OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer.
A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day.
The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
In almost all cases, when vendors collect this data, they make sure not to include details that may reveal information about the user's real-world identity.
The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as:
The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.
OnePlus did not respond to a request for comment.
It was Polish developer Jakub Czekański who provided a way to stop the data tracking behavior without rooting the phone and messing with the operating system's core files.
To do so, users must enable USB debugging in their OnePlus phone's settings section, under developer options. Users can then connect their phone via USB to their PC and use the Android Debug Bridge (adb) to run terminal commands on their OnePlus device.
adb start-server adb shell pm uninstall -k --user 0 net.oneplus.odm