Chinese smartphone manufacturer OnePlus is collecting data from its users and transmitting it to a server along with each device’s serial number, according to security researcher Chris Moore. In a January blog post (which has gained newfound attention this week), Moore detailed how OnePlus devices running OxygenOS record data at various points, including when a user locks or unlocks the screen; when apps are opened, used, and closed; and which Wi-Fi networks the device connects to. That’s all relatively standard.
But OnePlus also collects the phone’s IMEI, phone number, and mobile network names, so the data it sends can be tied to you personally with little to no effort, which is what makes this very problematic. According to Moore, the code responsible for the data collection is part of OnePlus Device Manager and OnePlus Device Manager Provider. Moore says that in his case, the services had sent off 16MB of data in 10 hours.
In a statement, OnePlus said it does transmit analytics to an Amazon server in two streams. The first is for usage analytics to fine-tune its software and the second stream is device information, which it collects for after-sales support. Further, the company says users can turn off the data collection by going to Settings, then Advanced, and deselecting the option in “Join user experience program.” There’s no way to disable the second stream.
The Verge has reached out to OnePlus for further comment and will update this post if it responds.