It looks like Chinese smartphone maker, OnePlus is collecting a host of device-level and personal data from users and transmitting it to a server. UK-based security and tech blogger, Christopher Moore found that his OnePlus 2 is collecting private device-level data such as the phone’s IMEI number, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID, as well as personal user data such as reboot, charging, screen and application timestamps. This was first reported by AndroidAuthority. The domain (open.oneplus.net) that is responsible for the data collection is in the OnePlus Device Manager and OnePlus Device Manager Provider. Moore discovered this while completing the SANS Holiday Hack Challenge 2016: Whilst completing the SANS Holiday Hack Challenge 2016, I had cause to proxy the internet traffic from my phone, a OnePlus 2, through OWASP ZAP, a security tool for attacking web…
