It looks like Chinese smartphone maker, OnePlus is collecting a host of device-level and personal data from users and transmitting it to a server. UK-based security and tech blogger, Christopher Moore found that his OnePlus 2 is collecting private device-level data such as the phone’s IMEI number, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID, as well as personal user data such as reboot, charging, screen and application timestamps. This was first reported by AndroidAuthority.

The domain (open.oneplus.net) that is responsible for the data collection is in the OnePlus Device Manager and OnePlus Device Manager Provider.

Moore discovered this while completing the SANS Holiday Hack Challenge 2016:

Whilst completing the SANS Holiday Hack Challenge 2016, I had cause to proxy the internet traffic from my phone, a OnePlus 2, through OWASP ZAP, a security tool for attacking web applications. Amidst the traffic, I noticed requests to a domain which I’d not seen before, open.oneplus.net, and decided to examine them a little closer.

What does OnePlus gain by accessing, say for example, application timestamps from your phone?

From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number.

A Twitter user believes this can be permanently disabled. Read the thread for more information about how to get it done.

A spokesperson for OnePlus told AndroidAuthority that:

We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.

Even if for a moment we were to accept that OnePlus needs this plethora of data simply to improve user experience and provide better after-sales service, then the starting point of the conversation has to be consent. Users need to be given the option to either opt-in to sharing this data with OnePlus or decline the same. Oh, and OnePlus itself says in the statement above that while collection of personal user information can be switched off, the device-level data collection will continue.

Other Chinese companies accused of spurious data collection

WeChat

Last month, the Tencent-owned messaging app WeChat confirmed that it shares private user data with the Chinese government. As per WeChat’s new policy, the Log Data that it collects to power its in-app advertising and direct marketing activities and other Personal Information that it collects can be disclosed:

  • To comply with applicable laws or regulations.
  • To comply with a court order, subpoena or other legal process.
  • In response to a request by a government authority, law enforcement agency or similar body (whether situated in your jurisdiction or elsewhere).

Xiaomi

In 2014, the Indian Air Force (IAF) had accused Chinese smartphone maker Xiaomi of spying on its users and transmitting user’s personal information back to Chinese servers. An alert note issued by IAF to its staff and their family members warned them against using any Xiaomi products, saying that the company was stealing not just their phone numbers and IMEI (device identifier) number, but was also accessing their phone calls and personal text messages. At the time, Xiaomi’s former VP of International operations Hugo Barra had told MediaNama that they do not collect any information without user permission. “Users will always be notified beforehand in situations when we require your personal information, and will have to approve the request.”