OnePlus accused of GDPR-busting data slurp by security researcher

Posted October 12, 2017

The owner of a UK-based security and tech blog, Chris Moore, recently published an article showing that OnePlus has been gathering his personal information and transmitting it without his permission.


Another workaround, which is a bit tedious, requires users to enable USB debugging in the device's Settings (under Developer options), connect the device to a PC via USB and install the Android Bridge software, according to a forum discussion on Hacker News. Well, it seems the Chinese tech company is in trouble again, and in my opinion, OnePlus should really take the time to explain itself this time.

As well as hoovering up details such as users' phone and IMEI numbers, MAC addresses and mobile network names, Moore revealed that OnePlus was collecting timestamped details such as when the user locked the device and when apps were opened and closed. He came across this unfamiliar domain while completing the SANS Holiday Hack Challenge, and decided to investigate it further.

A security researcher finds that phones running on OnePlus' OxygenOS operating system may be collecting sensitive data that ties users to their data.

The data that OnePlus is accessing ranges from device information like the phone's IMEI and serial number to user data like reboot, charging and screen timestamps, as well as application timestamps.

"We securely transmit analytics in two different streams over HTTPS to an Amazon server," says the company. "The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behavior." Its failure to provide adequate device support has brought down the brand with heavy criticism from its users in the past year or two. "We do not share any analytics data with outside parties."

OnePlus acknowledged that all of this was actually happening, and told Android Authority that the reason behind it is to improve the user experience and its (often criticised) after-sales support. The company, which managed to anger and frustrate many of its users through a lack of after-sales support, is now trying to justify its secret data collection on the grounds that it is for after-sales support.

"Collecting basic telemetry data is quite standard fare, but the problem arises when the data is precise enough to identify a user based on the information collected."