That's what Chris Moore, owner of a UK-based security and technology blog, says that OnePlus is collecting data as specific from users as the IMEI of your phones, MAC address, phone number and others without their express consent.
It is not the first scandal faced by the OnePlus company however on this occasion, and given the enormous gravity of the matter, it becomes unpredictable that I provide convincing explanations.
Improving user experience by violating their privacy, that seems to be OnePlus policy
Previously, OnePlus has had to deal with numerous crises over the last couple of years, especially in relation to its inability to provide adequate support to its customers. In addition, after the launch of OnePlus 5, reports emerged that spoke of manipulation of the benchmarks, poorly mounted screens and even users who cannot call the emergency service when they need it. Well, now comes an even more serious crisis than the previous ones and before which users must demand a compelling and urgent explanation.
Chris Moore, owner of a security and technology blog in the UK, has posted an article that would come to show that OnePlus has been collecting personal information from users and transmitting it without their permission.
What kind of data is OnePlus collecting without users' permission?
The discovery came at the SANS Holiday Hack Challenge event where Moore detected an unknown domain, and decided to examine it more closely. What was doing that domain - open.oneplus.net - was basically collect user data from your device and transmit it to an Amazon AWS instance, all without your permission.
Among the data that OnePlus is accessing are from information of the device itself such as IMEI code, serial number, phone number, MAC address, mobile network name, IMSI prefix, and wireless network ESSID and BSSID, to user data such as reboots, loads, flags, app usages and more.
Is there a remedy to the problem?
According to Moore, the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Fortunately, Jakub Czekanski states that despite being a system service, these can be permanently disabled by replacing net.oneplus.odm for pkg via ADB or by using this command: pm uninstall -k -user 0 pkg.
And what does OnePlus think of this controversy?
Well, basically, there is little else we can say beyond "slipping". Obviously, OnePlus is one of the most important manufacturers of Android mobile phones, it has a significant user base, and the fact that it has been collecting and transmitting user data without their permission, serious by the very nature of the act, it is even more in relation to the volume of people affected. But even more worrying than OnePlus doesn't seem to consider it a big deal. Consulted by Android Authority regarding the discovery of Chris Moore, the company has limited itself to stating that the data collected is intended to serve as a support to the users themselves, without responding in any way to questions regarding the privacy of those who they are your customers.
We securely transmit the analytics in two different streams over HTTPS to an Amazon server. The first flow is usage analytics, which we collect so that we can more precisely adjust our software according to user behavior. This streaming of usage activity can be disabled by navigating to 'Settings' -> 'Advanced' -> 'Join the user experience program'. The second flow is device information, which we collect to provide better after-sales service.
Brian Reigh from Android Authority notes that they have also contacted and spoken with a OnePlus representative however, “we did not receive a satisfactory explanation as to why the company simply does not allow users to opt-in to share their data to help with future updates ». And continues: "the irony here is that OnePlus is violating the privacy of its users to provide a better after-sales service. Of all the manufacturers, the company that managed to anger and frustrate so many users precisely because of its lack of after-sales support is trying to justify its unauthorized data collection on the grounds that it is for after-sales support. "