OnePlus was caught collecting personal information from users of its smartphones without permission, which is a cybersecurity problem that should concern the company's customers.
However, an even bigger issue is that the company is apparently downplaying the discovery. Will OnePlus continue to collect user data without permission from its customers?
OnePlus Collects Personal Data Without User Permission
It was previously found that OnePlus' operating system, OxygenOS, leaks the IMEI of devices into the network while checking for updates. Security researcher Christopher Moore has now discovered an even worse cybersecurity concern with OxygenOS, as he claims that OnePlus is collecting sensitive and personal identifiable information from its customers.
In a post on his blog, Moore narrated that while participating in a hacking challenge last year, he noticed that his OnePlus 2 was sending HTTPS requests to a domain named open.oneplus.net. Upon further investigation, he discovered that the data being sent by his OnePlus device to the domain included the smartphone's IMEI, phone numbers, mobile networks information, MAC addresses, and the smartphone's serial number.
Moore also found that the data included the specific times at which he opened and closed particular apps on his OnePlus 2. Digging even further, he found that the data also included the timestamps on the activities that were launched within the applications.
The fact that a major Android smartphone manufacturer was collecting personal data without permission is concerning, to say the least, as it violates user privacy. For OnePlus device owners who have not rooted their smartphones, running the command "pm uninstall -k --user 0 net.oneplus.odm" while the device is plugged into a computer with ADB installed will disable the app sending the data to OnePlus, though with the risk that other functions will be affected.
OnePlus Downplays Cybersecurity Issue
While Moore's discovery is troubling, even more alarming is the fact that OnePlus apparently does not think that there is something wrong with what it is doing.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server," the company said in a statement. The first stream, according to OnePlus, is for usage analytics, so that it can develop software according to the behavior of its users. It can be deactivated by going into the "join user experience program" option under the Advanced menu of Settings. The second stream, meanwhile, is for device information, which OnePlus said it collects to provide customers with better after-sales support.
OnePlus did not address the privacy concerns with its data collection activities, and a representative also failed to explain why users are not asked for permission over this.
From the looks of it, OnePlus will not stop its data collection practice, so customers who want to retain their privacy might want to start thinking about purchasing a replacement smartphone from another brand.