It looks like Chinese smartphone maker, OnePlus is collecting a host of device-level and personal data from users and transmitting it to a server. UK-based security and tech blogger, Christopher Moore found that his OnePlus 2 is collecting private device-level data such as the phone’s IMEI number, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID, as well as personal user data such as reboot, charging, screen and application timestamps. This was first reported by AndroidAuthority. The domain (open.oneplus.net) that is responsible for the data collection is in the OnePlus Device Manager and OnePlus Device Manager Provider. Moore discovered this while completing the SANS Holiday Hack Challenge 2016: Whilst completing the SANS Holiday Hack Challenge 2016, I had cause to proxy the internet traffic from my phone, a OnePlus 2, through OWASP ZAP, a security tool for attacking web applications. Amidst the traffic, I noticed requests to a domain which I’d not seen before, open.oneplus.net, and decided to examine them a little closer. What does OnePlus gain by accessing, say for example, application timestamps from your phone? From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number. A Twitter user believes this can be permanently disabled. Read the thread for more information about how to get it done. @chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm…
