OnePlus mobile phones are mining and sending handset data without obvious prompting, incensed customers are alleging against the manufacturing giant. Security blogger and software engineer Christopher Moore first publicised the discovery on his personal blog, while monitoring the web traffic of his own device.
Moore claims that the outbound information appears to include the phone’s International Mobile Equipment Identity (unique codes that identify mobile sets), phone numbers, MAC addresses (unique addresses of networks), and mobile carrier. Upon further investigation, Moore also found that his OnePlus 2 handset was transmitting information when he opened and closed apps or unlocked his phone to a domain at net.onepls.odm.
While Moore discovered the issue months ago, it has only now gained traction in online forums. When questioned by The Register, OnePlus explained that the collection of information from devices is enabled by default, and users have to opt out of the system. The firm also noted that they do not share any of this information with third-parties.
A spokesperson for the OnePlus said: “We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behaviour. This transmission of usage activity can be turned off by navigating to ‘Settings’ > ‘Advanced’ > ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support. We do not share any analytics data with outside parties.”
The code which enables this secondary data grab forms a part of OnePlus Device Manager and the OnePlus Device Manager Provider. Privacy-minded users can also stop this activity, by entering the Android Debug Bridge (ADB) utility of their phone and removing the apps from there.
Similarly, Apple has faced a number of privacy-related debacles in the past. The company was forced to defend its data-gathering practices in a 2011 court case which alleged that Apple continued to collect Wi-Fi hotspot and mobile tower data, even after location services had been turned off. Apple claimed that the issue was a ‘bug’ which they subsequently fixed in iOS 4.3.3, released later that year. The court complaint was dismissed after prosecutors failed to convince the judge that they fully understood Apple’s privacy policies before agreeing to them.