Chinese smartphone maker OnePlus has been accused of collecting unanonymised analytics data from its users without their permission. According to a blog post by security researcher Christopher Moore, he found his OnePlus 2 sending specific user patterns to a company server without his permission.
The data he found being collected included phone number, IMEI number, mobile serial number, MAC address, mobile network names, and battery status. The blog claims that OnePlus was also collecting details on when a user locked his device, when he unlocked it as well as the timings related to when a particular app was being used.
"They're collecting timestamped metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive. At least these are anonymised, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone's serial number," Moore said in the blog post.
Moore had pointed out this data transmission to OnePlus as early as in January this year but failed to get a convincing response.
And I'm _definitely_ not convinced you should know how long I spend in which apps. pic.twitter.com/1tX3vjW9fu— Christopher Moore (@chrisdcmoore) January 13, 2017
After the blog post, OnePlus responded to the allegations saying the device information being collected was to improve services and that users had the option to switch off the option of transmitting usage activity at any time.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behaviour. This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support," OnePlus told Android Police.
The data collection has been sourced to a system application called "OnePlus System Service" which uses cannot be turned off but can be disabled every time you turn your device on.
While there was initially no clarity on whether the device affected only the OnePlus 2, the company’s response clarifies that all OnePlus devices such as OnPlus 3, OnePlus 3T and OnePlus 5 have this issue.
How to switch it off?
While the response by OnePlus only relates to partially stop the device from automatically sending usage data, a Twitter user has posted a way that can end the transmission of usage data permanently.
@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg— Jakub Czekański (@JaCzekanski) October 10, 2017
There are speculations that OxygenOS, the company's custom version running on top of Android, could contain a particular plug-in to enable the transmission. We are yet to hear from the company on this.
The company is yet to announce a fix on this issue. There is also no clarity on how switching off this functionality permanently would affect the performance of the device and users are advised to tread with caution in choosing to disable it.