OnePlus has reportedly been collecting sensitive information from its users' devices without prior notice. The report stems from a post by software engineer Christopher Moore on his personal blog, in which he describes his discoveries. During a Hack Challenge, Moore began proxying the internet traffic from his OnePlus 2 using OWASP ZAP. This allowed him to view all incoming and outgoing internet traffic from his phone. Among the usual network activity, he noticed many requests to open.oneplus.net.
According to the post on Christopher Moore’s blog, OnePlus is collecting sensitive private data such as IMEI numbers, mobile network names and IMSI prefixes, MAC addresses, and more. He discovered that his OnePlus 2 was sending data to an HTTPS domain, and that the data was transmitted to an Amazon Web Services instance owned by OnePlus.
He could see his phone frequently sending data to the open.oneplus.net server over HTTPS. He was able to decrypt the data (using the authentication key on the phone), which revealed that his OnePlus 2 was sending time-stamped information about locks, unlocks, and unexpected reboots.
OnePlus, for its part, issued the following response to the allegations. According to Android Police, OnePlus stated, “We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behavior. This transmission of user activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.”