Analytics data is important for any software project: it helps developers figure out which features people use, which bugs need fixing, and who and where the target market is. OnePlus, in its never-ending mission to make itself the worst Android phone manufacturer on the planet, has been discovered collecting massive amounts of analytics data from phone owners. The collected data includes IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers, and more.
Christopher Moore, a software engineer, published his findings on his personal blog. During a Hack Challenge, Moore began proxying the internet traffic from his OnePlus 2 through OWASP ZAP. If you're not familiar with the technique, routing the phone's traffic through an intercepting proxy lets you see every request the phone sends and every response it receives (for HTTPS traffic this only works once the proxy's CA certificate has been installed as trusted on the phone). Among the usual network activity, he noticed a large number of requests to open.oneplus.net.
On closer inspection, he found that the domain pointed to an Amazon AWS instance owned by OnePlus. I'll spare you the technical jargon, but essentially, he could see his phone sending data frequently to the open.oneplus.net server over HTTPS. He was able to decrypt the data (using the authentication key on the phone), which revealed that his OP2 was sending time-stamped records of screen locks, unlocks, and unexpected reboots.
Logging unexpected reboots would make sense (it could help developers fix OS bugs), but as Moore noted in his blog, recording every time the phone is unlocked or locked seemed excessive. He left the proxy running for an extended period of time, and things went downhill quickly.
Moore discovered that some of the data being sent to OnePlus' servers included the phone's IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, and the phone's serial number. And if you thought that was bad, he later found that the data included every time an app was opened.
We reached out to OnePlus about the analytics tracking, and the company responded with the following statement:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
OnePlus says the usage-analytics stream can be turned off with the setting above; note that the statement says nothing about switching off the second, device-information stream. Twitter user @JaCzekanski pointed out that the app sending the data (OnePlus Device Manager, package net.oneplus.odm) can be removed for the primary user via ADB, no root required. Plug your phone into a computer with ADB installed, enable USB debugging in Developer options, accept the debugging prompt on the phone, and run this command from the computer:

```shell
adb shell pm uninstall -k --user 0 net.oneplus.odm
```

The -k flag keeps the app's data and cache, and --user 0 removes the app only for the primary user; the APK itself stays on the system partition, which is why no root is needed and why a factory reset will bring it back (on recent Android versions, adb shell cmd package install-existing net.oneplus.odm reinstates it without a reset). There's a chance this could break other functionality, since Device Manager may be responsible for other tasks, so do this at your own risk.
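As an added example (this script is not from the article, from @JaCzekanski, or from OnePlus), here is a wrapper around that command with the checks a practitioner would want before and after running it: it confirms adb can see an authorized device, checks that the package is actually present for user 0, removes it, verifies the package list afterwards instead of trusting the command's exit status, and prints the restore command. It assumes adb is on PATH and USB debugging is enabled; the package name is the one quoted above.

```shell
#!/usr/bin/env bash
# Added example, not the article's or OnePlus' own tooling: remove OnePlus
# Device Manager for the primary user over ADB, verify the result, and record
# how to put it back. Assumes `adb` is on PATH and USB debugging is enabled.
set -eu

PKG="net.oneplus.odm"   # package name given in the article

# Read `adb devices` output on stdin and print the state of the first device
# listed (device, unauthorized, offline, ...); prints "none" if there is none.
# Skips the "List of devices attached" header and any "* daemon ..." lines.
device_state() {
  awk '/^\*/ || $1 == "List" { next }
       NF >= 2 { print $2; found = 1; exit }
       END { if (!found) print "none" }'
}

# Read `pm list packages` output on stdin; succeed if the package is present.
# pm prints one "package:<name>" line per package. Older adb/Android versions
# emit CRLF line endings over `adb shell`, so strip \r before matching.
pkg_listed() {
  tr -d '\r' | grep -qxF "package:$1"
}

main() {
  command -v adb >/dev/null || { echo "adb not found on PATH" >&2; exit 1; }

  state=$(adb devices | device_state)
  case "$state" in
    device) ;;
    unauthorized) echo "Accept the USB debugging prompt on the phone first" >&2; exit 1 ;;
    *) echo "No usable device (state: $state); enable USB debugging and reconnect" >&2; exit 1 ;;
  esac

  if ! adb shell pm list packages --user 0 | pkg_listed "$PKG"; then
    echo "$PKG is already absent for user 0; nothing to do"
    exit 0
  fi

  # -k keeps the app's data and cache; --user 0 removes the app for the primary
  # user only. The APK stays on the system partition, which is why no root is
  # needed and why the change can be undone.
  adb shell pm uninstall -k --user 0 "$PKG"

  # Older adb/Android combinations do not propagate the exit status of
  # `adb shell` commands, so check the package list rather than $?.
  if adb shell pm list packages --user 0 | pkg_listed "$PKG"; then
    echo "$PKG is still installed for user 0" >&2
    exit 1
  fi
  echo "$PKG removed for user 0."
  echo "To restore it later: adb shell cmd package install-existing $PKG"
}

# Only run when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `bash remove_odm.sh --run` with the phone connected. The two helpers are deliberately fed from stdin rather than calling adb themselves so they can be exercised without a device; the verification step exists because `pm uninstall` reports failure as a `Failure [...]` line that the caller must read.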
- Chris's Security and Tech Blog
- Everyone who sent this in