to say about this? Worryingly, very little. In a statement the company says:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to Settings -> Advanced -> Join user experience program. The second stream is device information, which we collect to provide better after-sales support.
What’s disappointing is that users are opted into the program without being told about it. It’s a highly questionable way to operate, and certainly not a way to maintain user trust.