Despite making some impressive handsets that sell at wallet-friendly prices, OnePlus has been no stranger to controversy this year. Now, the Chinese phone maker could face another customer backlash, this time over accusations that it collects users’ identifiable data without their consent.
Software engineer Christopher Moore discovered what was happening after setting up OWASP ZAP, a security tool for attacking web applications, on his OnePlus 2. He noticed HTTPS requests were being sent to a domain owned by OnePlus, called open.oneplus.net. The traffic was then being redirected to an Amazon AWS server based in the US.
Upon decoding the data, Moore found his device was sending timestamp details of certain events to the server, such as when specific apps were opened and closed, when the screen was on, locks and unlocks, and charging times.
OnePlus also collected “the phone’s IMEI(s), phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone’s serial number.”
Moore writes that some of the data can be tied to specific users and that OnePlus doesn’t ask for permission to collect it. He notes that while sharing certain information about a device, such as repeated unexplained reboots, can help a manufacturer address problems, what OnePlus is doing feels very excessive.
When asked for comment, the company said: “We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior.”
“This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support. We do not share any analytics data with outside parties.”
Moore revealed that the data collection is tied to the OnePlus Device Manager and OnePlus Device Manager Provider. Twitter user Jakub Czekański explained how to block the transmissions using ADB with USB debugging enabled on the device, but this could cause other problems.
@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg — Jakub Czekański (@JaCzekanski), October 10, 2017
Back in June, OnePlus was once again accused of using code in its review units to manipulate handsets’ benchmark scores. A month later, an issue with the OnePlus 5 caused the phone to reboot every time a user dialed 911.