OnePlus offers response to data mining controversy
Update (October 16, 2017): Over at the OnePlus forums, OnePlus co-founder Carl Pei has announced additional steps coming to OxygenOS that will make the data collection opt-in. More importantly, OnePlus will stop collecting phone numbers, MAC addresses, and Wi-Fi info:
"By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection. We would also like to share we will no longer be collecting telephone numbers, MAC Addresses and WiFi information."
Originally published on October 12, 2017 at 11:00am:
OnePlus is known for its great value smartphones, but you may want to think twice before buying one. Security researcher Chris Moore has discovered that OnePlus' OxygenOS has been quietly collecting a ton of user data and transmitting it to a OnePlus server, along with your phone's serial number.
Moore detailed how OnePlus devices record data at various points, including when a user locks or unlocks the screen, which apps are opened, used, and closed, and which Wi-Fi networks the device connects to. While that's fairly standard, it's almost unheard of to tie that data to the phone’s IMEI, phone number, and mobile network names, which means the data can be easily traced back to you.
According to Moore, the code responsible for the data collection is part of OnePlus Device Manager and OnePlus Device Manager Provider. Moore says that in his case, the services had sent off 16MB of data in 10 hours.
Responding to the controversy, OnePlus revealed it collects two streams of data from all users. The first is termed 'usage analytics', which helps it to improve its software. The company adds that this type of data sharing can be turned off by going into Settings, selecting 'Advanced', and turning off 'Join user experience program'. However, the second stream, which OnePlus refers to as 'device information', can't be turned off.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."