For any software project, analytics data is important. It can help developers to figure out bugs and fix them in the next update. And to improve the user experience, companies like Google, Apple and Microsoft do collect user data, but it is a completely different conversation when companies do this without user knowledge. This seems to be the case with Chinese smartphone manufacturer OnePlus, which is reportedly collecting specific usage data from its users.
Christopher Moore, a software engineer, revealed on his personal blog that OnePlus was collecting user information without permission. During a Hack Challenge, Moore started to proxy the internet traffic from his OnePlus 2 using OWASP ZAP, a free security tool used for automatically finding security vulnerabilities in web applications. According to Moore’s discovery, OnePlus was found collecting data such as IMEI numbers, mobile network names, IMSI prefixes, MAC addresses and serial numbers, among others. All these data requests went to open.oneplus.net.
After deeper inspection, Moore found that the domain name was owned by OnePlus and hosted on Amazon AWS. He was able to pull the log and decrypt the data using an authentication key on his smartphone, revealing that his OnePlus 2 was sending information about locks and unlocks, unexpected reboots, and more. Sure, this data will eventually help OnePlus roll out more stable OxygenOS builds to its users, but the way the company is collecting data can be considered unethical. Moore further found that OnePlus was also logging data every time an app was opened.
In a statement to AndroidPolice, OnePlus said, “We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”
This is not the first time for OnePlus, as the company has previously been accused of cheating in synthetic benchmarks to boost scores. XDA Developers had found that the OnePlus 3T, powered by the Qualcomm Snapdragon 821 SoC, was forced to run at a higher clock speed whenever a benchmarking app was detected. While OnePlus had promised that it would stop cheating, it was again found rigging benchmark scores on the OnePlus 5.
OnePlus is not the only one. Late last year, Chinese smartphone makers such as Xiaomi, Oppo and Vivo, among others, were also caught sending private user data to Chinese servers every 72 hours. Even UC Browser was found sending data to remote servers in China. Xiaomi’s Manu Kumar Jain did come out saying that all of their smartphones are secure, and they do not collect information without taking prior permission from users. He further mentioned that all this data is encrypted, and even if someone gets access, they cannot retrieve it. Soon after these incidents, and with fears of hacking, the Indian Government reportedly sent notices to smartphone makers to set up servers in India.