Phone maker OnePlus was recently discovered to be collecting users’ private data without their permission.
UK-based software engineer Chris Moore published a detailed article yesterday showing that OnePlus is able to collect analytics data from his OnePlus 2 smartphone without his permission.
Data collected by OnePlus from its users include IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers and a lot more.
Some of the data-gathering is pretty standard fare, including how often you unlock your phone, the apps you open and use, and the Wi-Fi networks you connect to. The problem lies with the lack of anonymity. It turns out that OnePlus is transferring this info along with your phone’s serial number, meaning that your activity is personally identifiable.
Chris Moore discovered this by proxying the internet traffic on his OnePlus 2 using OWASP ZAP, which allowed him to track his phone’s network activity. He noticed that a large amount of data was being sent to the open.oneplus.net server over HTTPS. He also dug deeper into open.oneplus.net and discovered that the domain name is an Amazon AWS instance, which is also owned by OnePlus.
Using the authentication key on his phone, he was able to decrypt the data that the company was collecting from his OnePlus 2. He saw that his handset was sending time-stamped information about locks, unlocks and unexpected reboots, according to Android Police.
He discovered that the data being sent to OnePlus’ servers included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, info on Wi-Fi connections and the phone’s serial number. The worst thing that Moore discovered was that some of the data that OnePlus collected recorded every time a user opens an app and how long they keep that app open on their device.