OnePlus silently harvesting private data from users without permission

OnePlus accused of GDPR-busting data slurp by security researcher

OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is collecting user data without permission and without a full opt-out function. If you have never rooted your phone, we recommend proceeding with a lot of caution.

OnePlus is soon to launch the next so-called flagship killer and is expected to feature a bigger display with a new aspect ratio and minimal bezels.

Chris Moore, the owner of a security and technology blog, published an article in January proving that OnePlus has been collecting private data from users, such as the phone's International Mobile Equipment Identity (IMEI) number, serial number, cellular number, MAC address, mobile network name, International Mobile Subscriber Identity (IMSI) prefix and wireless connection service set identifiers (SSIDs).

While almost all tech manufacturers and brands today collect user data in some form or another, the difference with OnePlus and its OxygenOS operating system is that data such as the phone number, mobile network names, and the International Mobile Equipment Identity (IMEI) are also collected. Moore noticed an unfamiliar domain while completing the SANS Holiday Hack Challenge and chose to examine it further.

Chinese handset maker OnePlus has been found sending sensitive personal data of users to its servers.

The data that OnePlus is accessing ranges from device information, like the phone's IMEI and serial number, to user data, like reboot, charging and screen timestamps as well as application timestamps.

Moore states that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider.

@chrisdcmoore I've read your article about OnePlus Analytics.

"We securely transmit analytics in two different streams over HTTPS to an Amazon server", says the company. It's common practice today among tech brands to make sure that they get explicit user permission first before collecting data from users. The second stream is device information, which we collect to provide better after-sales support. "We do not share any analytics data with outside parties", the company said in a statement.

The company has responded claiming that it is collecting data to improve its service, and that most of the data transmission can be switched off. Though OnePlus claims it's doing this to provide better after-sales support, most users might not be happy about being kept out of the loop all this while.

The company that managed to anger and frustrate so many users precisely because of its lack of after-sales support is trying to justify its unauthorized data collection on the grounds that it is for after-sales support.
This transmission of usage activity can be turned off by navigating to "Settings" - "Advanced" - "Join user experience program".