Thursday, October 12, 2017

OnePlus Phones Quietly Collecting User Data With No Opt Out

OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is collecting user data without permission -- and without a full opt-out function. The discovery was first quietly made way back in January in a blog post by security researcher Chris Moore, but only gained widespread attention this week. Moore discovered that code in the OS's OnePlus Device Manager and OnePlus Device Manager Provider collects the phone's IMEI, phone number, and mobile network names and shares them with OnePlus, letting the company easily identify the phone owner.

All told, OnePlus is collecting screen on, screen off, device unlock events, abnormal reboots, serial number, IMEI, phone numbers, MAC addresses, mobile network names and IMSI prefixes, as well as wireless network ESSID and BSSID. Using the on-device key, Moore was able to see all of the data being sent back to OnePlus' AWS servers.

During testing, Moore said he found that these services sent off 16MB of data in 10 hours to OnePlus.

In a statement given to XDA-Developers, OnePlus downplayed the scope of the problem.

"We securely transmit analytics in two different streams over HTTPS to an Amazon server," says the company. "The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."

That second stream, however, can't be disabled by the end user.
