OxygenOS is Allegedly Data-mining Personally Identifiable Information for Analytics
While OnePlus phones have a good reputation for their price and openness to development, the company itself has made some questionable decisions in the past with regard to how it handles user data. We previously discovered that OxygenOS would leak your device’s IMEI onto the network while your device checks for an update. Now, according to security researcher Christopher Moore, OnePlus is collecting even more sensitive, personally identifiable information.
During a Hack Challenge he was participating in last year, Moore decided to probe the internet traffic from his OnePlus 2. He discovered that his phone was sending HTTPS requests to the domain open.oneplus.net. He decrypted the data using the on-device key and was able to see all of the data being sent back to OnePlus’ AWS servers.
He then analyzed what information was being sent to this domain and found that OnePlus was collecting screen on, screen off, device unlock events, abnormal reboots, serial number, IMEI, phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, and wireless network ESSID and BSSID.
But the data-mining doesn’t stop there, as Moore found that OxygenOS was also collecting timestamps of when he opened and closed applications and even which activities were being opened.
Moore did some digging and discovered that the code responsible for this data collection is part of the OnePlus Device Manager and the OnePlus Device Manager Provider, which is contained in the system application OPDeviceManager.apk.
If your device isn’t rooted, you can run the following command from an ADB shell (adb shell) to disable this system application on your OnePlus device:
pm uninstall -k --user 0 net.oneplus.odm
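To confirm what the command above did, the following script classifies the state of net.oneplus.odm for user 0 from `pm list packages` output. It is an added example, not part of the original article or of Moore's write-up; the function names and sample listings are constructed, and `check_device` assumes `adb` is on the PATH with one device attached.

```shell
#!/bin/sh
# Added example: classify the state of net.oneplus.odm for user 0.
PKG="net.oneplus.odm"

# Constructed sample listings (not captured from a real device).
# "net.oneplus.odm.example" is a made-up name to show why exact matching matters.
SAMPLE_BEFORE='package:com.android.settings
package:net.oneplus.odm
package:net.oneplus.odm.example'
SAMPLE_AFTER='package:com.android.settings
package:net.oneplus.odm.example'

# has_pkg LISTING NAME: succeeds only on an exact "package:NAME" line.
# tr strips the carriage returns that older adb shells append to each line.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$2"
}

# classify_state INSTALLED INCLUDING_UNINSTALLED DISABLED
#   active           installed and enabled for the user
#   disabled         installed but disabled
#   removed-for-user uninstalled for the user, still known to the package manager
#   absent           not known to the package manager at all
classify_state() {
    if has_pkg "$1" "$PKG"; then
        if has_pkg "$3" "$PKG"; then echo disabled; else echo active; fi
    elif has_pkg "$2" "$PKG"; then
        echo removed-for-user
    else
        echo absent
    fi
}

# Query a connected device; -u also lists uninstalled packages, -d disabled ones.
check_device() {
    installed=$(adb shell pm list packages --user 0)
    known=$(adb shell pm list packages -u --user 0)
    disabled=$(adb shell pm list packages -d --user 0)
    classify_state "$installed" "$known" "$disabled"
}

# Run against a device only when asked: sh check_odm.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

After `pm uninstall -k --user 0`, the expected result is `removed-for-user`. The application remains on the system partition, so a factory reset or a new user profile can bring it back.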
All of this information is, again, sent over HTTPS so it can’t be intercepted by anyone else (provided you are on a secure network). Though, one wonders what OnePlus is doing with this kind of information. In a statement, OnePlus offered the following explanation behind the analytics they are collecting:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
Keep in mind that this data collection is only occurring on OxygenOS, so if you have a custom AOSP-based ROM such as LineageOS installed, then your phone is safe from data-mining. For a more technical breakdown, we recommend you read Mr. Moore’s original blog post, linked below.
Source: Chris’s Security and Tech Blog