Smartphone maker OnePlus has been caught collecting huge amounts of personal user data from its smartphones. Security researcher Chris Moore recently discovered that OxygenOS, the Android-based operating system used in OnePlus devices, constantly sends data about which apps you use, when they are opened or closed, which Wi-Fi networks you are connecting to and when, your phone number, phone’s IMEI number and a lot more to its servers.
Since this data also includes phone numbers and IMEI numbers, it can be personally tied to specific users.
While it is normal for smartphone manufacturers to collect data from their devices to improve their software and services, it is usually anonymised for privacy and it is limited to certain features, not like what OnePlus seems to have been doing.
Here ‘s what we know that OnePlus collects:
- Device’s phone number
- IMEI code
- IMSI code
- ESSID and BSSID wireless network identifiers
- Phone serial number
- MAC addresses
- Mobile network names
- Battery status
- When the user launched or closed an app
- Which app the user opened
- Timestamp when the user locked or unlocked his phone
- Timestamp when the device screen went on or off
In a statement to Android Police, the company said:
We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.
As you can gather from the company statement, it is an intentional collection of data and OnePlus has no qualms about storing and using personally identifiable information about its customers. While you can stop the automatic collection of your usage activity, by going to Settings > Advanced and unjoining the user experience program, there is no word on how to stop the second stream of data that OnePlus is collecting (as the company noted in its statement).
Whatever the motives of OnePlus here, it is imperative for the smartphone manufacturers to make such collection of data ‘opt-in’, rather than ‘opt-out’.