wordpress blog stats
Connect with us

Hi, what are you looking for?

OnePlus collecting both device level and user data without consent

It looks like Chinese smartphone maker, OnePlus is collecting a host of device-level and personal data from users and transmitting it to a server. UK-based security and tech blogger, Christopher Moore found that his OnePlus 2 is collecting private device-level data such as the phone’s IMEI number, serial number, cellular number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID, as well as personal user data such as reboot, charging, screen and application timestamps. This was first reported by AndroidAuthority.

The domain (open.oneplus.net) that is responsible for the data collection is in the OnePlus Device Manager and OnePlus Device Manager Provider.

Moore discovered this while completing the SANS Holiday Hack Challenge 2016:

Whilst completing the SANS Holiday Hack Challenge 2016, I had cause to proxy the internet traffic from my phone, a OnePlus 2, through OWASP ZAP, a security tool for attacking web applications. Amidst the traffic, I noticed requests to a domain which I’d not seen before, open.oneplus.net, and decided to examine them a little closer.

What does OnePlus gain by accessing, say for example, application timestamps from your phone?

From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number.

A Twitter user believes this can be permanently disabled. Read the thread for more information about how to get it done.

Advertisement. Scroll to continue reading.

A spokesperson for OnePlus told AndroidAuthority that:

We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.

Even if for a moment we were to accept that OnePlus needs this plethora of data simply to improve user experience and provide better after-sales service, then the starting point of the conversation has to be consent. Users need to be given the option to either opt-in to sharing this data with OnePlus or decline the same. Oh, and OnePlus itself says in the statement above that while collection of personal user information can be switched off, the device-level data collection will continue.

Other Chinese companies accused of spurious data collection


Last month, the Tencent-owned messaging app WeChat confirmed that it shares private user data with the Chinese government. As per WeChat’s new policy, the Log Data that it collects to power its in-app advertising and direct marketing activities and other Personal Information that it collects can be disclosed:

  • To comply with applicable laws or regulations.
  • To comply with a court order, subpoena or other legal process.
  • In response to a request by a government authority, law enforcement agency or similar body (whether situated in your jurisdiction or elsewhere).


In 2014, the Indian Air Force (IAF) had accused Chinese smartphone maker Xiaomi of spying on its users and transmitting user’s personal information back to Chinese servers. An alert note issued by IAF to its staff and their family members warned them against using any Xiaomi products, saying that the company was stealing not just their phone numbers and IMEI (device identifier) number, but was also accessing their phone calls and personal text messages. At the time, Xiaomi’s former VP of International operations Hugo Barra had told MediaNama that they do not collect any information without user permission. “Users will always be notified beforehand in situations when we require your personal information, and will have to approve the request.”

Advertisement. Scroll to continue reading.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...


By Stella Joseph, Prakhil Mishra, and Yash Desai The Government of India circulated proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) which...


By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....

You May Also Like


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ