OnePlus Smartphones Found Collecting User Data Without Anonymization
Cybersecurity experts have discovered that OxygenOS, the operating system used by OnePlus smartphones, collects a large amount of user data and sends it to the company’s servers without prior anonymization. The issue was first brought to light by a researcher known as Tux back in July 2016. Unfortunately, his tweet went unnoticed at the time, and the problem was rediscovered only a year later, this week, when British cybersecurity specialist Christopher Moore noticed the data leak.
Moore found that OxygenOS regularly sends telemetry data collected from the device to OnePlus servers. While it’s common for apps to collect telemetry these days, the main concern here is that the information is not properly anonymized. This means the telemetry can be linked to a specific user and device, effectively de-anonymizing a person in the real world.
What Data Do OnePlus Smartphones Collect?
- Device phone number
- IMEI
- IMSI
- ESSID and BSSID identifiers
- Device serial number
- MAC address
- Network operator name
- Battery status
- Data on app openings and closings
- Times when the device is locked and unlocked
- Times when the screen is turned off and on
Even worse, Moore discovered that it is impossible to disable this data collection. He contacted OnePlus support for help, but the company’s specialists were also unable to provide a solution to stop the data leak. As of now, OnePlus has not issued any official comments on the matter.
How to Stop OnePlus Data Collection
While the company has not yet provided an official fix, Polish developer Jakub Czekanski has suggested a workaround. This method does not require rooting the device or digging deep into system files. The steps are as follows:
- Enable USB debugging mode in the developer settings on your smartphone.
- Connect your smartphone to a PC.
- Use Android Debug Bridge (ADB) to run the following commands:
adb start-server adb shell pm uninstall -k --user 0 net.oneplus.odm