OnePlus Phones Collecting Users’ Private Data without Permission

Using the company's Android-based OxygenOS, OnePlus smartphones have been found to be leaking a considerable amount of users' activity data without their permission, according to a U.K.-based software engineer.

Earlier this year, engineer Christopher Moore reported discovering that his OnePlus 2 phone was sending a large amount of activity data to an Amazon Web Services (AWS) server. Among the information being passed along was non-anonymized data, including his phone number, IMEI (International Mobile Equipment Identity), MAC address, mobile network names, and device serial number.

In a statement provided to several media outlets, China-based OnePlus said it securely transmits two analytics streams from users' devices to provide better customer support and "more precisely fine tune our software according to user behavior." One stream can be disabled through settings adjustments, but turning off the second one requires disabling a software package by connecting the phone to a PC in debugging mode.

'Quite a Bit of Information'

Writing on his security and tech blog in June, Moore described how he discovered some traffic from his phone being directed to an unfamiliar domain while he was taking part in the SANS Holiday Hack Challenge 2016. That domain,, pointed to an AWS server in Amazon's eastern U.S. region.

Examining the traffic further, Moore said he found it included personally identifiable information about his phone, as well as timestamps for specific applications, and activities he had used.

"Wow. that's quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities," he said.

Moore said he followed up with requests for help via OnePlus' Twitter account for support, "which disappointingly led down the usual path of 'troubleshooting' suggestions, before being met with radio silence."

He added he later found a few other mentions about the...

Comments are closed.