OnePlus accused of taking users' sensitive smartphone data without their consent

Latest OnePlus claims come after company was accused of manipulating benchmarks

Smartphone maker OnePlus has been accused of setting its devices up to send sensitive user data back to the company - without seeking their consent or being upfront about its data-slurping activities.

The accusations were detailed in a blog post by security researcher Christopher Moore. After setting up a security tool called OWASP ZAP on his OnePlus 2 handset, he noticed HTTPS requests being sent to a domain called open.oneplus.net, which further redirected the traffic to a US-based Amazon AWS server.

As well as hoovering up details such as users' phone and IMEI numbers, MAC addresses and mobile network names, Moore revealed that OnePlus was collecting timestamped details such as when the user locked the device and when apps were opened and closed.

"They're collecting time-stamped metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive, he claimed in his blog.

"At least these are anonymised, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone's serial number."

Moore states that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Thankfully, Twitter user Jakub Czekanski, tweeted that the data transmission can be disabled permanently using ADB tool with USB debugging enabled on the device.

https://twitter.com/JaCzekanski/status/917691128807395328?ref\\_src=twsrc%5Etfw

However, there's a chance that doing this could break other functionality of the system, since Device Manager could be responsible for other tasks.

OnePlus doesn't seem to consider its unconsented data collection a big issue and shrugged off the accusations in a statement.

"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behaviour," the firm said.

"This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."