Your OnePlus is Phoning Home with Your Personal Data

The biggest story of this short news week has to be the revelation that OnePlus phones running the company’s stock ROMs—Hydrogen and Oxygen OS—are, without their users’ consent, collecting and transmitting personally-identifiable data. Here’s a sample of what’s being collected:

getAndroidVersion()Ljava/lang/String;
getBSSID(Landroid/content/Context;)Ljava/lang/String;
getBatteryLevel(Landroid/content/Context;)F
getBatteryStatus(Landroid/content/Context;)Ljava/lang/String;
getBrandName()Ljava/lang/String;
getCellSignalLevel(Landroid/content/Context;)Ljava/lang/String;
getDeviceId()Ljava/lang/String;
getIMEI(Landroid/content/Context;)Ljava/lang/String;
getIMEI1(Landroid/content/Context;)Ljava/lang/String;
getIsHiddenSSID(Landroid/content/Context;)Z
getLocale(Landroid/content/Context;)Ljava/util/Locale;
getMacAddr(Landroid/content/Context;)Ljava/lang/String;
getModelName()Ljava/lang/String;
getOSVersion()Ljava/lang/String;
getPCBA()Ljava/lang/String;
getResolutionHeight(Landroid/content/Context;)I
getResolutionWidth(Landroid/content/Context;)I
getRomVersion()Ljava/lang/String;
getSimCountryCode(Landroid/content/Context;)Ljava/lang/String;
getSoftVersion()Ljava/lang/String;
getTimezone()Ljava/lang/String;
getWifiMacAddress(Landroid/content/Context;)Ljava/lang/String;
getWifiSSID(Landroid/content/Context;)Ljava/lang/String;
getWifiSignalLevel(Landroid/content/Context;)I
isH2()Z
isO2()Z
isRooted()Z
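
The entries above are written in JVM method-descriptor notation, as shown by dex/smali disassemblers. As an added example (not code from the original post or from OnePlus), the following Python decodes such signatures into readable Java types and flags String-returning getters whose names suggest a persistent identifier. The keyword list `HINTS` and all function names are assumptions made for this illustration.

```python
import re
# JVM primitive type codes used in smali/dex method descriptors.
PRIMITIVES = {"Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int",
              "J": "long", "F": "float", "D": "double", "V": "void"}
# Assumed triage keywords (not from the article) hinting at a persistent identifier.
HINTS = ("imei", "deviceid", "mac", "ssid")
SIG_RE = re.compile(r"^([\w$<>]+)\((.*)\)(.+)$")

def parse_type(desc, pos=0):
    """Decode one type starting at desc[pos]; return (java_name, next_pos)."""
    dims = 0
    while desc[pos] == "[":          # each '[' adds one array dimension
        dims, pos = dims + 1, pos + 1
    if desc[pos] == "L":             # object type: Lpkg/Class;
        end = desc.index(";", pos)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:                            # single-letter primitive code
        name, pos = PRIMITIVES[desc[pos]], pos + 1
    return name + "[]" * dims, pos

def decode(signature):
    """'getX(Lfoo/Bar;)I' -> ('getX', ['foo.Bar'], 'int')."""
    m = SIG_RE.match(signature.strip())
    if not m:
        raise ValueError(f"not a method descriptor: {signature!r}")
    name, params, ret = m.groups()
    args, pos = [], 0
    while pos < len(params):
        arg, pos = parse_type(params, pos)
        args.append(arg)
    ret_type, end = parse_type(ret)
    if end != len(ret):
        raise ValueError(f"trailing data in return type: {signature!r}")
    return name, args, ret_type

def flag_identifiers(signatures):
    """Names of String-returning getters whose name matches a hint."""
    decoded = [decode(s) for s in signatures]
    return [n for n, _, r in decoded
            if r == "java.lang.String" and any(h in n.lower() for h in HINTS)]

# Four entries copied from the list above.
SAMPLE = ["getBSSID(Landroid/content/Context;)Ljava/lang/String;",
          "getBatteryLevel(Landroid/content/Context;)F",
          "getIMEI(Landroid/content/Context;)Ljava/lang/String;",
          "getIsHiddenSSID(Landroid/content/Context;)Z"]
if __name__ == "__main__":
    print(flag_identifiers(SAMPLE))
```

Name matching is only a first-pass triage: it says what a method is called, not what the service actually transmits.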

But wait, there’s more… OnePlus is also collecting timestamped events on your device, like unexpected reboots, which apps you use and for how long, even when you lock and unlock your screen. It may sound like innocuous diagnostic information, but each of these timestamps is dispatched with personally identifiable information. And even if you opt out of the OnePlus User Experience Program, the hidden services that collect this data keep collecting it and sending it back to OnePlus.

The collection can be halted via adb and a terminal command on a desktop computer. A more detailed account of how this data harvesting was discovered, and how to fix it, can be read at the link directly below.

Link: Chris’s Security and Tech Blog
