Earlier this month, software engineer Christopher Moore discovered that Shenzen, China-based phone manufacturer OnePlus was secretly collecting a trove of data about users without their consent and communicating it to company servers. Moore had routed his OnePlus 2's internet traffic through security tool OWASP ZAP for a holiday hack challenge, but noticed his device was regularly transmitting large amounts of data to a server at open.oneplus.net.
According to Moore’s analysis, captured information included his phone’s IMEI and serial number, phone numbers, MAC addresses, mobile network names and IMSI prefixes, and wireless network data. OnePlus was also collecting data on when its users were opening applications and what they were doing in those apps, including Outlook and Slack. With the cat out of the bag, OnePlus admitted to the non-consensual snooping in a post to its customer service forum on Friday, but said the intent of the program was improving user experience on its OxygenOS software.
“The reason we collect some device information is to better provide after-sales support,” OnePlus wrote. “If you opt out of the user experience program, your usage analytics will not be tied to your device information.”
“We’d like to emphasize that at no point have we shared this information with outside parties,” the company added. “The analytics we’re discussing in this post, which we only look at in aggregate, are collected with the intention of improving our product and service offerings.”
According to OnePlus, it will also stop collecting “telephone numbers, MAC Addresses and WiFi information,” and by the end of October, the company will clearly prompt all users on how and why it collects data and provide users with an option to not participate in its “user experience program.”
Multiple users responded by saying their concerns were not resolved, as some of the data collected—like telephone numbers and wireless network information—was of limited use from a support perspective and instead could have been mined for its value to marketers.
As TechCrunch noted, the opt-out provision also does not appear to actually stop the data collection, but simply removes tags linking the data to a specific device. So no matter which way you slice it, this is not a very good situation for OnePlus users to find themselves in. As Moore noted, there are few good options to stop the data collection entirely:
Unfortunately, as a system service, there doesn’t appear to be any way of permanently disabling this data collection or removing this functionality without rooting the phone. One alternative would be to stop the service every time you boot your phone (assuming it doesn’t get periodically restarted) or using an app to achieve the same effect, or perhaps prevent communication with open.oneplus.net somehow.