OnePlus has become the latest smartphone maker to be accused of 'slurping' excessive amounts of users' personal data, without seeking their consent.
The accusations were detailed in a blog post by security researcher Christopher Moore. After setting up a security tool called OWASP ZAP on his OnePlus 2 handset, he noticed HTTPS requests being sent to a domain called open.oneplus.net, which further redirected the traffic to a US-based Amazon AWS server.
As well as hoovering up details such as users' phone and IMEI numbers, MAC addresses and mobile network names, Moore revealed that OnePlus was collecting timestamped details such as when the user locked the device and when apps were opened and closed.
Such data collection would almost certainly be in contravention of the EU's General Data Protection Regulation (GDPR) when it comes into force in May next year.
"They're collecting time-stamped metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive," he claimed in his blog.
"At least these are anonymised, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone's serial number."
Moore states that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Thankfully, Twitter user Jakub Czekański tweeted that the data transmission can be disabled permanently using the ADB tool with USB debugging enabled on the device.
"@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg" - Jakub Czekański (@JaCzekanski), October 10, 2017
However, there's a chance that doing this could break other functionality of the system, since Device Manager could be responsible for other tasks.
OnePlus doesn't seem to consider its unconsented data collection a big issue and shrugged off the accusations in a statement.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behaviour," the firm said.
"This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."