Your OnePlus handset, running OxygenOS, the company's custom version of the Android operating system, is collecting far more data on its users than it needs.
A blog post published today by security researcher Christopher Moore on his website details the data collection practice of the Shenzhen-based Chinese smartphone maker, revealing that the analytics built into OxygenOS regularly sends users' telemetry data to OnePlus' servers.
Collecting basic device telemetry is a usual practice that every software maker and device manufacturer follows to identify, analyse and fix software issues and improve the quality of their products, but OnePlus was found to be collecting user identification information as well.
Moore simply started intercepting the network traffic to analyse what data his OnePlus device sends to its servers, and found that the data collected by the company included:
- User's phone number
- MAC addresses
- IMEI and IMSI codes
- Mobile network(s) names
- Wireless network ESSID and BSSID
- Device serial number
- Timestamp when a user locks or unlocks the device
- Timestamp when a user opens and closes an application on his phone
- Timestamp when a user turns his phone screen on or off
It is clear that the above information is enough to identify any OnePlus user.
"Wow, that is quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities," Moore said.
"It gets even worse. These event data contain timestamps of which activities were fired up in which applications, again stamped with the phone's serial number."
Moreover, there is no direct option available to disable this telemetry tracking behaviour.
The same issue was also publicly reported to OnePlus in July last year by another security researcher and software engineer, who goes by the online moniker "Tux," but the problem was ignored by OnePlus as well as by others.
Moore also reported the issue to OnePlus support, but the team did not provide any solution to address it, and OnePlus has not yet responded.
However, the good news is that Jakub Czekański, an Android developer, today introduced a permanent way to disable the telemetry tracking, even without rooting your smartphone.
You can connect your OnePlus device in USB debugging mode to a computer, open an adb shell and enter the command "pm uninstall -k --user 0 net.oneplus.odm" to get rid of OnePlus' excessive data collection.
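A scripted version of the adb workaround described above, as an added example that is not part of the article or of Czekański's instructions: it checks that the analytics package is present for user 0, runs the same pm uninstall command, and verifies the result. It assumes adb is installed on the computer and the phone is attached with USB debugging enabled and authorized.

```shell
#!/bin/sh
# Added example (not from the article): remove the OxygenOS analytics package
# for the primary Android user over adb, with a check before and after.
# Usage:  sh remove_odm.sh dry-run   (print the adb commands only)
#         sh remove_odm.sh apply     (run them against the attached phone)

PKG="net.oneplus.odm"   # analytics package named in the article
USER_ID=0               # primary user; a per-user uninstall needs no root

# Succeed if $1 appears as a "package:<name>" line on stdin, i.e. in the
# output format that `pm list packages` prints (one package per line).
package_listed() {
    grep -qx "package:$1"
}

# Build the exact command from the article: -k keeps the app's data and cache,
# --user 0 removes it for the primary user instead of the read-only system image.
uninstall_cmd() {
    printf 'pm uninstall -k --user %s %s\n' "$2" "$1"
}

# Run a command on the phone via adb, or only echo it when DRY_RUN=1.
run_adb() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "adb shell $*"
    else
        adb shell "$@"
    fi
}

main() {
    if [ "${DRY_RUN:-0}" != "1" ]; then
        adb get-state >/dev/null 2>&1 || { echo "no device: enable USB debugging and authorize this host" >&2; return 1; }
        # adb output carries CR line endings; strip them before matching.
        if ! adb shell pm list packages --user "$USER_ID" | tr -d '\r' | package_listed "$PKG"; then
            echo "$PKG is not installed for user $USER_ID; nothing to do"; return 0
        fi
    fi
    run_adb $(uninstall_cmd "$PKG" "$USER_ID")   # word splitting intended
    if [ "${DRY_RUN:-0}" != "1" ]; then
        if adb shell pm list packages --user "$USER_ID" | tr -d '\r' | package_listed "$PKG"; then
            echo "$PKG still present; uninstall failed" >&2; return 1
        fi
        echo "$PKG removed for user $USER_ID (undo with: adb shell pm install-existing $PKG)"
    fi
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1; main ;;
    *)       echo "usage: $0 {dry-run|apply}" >&2 ;;
esac
```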