OnePlus

OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users' actions without anonymizing the data, allowing OnePlus to connect each phone to its customer.

A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets.

The data collection issue was brought to everyone's attention again today, after British security researcher Christopher Moore published the results of a recent study on his site.

OnePlus caught collecting trove of sensitive details

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This in itself is no cause for concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.

In almost all cases, when vendors collect this data, they make sure not to include details that may reveal information about the user's real-world identity.

The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as:

❕ Device's phone number
❕ IMEI code
❕ IMSI code
❕ ESSID and BSSID wireless network identifiers
❕ Phone serial number
❕ MAC addresses
❕ Mobile network names
❕ Battery status
❕ When the user launched or closed an app
❕ Which app the user opened
❕ Timestamp when the user locked or unlocked his phone
❕ Timestamp when the device screen went on or off
❕ and more...

The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer to his queries.

OnePlus did not respond to a request for comment.

Disabling data collection is not easy

It was Polish developer Jakub Czekański who provided a way to stop the data tracking behavior without rooting the phone and messing with the operating system's core files.

To do so, users must enable USB debugging in their OnePlus phone's settings section, under developer options. Users can then connect their phone via USB to their PC and use the Android Debug Bridge (adb) to run terminal commands on their OnePlus device.

According to Czekański and this comment on Hacker News, the following commands will disable the tracking behavior:

adb start-server
adb shell
pm uninstall -k --user 0 net.oneplus.odm
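
To confirm the effect of the command above, the following check (an added example, not taken from Czekański, Moore or the Hacker News comment) classifies the package state from pm list packages output. The sample listings and the package name net.oneplus.odm.example are constructed; because --user 0 removes the package only for the primary user, it still shows up in the -u listing afterwards.

```shell
#!/bin/sh
# Added example: report whether a package is installed for Android user 0.
PKG="net.oneplus.odm"            # package name from the article

# Constructed sample of `pm list packages --user 0` before the uninstall.
# net.oneplus.odm.example is a made-up name used to test exact matching.
SAMPLE_BEFORE='package:com.android.settings
package:net.oneplus.odm
package:net.oneplus.odm.example'

# Constructed sample of the same command after the uninstall.
SAMPLE_AFTER='package:com.android.settings
package:net.oneplus.odm.example'

# Constructed sample of `pm list packages -u --user 0` after the uninstall;
# -u also lists packages that are uninstalled for the user but still on disk.
SAMPLE_ALL="$SAMPLE_BEFORE"

# has_pkg LISTING NAME: succeed only if "package:NAME" is a whole line.
# tr strips the carriage returns that some adb versions append.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Fxq "package:$2"
}

# pkg_state INSTALLED_LIST ALL_LIST NAME
# prints: installed | removed-for-user | absent
pkg_state() {
    if has_pkg "$1" "$3"; then
        echo "installed"
    elif has_pkg "$2" "$3"; then
        echo "removed-for-user"
    else
        echo "absent"
    fi
}

# Against a connected device (requires adb and USB debugging): run with --live.
if [ "${1:-}" = "--live" ]; then
    pkg_state "$(adb shell pm list packages --user 0)" \
              "$(adb shell pm list packages -u --user 0)" "$PKG"
else
    pkg_state "$SAMPLE_BEFORE" "$SAMPLE_ALL" "$PKG"   # installed
    pkg_state "$SAMPLE_AFTER"  "$SAMPLE_ALL" "$PKG"   # removed-for-user
fi
```

A result of "removed-for-user" is the expected state after the uninstall; "installed" means the telemetry package is active again for that user and the command needs to be re-run.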